Washington, DC - In a comment to the Consumer Product Safety Commission (CPSC) about potential safety issues associated with Internet-connected consumer products, staff of the Federal Trade Commission’s Bureau of Consumer Protection (BCP) warned that poorly secured Internet of Things (IoT) devices could pose a consumer safety hazard and outlined ways to mitigate such risks.
BCP Staff submitted a response to the CPSC as part of the agency’s Request for Comments on potential safety issues and hazards associated with Internet-connected consumer products. While the CPSC noted that privacy and data security are outside the scope of its inquiry, BCP staff in its comment emphasized that poor security in IoT devices might create technology-related hazards associated with the loss of critical safety function, loss of connectivity, or degradation of data integrity. For example, a car’s braking system might fail if infected with malware, or carbon monoxide or fire detectors could stop working if they lose their Internet connection.
Staff also outlined the FTC’s education and enforcement work related to device and information security particularly as it relates to IoT. The FTC has provided IoT manufacturers with guidance on how to predict and mitigate against privacy and security risks.
BCP staff recommends that the CPSC consider how companies might provide consumers with the opportunity to sign up for communications about safety notifications and recalls for IoT devices.
Although BCP staff does not take a position on whether or not the CPSC should implement regulations relating to IoT device hazards, to the extent it considers such regulation, BCP staff suggests that the CPSC use a technology-neutral approach that is sufficiently flexible so that it does not become obsolete as technology changes. Finally, to the extent that the CPSC considers certification requirements for IoT devices, staff recommends that the CPSC should consider requiring manufacturers to publicly set forth the standards to which they adhere. Such disclosures would improve transparency to consumers, as well as allow the FTC to exercise its authority under the FTC Act against companies that misrepresent their security practices in their certifications.
The Commission voted 5-0 to authorize staff to file the comment.