On June 19, 2017, the Federal Trade Commission (FTC) issued a public comment regarding the National Telecommunications & Information Administration’s (NTIA) draft guidance titled Communicating IoT Device Security Update Capability to Improve Transparency for Customers. In commenting on the guidance, the FTC acknowledged the benefits of and challenges to IoT device security, and encouraged manufacturers to take reasonable measures to secure devices and inform consumers about their security features.
The FTC also recommended three specific modifications to the working group’s proposed “Elements of Updatability.” First, including additional “key elements” that manufacturers should disclose prior to sale:
- Whether and how the device can receive upgrades;
- The date on which security support begins;
- Guaranteed minimum security support period; and
- Whether a “smart” device will become highly vulnerable or lose functionality after support ends.
Second, offering “additional elements” to consumers before or after purchase:
- Uniform method for notifying consumers of available updates;
- Method to sign up for support notifications, separate from marketing communications; and
- Real-time notifications when security support is about to end.
Third, removing an “additional element” that described the process by which the manufacturer provides updates, as the technical details likely will not benefit the customer.
While the FTC’s comments are not binding, the FTC’s suggestions reflect lessons learned from its prior enforcement actions, policy initiatives, and consumer and business education. As a result, IoT device manufacturers should consider implementing the FTC’s proposed practices, regardless of whether NTIA incorporates the FTC’s recommendations into the finalized guidance document.