You may have heard about CloudPets being pulled off shelves for recording kids’ voices and that data being leaked, or the EU recalling kids’ smart watches for giving away children’s location in real time. If you’re shopping for any sort of Internet-connected device, you should be worried about your privacy and investigating how much data your new gadget is collecting. That’s why we’ve joined Mozilla in calling on big retailers in the US like Target, Walmart, Best Buy, and Amazon to publicly endorse and apply our minimum security and privacy guidelines and stop selling insecure connected devices.
From the letter: “Given the value and trust that consumers place in your company, you have a uniquely important role in addressing this problem and helping to build a more secure, connected future. Consumers can and should be confident that, when they buy a device from you, that device will not compromise their privacy and security. Signing on to these minimum guidelines is the first step to turn the tide, and build trust in this space.”
In total, the letter is co-signed by 11 organizations: Mozilla, Internet Society, Consumers International, ColorOfChange, Open Media & Information Companies Initiative, Common Sense Media, Story of Stuff, Center for Democracy and Technology, Consumer Federation of America, 18 Million Rising, and Hollaback.
5 Minimum Security Standards for IoT Devices
Encrypted communications
The product must use encryption for all of its network communications functions and capabilities. This ensures that communications cannot be eavesdropped on or modified in transit.
Security updates
The product must support automatic updates for a reasonable period after sale, and they must be enabled by default. This ensures that when a vulnerability becomes known, the vendor can make security updates available to consumers, which are verified (using some form of cryptography) and then installed seamlessly. Updates must not make the product unavailable for an extended period.
Strong passwords
If the product uses passwords for remote authentication, it must require that strong passwords are used, including having password strength requirements. Any non-unique default passwords must also be reset as part of the device’s initial setup. This helps protect the device from password-guessing attacks, which could result in device compromise.
Vulnerability management
The vendor must have a system in place to manage vulnerabilities in the product. This must also include a point of contact for reporting vulnerabilities or an equivalent bug bounty program. This ensures that vendors are actively managing vulnerabilities throughout the product’s lifecycle.
Privacy Practices
The product must have a privacy policy that is easily accessible, written in language that is easily understood and appropriate for the person using the device or service. Users should at minimum be notified about substantive changes to the policy. If data is being collected, transmitted or shared for marketing purposes, that should be clear to users and, in line with the EU’s General Data Protection Regulation (GDPR), there should be a way to opt out of such practices. Users should also have a way to delete their data and account. Also in line with GDPR, this should include a policy setting standard retention periods wherever possible.
These five are a subset of our IoT Trust Framework, a more comprehensive set of principles manufacturers, resellers, and policymakers can use to help secure IoT devices and their data.
We hope that this letter opens the discussion with large retailers so that we can work together to increase consumer confidence that the devices they bring into their lives will not do them harm. We’re committed to helping improve the safety and trustworthiness of all types of IoT products.
Here’s What You Can Do Today
- Check out our #GetIoTSmart page for consumer and enterprise IoT safety checklists, and to keep up to date on our latest IoT activity, news and tips.
- Reach out to your favorite retailer to (1) share our tips and advice, (2) express your thoughts on privacy and security, and (3) ask them to commit to endorsing minimum security standards in the products they sell. Tell them to #GetIoTSmart!