The U.S. Consumer Product Safety Commission (CPSC) plans on holding a public hearing on May 16 aimed at putting new regulations in place for Internet of Things (IoT) devices. The hearing was announced in a notice published in the Federal Register on March 27, 2018. Citing an increase in the number of consumer products connected to the Internet, the CPSC’s notice allows the public to submit comments or present information regarding safety issues and potential hazards related to IoT products. That includes smart thermostats, smart locks and other Internet-connected household devices. Safety consulting and certification company Underwriters Laboratories estimates that by 2020, as many as 20 billion devices will be connected to the Internet. With so many devices jumping online, smart home security is a big concern for manufacturers, consumers, and regulators like the CPSC.
The hearing notice cited concerns about the safety of Internet-connected devices, including:
• Fire
• Burn
• Shock
• Tripping or falling
• Chemical exposure
Typically, the CPSC regulates issues related to physical hazards surrounding products. Data breaches and security issues aren’t familiar territory for the agency. In fact, the hearing notice stated: “We do not consider personal data security and privacy issues that may be related to IoT devices to be consumer product hazards that CPSC would address.”
Still, the notice divides potential hazards into two categories of “product safety challenges” which touch on software and data encryption, as well as whether or not a device could be manipulated. These two categories will be explored below.
Prevention of Hazardous Conditions
According to CNET, this category refers to hazardous conditions designed into products intentionally or without what the CPSC calls “sufficient consideration.” Could a smart home device catch fire if operated remotely or left unattended? This kind of question speaks to the more traditional role the CPSC plays in product safety. With new IoT devices, intended to perform all sorts of innovative tasks and with many functions, entering the market regularly, ensuring the physical safety of these devices may be difficult.
Prevention of Hazardization
The CPSC defines “hazardization” as, “the situation created when a product that was safe when obtained by a consumer but which, when connected to a network, becomes hazardous through malicious, incorrect or careless changes to operational code.” For example, could a bad actor hack your robot vacuum, sending it speeding through your home knocking over kids, terrifying dogs and destroying property?
According to law firm Wiley Rein’s Wiley Connect blog, the CPSC is being careful to carve out data security and privacy risks from the scope of its hearing. This may reflect the fact that other agencies (such as NIST) are already paying attention to those topics.
With attention-grabbing incidents involving IoT devices, such as the Mirai malware attack that wreaked havoc on the Internet last year, IoT regulation is a hot topic, and these challenges may lead agencies and industries to give more consideration to policies related to encryption, authorized access and defensive software.
The CPSC wants to hear about a wide range of topics, such as whether current voluntary standards sufficiently address safety hazards specific to connected devices, the role the government should play in keeping consumers safe regarding IoT devices, and who should be considered responsible for hazards or injuries when multiple companies collaborate to create an Internet-connected product.
The hearing itself will be held on May 16 and will be available via webcast. Interested parties will be able to submit their written comments to the CPSC until June 15.