CPSC Takes a Dip in the IoT Regulatory Pool
The U.S. Consumer Product Safety Commission (CPSC) announced on March 27 its plan to hold a public hearing on May 16 “to receive information from all interested parties about the potential safety issues and hazards associated with internet-connected consumer products,” commonly known as the Internet of Things (IoT).
The significance of this undertaking is noteworthy and welcomed. The CPSC in its announcement clearly recognizes that consumer products connected to the internet are “capable of introducing potential for harm (a hazard) where none existed before the connection was established. The consumer hazards that could conceivably be created by IoT devices include: fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure.” Excluded from CPSC purview, but no less potentially problematic to consumers, are personal data security and privacy issues related to consumer IoT devices. Fortunately, the Federal Trade Commission (FTC) is exercising oversight in this particular arena to protect consumers.
Presently, the CPSC does not have specific guidelines for regulating consumer products that are connected to the internet. Although every product used by consumers that falls under the jurisdiction of the CPSC has safety standards, these do not necessarily address taking an otherwise dumb consumer product (not connected to the internet) and transforming it into a smart product (that is connected to the internet). The challenge is not limited to addressing the overlay of internet connectivity, because “dumb products made smart” incorporate all manner of sensors and software, as well as apps that enable remote control and monitoring, to enhance service and convenience and to collect data for use by the smart-product manufacturers.
The ability of smart products to be commanded and controlled from remote locations, coupled with the vulnerability of internet-connected products to being hacked and abused by third-party actors, is driving the CPSC’s concerns.
The CPSC acknowledges as much in the announcement, focusing on two specific product safety challenges:
First, the agency is seeking “prevention or elimination of hazardous conditions designed into products intentionally or without sufficient consideration, e.g., high-risk remote operation or network enabled control of products or product features.”
The second is “preventing and addressing incidents of hazardization,” defined as “situations created when a product that was safe when obtained by a consumer but which, when connected to a network, becomes hazardous through malicious, incorrect, or careless changes to operational code.” The CPSC acknowledges “this is a non-traditional area of product safety activity for the consumer product industry and the CPSC.”
And there lies the rub. The landscape of consumer products that have or will become connected to the internet is enormous and continues to grow exponentially. Large and small kitchen appliances, voice assistants (Alexa), security cameras, home security systems, consumer electronics, and home heating and cooling systems are just a few existing examples, not to overlook wearables, with many more to come.
The challenge with such a large and diverse pool of internet-connected products is to develop a set of guidelines that can address the safety concerns in a meaningful manner, balancing the welfare of consumers without stifling innovation. Security baked into these products at the design stage will be an obvious starting point. However, maintaining security and software updates over the life cycle of different products will prove problematic. Many smart-home or consumer products have low computing capacity, which does not lend itself to security patches and software updates.
In addition, new threats are being identified. While software and sensors are the focus, it has been shown that hardware is vulnerable, as recently disclosed by Intel.