FTC Recommends Changes in NTIA Draft Informing Consumers About IoT Patches
Manufacturers should give consumers "clear information about whether, how, for how long, and at what cost their IoT devices will receive security support," the FTC commented on NTIA's multistakeholder initiative on security patching for such devices (see 1610190051). A Monday news release said commissioners voted 2-0 to file the comment in response to an NTIA working group draft document outlining how companies can better inform consumers about IoT security updates. The FTC said that before selling an IoT device, companies should say whether the device can receive security updates, how it receives those updates and when security support will end. On the last point, the commission said manufacturers should provide "a minimum security support period," for "clear, concrete information" compared with an "anticipated timeline" that could be misconstrued as a guarantee. The commission said manufacturers should give a date for starting and ending support. Plus, companies should disclose "key use limitations" before consumers buy a "smart" device so they know it will stop working or become vulnerable when security support ends, said the FTC. It recommended companies adopt a uniform security notification method and give consumers a way to sign up for real-time notifications. The commission said the working group shouldn't require manufacturers to explain to consumers how they evaluate, verify or test updates because those elements may impose "significant communication costs" on industry while providing little to no consumer benefit.