UK wants to improve IoT security with labelling scheme

via Flickr © shoe_scraper_of_death (CC BY-ND 2.0)

  • Retailers could be blocked from selling insecure products
  • Govt wants to mandate 'Secure by Design' code of practice
  • People are unwittingly sharing personal data via connected devices

The UK government is considering a labelling scheme that tells customers how secure their IoT products are.

It is one move being considered as part of a consultation by the Department for Culture, Media and Sport (DCMS) that could lead to retailers being banned from selling products that don't measure up to its strict security standards.

These standards are laid out in the 'Secure by Design' code of practice:

  • IoT device passwords must be unique and can't be reset to any universal factory setting.
  • OEMs must provide a public point of contact as part of a so-called vulnerability disclosure policy.
  • Device makers must tell buyers the minimum length of time for which their product will receive security updates.

The code is voluntary at the moment, but the consultation proposes making it compulsory. As for the labelling scheme, that would be voluntary at first, but could also become mandatory. The idea is that it will help customers identify products that have basic security features, and those that don't.

"Many consumer products that are connected to the Internet are often found to be insecure, putting consumers' privacy and security at risk," said digital minister Margot James. "These new proposals will help to improve the safety of Internet-connected devices and is another milestone in our bid to be a global leader in online safety."

On a related note, and one almost as important, privacy is another major issue with consumer IoT, because end users don't always know what they are signing up to when they buy certain connected devices.

One such example from the US was reported by OneZero this week.

Building entry system maker Latch lets people open their front door with their smartphone, or provide one-time access to the lobby of their building to a delivery driver, for example. According to the report, customers have come to learn that Latch reserves the right under its privacy policy to collect, store, and share personally identifiable information with partners, which sometimes includes landlords. Funnily enough, some of them aren't happy about it, and have taken the company to court.

In addition, earlier this month it emerged that Amazon employs teams of people worldwide to listen to audio clips recorded by its Alexa smart speaker for the purposes of improving its voice recognition technology. These recordings are captured and sent off to Amazon without the customer's knowledge.

On this side of the pond, companies like Latch and Amazon are subject to GDPR, so they are required to tell customers what data they collect and for what purpose, and with whom they might share it.

That works fine for online services, but when it comes to consumer IoT devices, that informed consent might only be sought after the customer has bought the device. Are they really going to return the product, or are they just going to blindly consent to whatever data requests are made so they can get on with using their new gadget? I suspect the latter.

As well as a label that informs prospective customers about how secure or otherwise an IoT device might be, there should probably be another one that outlines what data you'll be giving up before you part with your hard-earned money.

These kinds of trust-building business practices might become necessary if consumer IoT is to truly go mainstream.
