With the proliferation of devices connecting to your home router, have you ever wondered what all your devices are doing on your network? Hearing about hijacked baby monitors, spying dolls and stuffed animals leaking personal information is unfortunately becoming more commonplace. How safe are your fancy new doorbells, cameras, thermostats and other devices to use? If you want to make an informed decision when purchasing one product over another, how would you know?
Consumer Reports, an organization that reviews all sorts of products, is planning to begin rating connected devices and services for privacy and data security. Of interest to me as a security researcher is that this is being proposed with the goal of becoming an open standard, and Consumer Reports is looking to the security community for help in defining what this means. They have released an initial draft, The Digital Standard, which is also available on GitHub for more technically savvy individuals.
“Making our consumer-protection standard public isn’t just a gesture of transparency (although we think that’s important). It’s an essential part of the whole project. The standard as it’s now written is a first draft. We hope that everyone from engineers to industry groups to concerned parents will get involved in shaping future versions of it,” Consumer Reports notes.
By establishing this standard as open source and asking for community involvement, this initiative addresses a potential limitation of government standards and other slower-moving standards bodies. This implies the standard will continually evolve along with changes in the security and privacy landscape, which is a key factor in succeeding in the technology space. What may be considered “secure” today may not be a year from now as new exploits and bugs are discovered.
This is a great step in the right direction, as consumer purchasing behavior is one of the better motivators to get companies to proactively address issues. Leveraging a well-known and trusted source of consumer review information can help bring the discussion of security and privacy issues to more consumers.
The standard focuses on four areas:
- Products should be built to be secure
- Products should preserve consumer privacy
- Products should protect the idea of ownership
- Companies should act ethically
No system that involves software and networking will ever be 100% secure, but there are a number of things that can be tested on devices, and questions that can be answered, that address many of the security issues that have plagued a lot of devices in the market today. While ambitious, this proposal has the potential to positively impact the industry and elevate security and privacy issues for the general public. The balance will be to provide digestible information to the consumer while also addressing the complicated nuances of security.