The Consumer Product Safety Commission (CPSC) recently held a public hearing to discuss its potential role in overseeing the safety of smart devices collectively referred to as the Internet of Things (IoT). As Wi-Fi- and Bluetooth-enabled devices ranging from coffeemakers to thermostats to medical devices flood the marketplace, regulators and consumer safety advocates alike have raised concerns about whether the current framework of government regulations adequately protects consumers. While the hearing was only one step towards increased regulation, it did highlight possible steps the CPSC may take, as well as possible pitfalls raised by industry members and the legal community.
Currently, smart products exist in a bit of a gray area when it comes to government regulation. With respect to the risk of physical injury, these products are regulated under the same frameworks as their “dumb” counterparts. For example, an electronic children’s toy would be subject to the rules and regulations outlined in the Federal Hazardous Substances Act and ASTM F963-17, the Standard Consumer Safety Specification for Toy Safety, regardless of whether it is Wi-Fi-enabled or not.
Additionally, the electronic components in a smart device would likely fall under the auspices of Part 15 of the Communications Act which regulates items such as batteries and transmitters. If the product is handling user data, the Federal Wiretap Act, Stored Communications Act and Children’s Online Privacy Protection Act may also apply.
While traditional regulations may address the potential dangers of traditional products—dangers which may also be present in their smart counterparts—the very nature of smart products introduces additional risks that are not addressed by current regulations; most significantly, hazardization.
Hazardization is a situation where a product may be safe as manufactured but becomes dangerous through some type of post-manufacture modification. One scenario is a third party hacking into a product’s control system and transforming an otherwise safe product into a dangerous one. For example, a hacker may gain access to a smart light bulb and toggle it on and off so fast that it catches on fire.
Another risk that has played out in the past is a situation where a hacker gains access to a product and uses it to damage something else. This occurs frequently in denial-of-service attacks, where hackers gain access to multiple unsecured devices and then direct them to overload a server in order to take down a website.
Not all hazardization risks are due to hackers. At the CPSC hearing, Travis Norton of Bureau Veritas discussed the risk that partial software updates can present. Mr. Norton offered the example of a smart garage door opener that employed a light beam that would prevent the door from closing if the beam was obstructed. At one point during an automatic software update, the door remained operational while the safety feature was disengaged. Traditional safety testing and standards may not consider potential risks during or after software updates.
The issue of hazardization has escaped regulation because it falls in between the missions of the Federal Trade Commission (FTC), Federal Communications Commission (FCC) and CPSC. In 2015, the FTC published a report outlining best practices for addressing consumer privacy and security risks in smart devices, but it did not issue any legally binding regulations. Additionally, FCC Chairman Ajit Pai has issued a statement regarding monitoring bandwidth availability for the IoT, but has not discussed product regulation.
Internet of Things and Consumer Product Hazards Hearing
Concerned with the risk of hazardization, the CPSC hosted a public hearing on May 16, 2018, to hear from industry leaders regarding their thoughts on regulating the IoT. The CPSC also solicited written submissions regarding the topic. In announcing the hearing, the Commission offered dozens of potential questions to be considered, which focused on security issues and possible means of addressing them. Data privacy concerns were not addressed, with the hearing focused on physical threats of smart products.
The hearing featured various industry leaders voicing their concerns regarding maintaining industry standards for device security. Many noted that one significant problem is the market being flooded by cheap foreign devices produced by fly-by-night manufacturers who have little to no incentive to provide any security. The concerns were best summarized in a letter from the Electronic Privacy Information Center: “Because poor IoT security is something that primarily affects other people, neither the manufacturers nor the owners of those devices have any incentive to fix weak security.”
Suggestions offered for IoT-specific regulations included certification for certain categories of devices (not unlike those found for “dumb” products in the Consumer Product Safety Act), mandatory disclosures to consumers, and mandatory upgrades to avoid situations where products are initially safe but become unsafe over time as their technology becomes outdated. Kathleen McGuigan, deputy general counsel for the Retail Industry Leaders Association, suggested the CPSC issue guidelines similar to those released by the Food and Drug Administration regarding smart medical devices.
While all speakers agreed that consumer safety should be paramount, most raised concerns that cumbersome regulation might inhibit the production of inexpensive, low-risk products, particularly from startups that may not be sophisticated enough to navigate a web of regulations from multiple government agencies. CPSC Commissioner Robert S. Adler, who previously served as acting chairman of the CPSC, shared this concern but noted that it can be challenging for regulators to distinguish those products from inexpensive, high-risk products that “give all of us nightmares.”
Perhaps the biggest takeaway from the hearing was that both industry representatives and the CPSC expressed interest in starting with industry guidelines rather than codified regulations. Commissioners seemed to recognize that industry leaders are in a better situation to address rapidly evolving technology, and that rigid regulations could quickly become outdated. With that in mind, it is imperative that manufacturers of smart devices are proactive in addressing potential hazardization risks, as members of the CPSC may be quick to step in if they feel that insufficient action is being taken.
Since the May hearing, the FTC’s Bureau of Consumer Protection has submitted comments to the CPSC on IoT safety. Our Drinker Biddle colleague, Katherine Armstrong, discussed the FTC’s recommendations in this DBR on Data blog post.