In a world where so many of our tools and gadgets — security cameras, watches, refrigerators — are connected to the internet, shoring up cybersecurity is a collective effort.
That’s why the Biden administration is proposing a labeling system for consumer products, sort of like a nutrition label. But instead of calories and fat, the label would tell you how secure that smart device really is.
This week the White House is gathering representatives from the cybersecurity sector, consumer product groups and manufacturers to get input on how to design such a label.
Marketplace’s Meghan McCarty Carino spoke with Jean Camp, a professor of informatics at Indiana University, about why providing consumers this type of information is increasingly important as the Internet of Things continues to expand.
The following is an edited transcript of their conversation.
Jean Camp: Consider smart thermostats. One way a smart thermostat knows people are in the room and controls the temperature is by recording or listening to the sound in the room. If the data are used in further training the [artificial intelligence] that runs on your local thermostat, how specific are the data? Does it send characteristics of the data? This is how loud it was? Or does it send actual recordings? I know security professionals who purchased thermostats and did not know that they were being recorded in their homes. And does this device work when your internet is down? So there are safety as well as security and privacy issues.
Meghan McCarty Carino: You have conducted research on how people respond to cybersecurity nutrition facts, as it were. How do you think a label like this should be designed?
Camp: We looked at all the recommendations [for a rating system] — stars, eyeballs that are looking at you and locks, and we determined that one to five locks tells people you are getting better security here and you’re getting better privacy. But it doesn’t have to be just one level, you can make that more easily, obviously, on the net with phones and browser interfaces where you have your five locks. And you might click on it once. And it might give you a high-level description about what everything is. And you click on the locks and you think, “I am extremely concerned about location” — for example, people who are victims of stalking. So you click on that and you say, “I really want to protect my location.” And that will just give you that information. And it’s also creating a market for people to offer more nuanced guidance.
McCarty Carino: How do you think companies might respond to being asked or forced by law to adopt these labels?
Camp: Well, the company that makes the high-quality, high-security device will be happy, but others might be less happy. We have a little bit of an experiment in this with Apple’s tracing transparency, where people did not realize the degree to which they were being traced and tracked. And when it became possible for them to cut this off, many developers said, “All right, you’re doing no tracing, just pay me money.” So now consumers can make the decision to invest in more secure and higher-quality goods. And if it is indeed true that people don’t care, and I’m sure some people don’t care, they just want the lowest price, that market will still be there as well.
McCarty Carino: Why is a labeling program important to the goal of improving cybersecurity?
Camp: My cybersecurity, or lack of it, can impact you, so there’s an interest in getting collective cybersecurity. But more importantly, I want to be able to buy products that do what I think the product is doing and not engaging in risk without knowing that I’m engaging in risk. You know, at some point, it’s like we’re driving down the road, except for there are no lines on the road and we don’t have a speedometer. It’s not about forcing people to choose security. It’s about enabling people to make decisions about their own priorities and what we want in our own homes.
Related links: More insight from Meghan McCarty Carino
You can read more of Camp’s research into how consumers perceive these labels here.
The basic takeaway, as she mentioned, was that a positive quantitative scale, in which more locks equals more security, performed better than, say, putting more frownie faces to denote worse security.
There are a couple of other countries that have pioneered cybersecurity labels, like Singapore and Finland.
Finland’s version rates a device based on criteria like whether it has regular software updates, what kinds of data protection and encryption methods it uses, and whether its security protections are on by default or you need a Ph.D. in manual reading to turn them on.