Following up on comments made by Acting Chairman Ann Marie Buerkle at the February International Consumer Product Health and Safety Officials Organization (ICPHSO) conference about plans for a public forum on connected products, the U.S. Consumer Product Safety Commission (CPSC) will hold a hearing focused on unique challenges and considerations that connected products pose for product safety.
Carefully establishing that the CPSC's remit exclusively involves product safety, and not data privacy or information security, a staff-prepared draft notice (which was approved unamended by the Commission) identifies a number of possible safety-related questions about connected consumer products to be considered at the hearing. They include the following:
- What best practices exist to predict hazards?
- Should certification to appropriate standards be required before IoT devices can be marketed?
- Are there ways CPSC can collaborate with other federal agencies and stakeholders to address potential safety hazards related to IoT?
- What steps should be taken to prevent an Internet connection from creating a hazard to consumers after a product's purchase (or lease) and installation?
- What role should safety standards or design guidelines play in keeping IoT devices from creating new hazards to consumers? Should these standards be voluntary or mandatory?
CPSC staff also listed some potential product hazards for connected products, including those caused by remote operation, unexpected operating conditions, loss of a safety function, and unforeseen dangers created by a product feature.
The Commission will hold a hearing on the issue on May 16, 2018, at CPSC headquarters in Bethesda, Maryland. Requests to participate are due May 2. Written comments, due June 15, can be sent via email.
CPSC joins several other federal agencies already actively engaged on questions involving connected products.
- The Federal Trade Commission (FTC) has jurisdiction over consumer privacy and security under its consumer protection mission, as well as in specific sectors like children's privacy (under the Children's Online Privacy Protection Act (COPPA)). Earlier this year, it obtained the first settlement with a manufacturer involving alleged privacy and security lapses with connected toys.
- The U.S. Department of Commerce's (DOC) National Institute of Standards and Technology (NIST) manages development of the Cybersecurity Framework (technically, the Framework for Improving Critical Infrastructure Cybersecurity). While version 1.1 of this Framework is expected to be released in April, its process management-oriented approach is intended to offer both flexibility and a robust method to manage security questions.
- DOC's National Telecommunications and Information Administration (NTIA) Internet Policy Task Force (IPTF) runs open and transparent multistakeholder processes to develop reports and recommendations on cybersecurity issues, such as the most recent report aimed at addressing the threats posed by botnets. Last year, FTC participated in NTIA's process that sought to address these threats using updates and patches to maintain and improve security for connected products.
While most agencies have focused on privacy and data security, the National Highway Traffic Safety Administration (NHTSA) issued voluntary guidance on self-driving cars in its September 2017 report Automated Driving Systems: A Vision for Safety . The guidance discusses best practices for the testing and safe deployment of Automated Driving Systems and identifies "12 priority safety design elements for consideration, including vehicle cybersecurity, human machine interface, crashworthiness, consumer education and training, and post-crash ADS behavior." Following the recent fatal self-driving car accident in Tempe, Arizona, it has been widely reported that NHTSA and the National Transportation Safety Board sent teams to investigate, and both agencies have been in contact with Uber, Volvo, and federal, state, and local authorities concerning the incident.
CPSC should, of course, keep tabs on technology and safety. It has worked with companies on connected product recalls previously, as with the smoke detector that could fail to sound an alarm if consumers inadvertently deactivated it. At the same time, there are already a range of agencies that have expertise and jurisdiction when it comes to connected products. It will be important for the CPSC to avoid conflicting with or duplicating other agencies' requirements, since the line between security issues that affect privacy or infrastructure and those that affect safety may not be clear. Additionally, as the field develops, it will be important for CPSC to avoid actions that limit the flexibility to adopt appropriate technology solutions, for example, through adopting proscriptive standards or other requirements. As other agencies' work has shown, discussions through open multistakeholder initiatives can be an effective way of creating process management-oriented guidelines that avoid strangling innovation while creating a disciplined approach. The upcoming hearing may provide an important vehicle to prompt useful ideas.