Authored by CDT Summer Intern Dominic Contreras.
With its recall authority and broad mission to protect consumers, the Consumer Product Safety Commission (CPSC or the Commission) plays an essential role in protecting the public against hazards associated with products such as toys, refrigerators, and lawn mowers. Increasingly, such potential hazards are becoming digital, as products of all kinds incorporate computers and networks to make them “smarter.” As federal agencies explore their role in the digital realm, the CPSC should direct its authority to protecting consumers from the real and growing threats associated with these Internet of Things (IoT) devices.
CDT recently filed comments with the Commission in response to the hearings on IoT and consumer product hazards that it held in May 2018. In our comments, we encourage the Commission to consider expanding its definition of hazardization – the process by which a product, which would otherwise be safe, poses a danger to consumers when connected to the internet through changes in its operational code – to include the interplay between network connectivity, software, hardware, and autonomous decision-making capabilities.
Charged with overseeing the safety of consumer products, the CPSC has an important role to play in policing the wider IoT landscape. The Commission’s main activities involve standards development, oversight, and monitoring, and it is the only agency able to order the mandatory recall of hazardous products. Readers may be familiar with the CPSC – in October 2016, the Commission ordered the recall of approximately 1.9 million Samsung Galaxy Note7 smartphones amid reports of the devices overheating and catching fire.
Discussions about the risks associated with IoT devices often focus on how they can be co-opted for botnet attacks or used for spying and surveillance. As these debates move toward how to properly regulate the IoT, agencies have been pushing up against their authority and domain expertise. The FDA, for example, has focused on medical devices, while the NHTSA has focused on autonomous vehicles. Meanwhile, the CPSC has been interested in the physical hazards associated with connected devices – think smart toasters catching fire or internet-connected smoke detectors malfunctioning due to a security update.
As the CPSC considers how to mitigate hazards associated with IoT devices, we recommend that the Commission look to existing IoT standards to inform its work; for example, there already exist a number of industry- and government-endorsed IoT standards, and we encourage the Commission to consider their applicability in the consumer product space.
Our comments also highlight the consumer safety risks associated with unsupported or abandoned IoT devices. Product defects and hazards are not always readily apparent, and the networked nature of IoT devices gives rise to the possibility that hazards could arise long after a device is no longer supported but is still in use. Accordingly, the Commission should consider how it will protect consumers and exercise its recall authority when such hazards arise.
Finally, we urge the Commission to engage in enhanced monitoring and oversight of IoT devices. To quickly mitigate product safety hazards and protect consumers, CDT supports a mandatory “Bill of Materials” that lists the component parts for a given IoT device. We also encourage the Commission to include an IoT designation in the National Electronic Injury Surveillance System and in the online form that consumers use to report unsafe products.
Traditionally, the CPSC has considered the myriad of data security and privacy issues that are posed by IoT to be outside its jurisdiction, and more effectively addressed by the Federal Trade Commission (FTC). But we believe having more data cops on the beat is a good thing in this case, and we urge the CPSC to work alongside the FTC to aggressively use its recall authority to address privacy and security harms associated with IoT devices.