Google LLC today released a proposed set of five principles for Internet of Things (IoT) security labeling, aimed at increasing security and transparency for electronic products that connect to the internet.
While noting that policymakers, partners, developers and public interest advocates have focused more on the topic over the last year, Google argues that consensus on IoT product labeling is still lacking, down to the definition of what a label is. Other questions still open to debate include what a label needs to convey about security and privacy, where the label should reside and how to achieve consumer acceptance.
“Google has also been considering these core questions for a long time,” various Google security employees write on the Google Security Blog. “As an operating system, IoT product provider and the maintainer of multiple large ecosystems, we see firsthand how critical these details will be to the future of the IoT.”
In an effort to be a “catalyst for collaboration and transparency,” Google is proposing standards for IoT security labeling.
Under the proposed definitions, a label is a printed and/or digital representation of a product’s security and/or privacy status, intended to inform consumers. A labeling scheme defines, manages and monitors the use of labels, while an evaluation scheme publishes, manages and monitors the security claims of digital products against security requirements and related standards.
The first of the five principles is that a printed label must not imply trust. Digital security labels should be “live” labels, with the product’s security and privacy status conveyed on a centrally maintained website, ideally the same site hosting the evaluation scheme. A physical label should be used only to direct users to that website so they can obtain the product’s current status, since a static printed label cannot reflect changes after the product ships.
The second principle is that labels must reference strong international evaluation schemes. The point is not the physical form of the label but that it points to a security/privacy posture maintained by a trustworthy evaluation scheme. The third principle is that a minimum security baseline must be coupled with security transparency: the baseline sets an important minimum bar for digital security, and transparency about how products measure up against it accelerates improvement across the ecosystem.
The fourth proposed principle is that broad-based transparency is just as important as the minimum bar. Google argues that labeling schemes often focus on the lowest common denominator of security capability, and that it is equally important for them to make a product’s security posture visible beyond that floor.
The final principle is that labeling schemes are useless without adoption incentives. Voluntary schemes tend to attract the developers who are already doing good security work, while security across the IoT market as a whole is, on average, poor. Google proposes national labeling schemes, arguing that mandates can drive improved behavior at scale when they reference broadly accepted, high-quality standards and schemes maintained by non-government organizations.
“As labeling efforts gain steam, we are hopeful that the public sector and industry can work together to drive global harmonization to prevent fragmentation,” the blog post concludes. “And we hope to provide our expertise and act as a valued partner to governments as they develop policies to help their countries stay ahead of the latest threats in IoT.”