
Consultation on proposals to regulate consumer IoT device security

  • United Kingdom
  • Privacy, data protection and cybersecurity - Cyber
  • Technology
  • Technology, Media and Telecoms
  • Technology, Media and Telecoms - Disruptive Technology

01-05-2019

On 1 May 2019 the UK government, through the Department for Digital, Culture, Media & Sport, launched a consultation on its proposals to regulate the security of consumer Internet of Things (“IoT”) or “smart” devices, which it defines as products that are connected to the internet and/or home network and associated services. This therefore includes products such as smart phones, smart appliances, TVs and speakers, wearable health trackers, internet connected toys and internet connected security systems, detectors and monitors.

Background

In October 2018, the UK government published a voluntary Code of Practice for Consumer IoT Security (“CoP”), which brought together 13 guidelines that are widely considered good practice in IoT security and is intended to support all stakeholders involved in the development, manufacturing and sale of consumer IoT devices.

In February 2019, ETSI (the European Standards Organisation which sets globally applicable standards for ICT-enabled systems, applications and services) published Technical Specification 103 645. This builds on the CoP but is intended to facilitate a harmonised approach to consumer IoT security at a global level, including by informing the development of regulation and industry-led certification schemes.

Current consultation

The current CoP relies on self-regulation by industry, but the UK government is concerned that despite the introduction of the CoP there are still significant security flaws in many products on the market and this situation needs to be addressed urgently in order to protect both consumers and the wider economy. As part of its policy objective of moving away from consumers being responsible for securing their own devices towards ensuring that all consumer IoT products are secure by design, the government now intends to introduce legislation to regulate this area and ensure that all consumer IoT devices meet basic security standards. The current consultation sets out its suggested proposals for regulation.

The government is seeking to balance the needs of protecting the privacy and security of consumers against the risk of imposing a heavy regulatory burden on industry and stifling innovation. Following consultation with stakeholders, experts and the National Cyber Security Centre it has therefore identified what it considers to be the top three guidelines of the CoP which it wishes to become mandatory in the UK, namely:

• all IoT device passwords to be unique and not resettable to any universal factory default value;

• each manufacturer to provide a public point of contact as part of a vulnerability disclosure policy to enable security researchers and others to report issues; and

• each manufacturer to explicitly state the minimum length of time for which the product will receive security updates.

There are three alternative proposals for how this could be implemented.

Option A, which is the government’s preferred option, involves the introduction of a new mandatory security labelling scheme for consumer IoT products to assist consumers in making informed purchasing decisions. The proposed label contains two symbols: the first is a shield with a tick or cross that indicates whether the product has a unique password that is not resettable to a universal factory setting and whether the manufacturer has implemented a vulnerability disclosure policy; the second contains a date identifying the end of the minimum period for which the product will receive security updates. Under Option A, manufacturers would be required to self-declare and apply a security label in the mandated form to each of their consumer IoT products, and retailers would only be able to sell consumer IoT products that carry the required label.

Option B would require manufacturers to self-declare that their consumer IoT products adhere to the top three guidelines of the CoP (as identified above) and to ETSI TS 103 645, and retailers could only sell products that adhere to the top three guidelines.

Option C would require manufacturers to self-declare that the product complies with all 13 CoP guidelines and to label the product accordingly, and retailers would only be able to sell products with the required label.

The consultation contains a series of questions for stakeholders, such as device manufacturers, IoT service providers, mobile app developers and retailers, to respond to. It closes on 5 June 2019. The government has stated that, following analysis of responses to the consultation, it will, when Parliamentary time allows, introduce legislation to set requirements for a mandated labelling scheme and/or device security. It also makes it clear that this is only the first proposed phase of regulation in this sector and that it intends to increase regulation by mandating further CoP requirements over time.

In the meantime, until legislation is introduced, the government intends the proposed security labelling system to be run on a voluntary basis from a date to be determined later this year.

Implications for stakeholders

Whilst security is clearly paramount for IoT devices, the legislation that will regulate this rapidly expanding market will have potentially significant cost and compliance implications for designers, manufacturers and suppliers of consumer IoT devices for the UK market. Now is the time for them to get involved in shaping that legislation by responding to the consultation.

As well as the cost and potential burden of complying with the proposed UK legislation, a key concern for all stakeholders, which is likely to come out in the responses to the consultation, will be the potential for the regulatory environment to diverge between territories over time. This could lead to different labelling requirements, and even different security requirements, for the same product when it is sold in different countries.

We will be closely monitoring the outcome of this consultation and will report further on it when its conclusions are published.