FTC Comments On Guidance To Improve IoT Device Security

King & Spalding

On June 19, 2017, the Federal Trade Commission (“FTC”) submitted public comments recommending modifications to draft guidance to improve the security of Internet of Things (IoT) devices by having IoT manufacturers better inform customers about the security of IoT devices. The draft guidance was prepared by a working group convened by the U.S. Commerce Department’s National Telecommunications and Information Administration (“NTIA”) and released on April 25, 2017.

The draft guidance describes the increasing importance of IoT device security to the security and safety of consumers, businesses, and others, and notes that security updates are key to protecting IoT devices. The draft guidance further notes an interest in promoting transparency with consumers about the security of IoT devices to help them make informed purchasing decisions.

The draft guidance describes “key elements” that the working group determined to be the most important and suggests that manufacturers communicate them to consumers prior to purchase. These include describing whether a device can receive security updates, summarizing how the device would receive those updates, and describing the anticipated end of security update support.

The draft guidance also describes “additional elements” that may be helpful but could be communicated to consumers before or after purchase. These include describing how consumers are notified of security updates, describing what happens when a device no longer receives security update support, and describing how the manufacturer secures updates or an explanation of how the process is reasonably secure.

In its comments, the FTC offers suggestions to supplement and modify the draft guidance. For the “key elements,” the FTC recommends that manufacturers consider stating a clear guaranteed minimum support period rather than merely an anticipated end of support. According to the FTC’s comments, manufacturers should also disclose any significant decrease in functionality or security that would occur after the end of security update support for an IoT device.

The FTC suggests supplementing the “additional elements” with practices such as adopting a uniform notification method for security updates, enabling consumers to sign up for affirmative notifications about security support, and providing real-time notifications of when support for an IoT device will end. The FTC also suggests omitting the “additional element” of describing how the manufacturer secures updates or an explanation of how the process is reasonably secure because it would impose significant communication costs while providing little benefit to consumers.

In addition to recommending these modifications to the draft guidance, the FTC notes that effectively notifying consumers is difficult and that too much information may keep consumers from making informed choices. Therefore, the FTC suggests an alternative approach to reducing harm: providing a secure device that receives automatic security updates for the device’s reasonable lifespan.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© King & Spalding | Attorney Advertising
