Google comes out with 5 principles for IoT security labeling

In an effort to increase transparency against the full baseline of security criteria for the Internet of Things (IoT) over time, Google has put out a list of principles around IoT security labeling.

This, it claimed, will help drive “competition” in security and push manufacturers to offer products with more robust security protections. Google, in a blog post, expressed hope that the public sector and industry can work together to drive global harmonization to prevent fragmentation.

Proposed Principles for IoT Security Labeling Schemes

Google has based its labeling proposal on five core principles for IoT labeling schemes. These principles will help increase transparency against the full baseline of security criteria for IoT, it said. They will also increase competition in security, push manufacturers to offer products with effective security protections, and help generate higher levels of assurance of protection over time.

Google said labels must not “imply trust”. Unlike food labels, digital security labels must be “live” labels, where security/privacy status is conveyed on a centrally maintained website, which ideally would be the same site that hosts the evaluation scheme. A physical label, either printed on a box or visible in an app, can be used if and only if it encourages users to visit the website (e.g. scan a QR code or click a link) to obtain the real-time status.

At any point in time, a digital product may become unsafe for use. Printed labels that convey trust implicitly, such as “certified to NNN standard” or “3 stars”, run the danger of influencing consumers to make harmful decisions. A consumer may purchase a webcam with a “3-star” security label only to find, when they return home, that the product has non-mitigatable vulnerabilities that make it unsafe, it pointed out.
