Setting Standards for Digital Privacy
At SXSW 2017, Consumer Reports and its info-security partners lay out a vision for digital privacy and security testing
When it’s not even obvious which kids’ toy happens to contain a networked computer, how are you supposed to know if the code running on it is secure?
That’s one question that comes free of charge with the growing wave of Internet of Things devices that use sensors and an internet link to respond to their environment and their users. Think of the thermostat that knows whether you’re home and governs the temperature accordingly or the door lock you can monitor from afar.
These can all deliver meaningful advances over unconnected, unaware devices. But security experts say that many of their vendors have skimped on malware protections. This was evidenced by October’s distributed denial-of-service attack that crippled many websites—it was launched from connected cameras that had been hacked.
Last week, Consumer Reports announced that it was working with three other organizations—privacy-software developer Disconnect, the security-testing firm Cyber ITL, and the corporate-accountability group Ranking Digital Rights—to create a set of criteria for testing and ranking Internet of Things gadgets, along with other digital products.
Representatives of all four groups discussed this venture at a panel Monday at the South by Southwest conference in Austin, Texas, and the conversation made one thing clear: The work won't be easy, but there's no time to lose in pushing ahead.
“These products and the Internet of Things bring real tangible benefits to our lives,” Disconnect founder Casey Oppenheim said to open the discussion. “We also have just crazy hacks that I don’t think anybody could even conceive of a few years ago.”
The Digital Standard
The four organizations have laid out their security and privacy criteria at a site called The Digital Standard and at the collaborative-coding site GitHub. Both locations host a spreadsheet that defines expectations in such areas as the use of default passwords and device encryption to protect your data, then proposes various tests to verify a product’s compliance.
Other groups are free to use the standards to develop product testing, and Consumer Reports plans to gradually introduce elements of the standard into its own evaluations.
As the panelists explained, some of the tests would be simple to conduct: For instance, the standard says that if a device or service is password-protected, the user should be required to set his or her own strong password.
Others are more complex. One portion of the standard calls for companies to use common software defenses against remote attacks—but that is hard to evaluate when testers are looking at Internet of Things devices, where the underlying computer code is inaccessible. (The panel did have some advice for programmers, though: “Cut down on the spaghetti code because it only gets noodlier over time,” said Sarah Zatko, co-founder of Cyber ITL.)
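To make the “user must set his or her own strong password” criterion concrete, here is an added example of a first-setup credential policy a device could enforce, and a matching check a tester could run against a device’s credential state. This is illustrative code written for this article, not code from The Digital Standard, Consumer Reports or any of the partner organizations; the minimum length, the character-class rule and the deny list of common defaults are assumptions chosen for the example.

```python
"""Added example: first-setup password policy for a networked device.

Illustrates the criterion that a password-protected device must make the
user choose their own strong password rather than run on a factory default.
Thresholds and the deny list below are assumptions for this example, not
values taken from The Digital Standard.
"""
from dataclasses import dataclass, replace
from typing import List, Optional

# Assumed deny list: factory defaults and common choices (constructed for the example).
COMMON_DEFAULTS = {"admin", "password", "123456", "12345678", "default", "root", "1234"}
MIN_LENGTH = 12  # assumed minimum length


@dataclass(frozen=True)
class DeviceCredentialState:
    factory_password: str            # credential the device shipped with
    current_password: Optional[str]  # None: the user has never set one
    setup_complete: bool             # True once the device allows normal operation


def password_problems(candidate: str, factory_password: str) -> List[str]:
    """Return the reasons a candidate password is unacceptable (empty if it is fine)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_DEFAULTS:
        problems.append("common default")
    if candidate == factory_password:
        problems.append("unchanged factory password")
    # Assumed rule: at least three of lower, upper, digit, symbol.
    classes = sum([
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(not c.isalnum() for c in candidate),
    ])
    if classes < 3:
        problems.append("too few character classes")
    return problems


def try_complete_setup(state: DeviceCredentialState, candidate: str) -> DeviceCredentialState:
    """Device-side policy: setup only finishes once an acceptable password is chosen.

    A rejected candidate leaves the device in its not-yet-set-up state, so it
    never goes into service on the factory default.
    """
    if password_problems(candidate, state.factory_password):
        return state
    return replace(state, current_password=candidate, setup_complete=True)


def is_compliant(state: DeviceCredentialState) -> bool:
    """Tester-side check: does the device, as configured, meet the criterion?

    A device that is operating normally with no user-set password, or with a
    password that is still the factory default or otherwise weak, fails.
    """
    if not state.setup_complete or state.current_password is None:
        return False
    return not password_problems(state.current_password, state.factory_password)


if __name__ == "__main__":
    shipped = DeviceCredentialState("admin", None, False)
    print("as shipped compliant:", is_compliant(shipped))                  # False
    after_weak = try_complete_setup(shipped, "admin")
    print("kept default compliant:", is_compliant(after_weak))            # False
    after_strong = try_complete_setup(shipped, "Tr0ub4dor&3-stable!")
    print("user-set strong compliant:", is_compliant(after_strong))       # True
    running_on_default = DeviceCredentialState("admin", "admin", True)
    print("in service on default:", is_compliant(running_on_default))     # False
```

The two functions deliberately mirror the two sides of the standard: `try_complete_setup` is what a vendor would build into the device so that the setup flow cannot be finished with a default or weak credential, and `is_compliant` is the question a tester asks of a device pulled from the box.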
The standard also covers privacy practices and other corporate policies. Ranking Digital Rights founder Rebecca MacKinnon noted that many companies have yet to nail down a coherent set of rules.
“You’d be shocked how many companies haven’t even figured out their policies,” she said.
What Comes Next
Turning this proposal into detailed testing criteria for use by CR and other organizations won’t be a quick process—especially because the Internet of Things universe keeps expanding.
“We got a gas grill the other day that’s network-connected,” pointed out Maria Rerecich, CR’s director of electronics testing.
However, manufacturers can start using the standards right away, Rerecich said in a conversation after the panel. The standards describe “the ideal state” for digital devices in terms of privacy and security protections, and she hopes they will motivate companies to do better. “They don’t need to wait for testing to happen.”
In the long run, however, both this standard and comparable efforts such as Underwriters Laboratories’ Cybersecurity Assurance Program are likely to work better when someone is holding companies to account, Oppenheim said.
“Unless there’s a real negative consequence for the company, they’re just going to do what’s good for their shareholders,” he said. But he added that he has seen Facebook and Google respond to public pressure on privacy issues. And if those giants can be swayed by informed consumers, the same should go for any tech company.