Consumer Reports announced that it has developed a standard to help consumers know if a product respects their privacy and protects their data. The publication said it also plans to take this standard into account when it reviews products in the future. Given the company's influence, this move could persuade manufacturers to finally take their customers' security seriously instead of treating it as an afterthought or simply ignoring it outright.
The announcement comes after many products have been revealed to be insecure. Internet-connected stuffed animals from CloudPets made it easy to collect email addresses, voice recordings, and other data from children and their families; Internet of Things (IoT) products were used to knock major websites like Twitter and Spotify offline; and several IoT cameras have sported vulnerabilities that could be exploited to snoop on unwitting consumers.
These problems have done little to convince manufacturers that privacy and security ought to be a primary concern for any internet-connected device. Some companies have partnered up to share threat information and develop best practices for IoT products, and Senator Mark Warner has called on federal agencies to figure out how to defend against cyberattacks involving those devices, but another vulnerability is always waiting to be found.
Consumer Reports could help make a difference here. The magazine has been running since 1936. Here's what the company said about its decision to develop this standard in its announcement:
Standards and test protocols to evaluate products can be created by government agencies, but they don’t always have to be, especially if the government is not adequately addressing a problem in the marketplace. Consumer Reports has plenty of experience working with and advocating for stronger standards for all manner of products. We pushed hard for and provided scientific input on the development of dynamic rollover tests now used by the government to evaluate all cars, including SUVs. We also develop our own protocols when we believe existing standards are not going far enough to protect consumers. The safety protocol we developed for doing comparative crash-testing on child car seats was designed to reflect consumers' real-world experiences better than government tests, and it has spurred a lot of productive dialogue with manufacturers. We are now turning this type of focus to privacy. If Consumer Reports and other public-interest organizations create a reasonable standard and let people know which products do the best job of meeting it, consumer pressure and choices can change the marketplace. We’ve seen this repeatedly over our 80-year history.
Consumer Reports said the standard focuses on a few basic ideas:
- Products should be built to be secure.
- Products should preserve consumer privacy.
- Products should protect the idea of ownership.
- Companies should act ethically.
Those are just the broad strokes of the standard. Consumer Reports worked with Disconnect, Ranking Digital Rights, and the Cyber Independent Testing Lab on the standard. All of those organizations--two of them, Ranking Digital Rights and the Cyber Independent Testing Lab, are nonprofits--are devoted to helping consumers protect their privacy and security. The groups worked together over the course of several months to develop the new standard.
Work on the standard was funded by the Craig Newmark Foundation and Craig Newmark Philanthropic Fund, as well as the Ford Foundation. Consumer Reports released the standard in a public document while "inviting others to give us feedback, add their own ideas, and make the standard better." If the standard catches on, manufacturers could finally be held accountable for the influence they hold over many people's digital privacy and security.
Or, at least, it will be easier for publications like Consumer Reports to warn consumers when a product isn't safe to use. Many people have already shown that they aren't going to protect themselves--perhaps warnings from Consumer Reports and other influential outlets will help them stay safe even if they can't or won't follow security best practices.