Consumer agency bows out of IoT data security role

The Consumer Product Safety Commission plans to focus on physical hazards in an upcoming meeting on the safety of the internet of things.

In a March 28 Federal Register notice, the CPSC announced a May 16 public meeting on the product safety issues arising from the growing popularity of connected devices, including toys, "smart" home products, consumer appliances and more.

But the agency announced it planned to stay in its lane when it comes to focusing on physical threats.

"We do not consider personal data security and privacy issues that may be related to IoT devices to be consumer product hazards that CPSC would address," the notice read.

What makes the IoT different from other consumer product categories is the potential for "hazardization," which CPSC defines as occurring when a safe product "connected to a network, becomes hazardous through malicious, incorrect, or careless changes to operational code."

The agency lists "fire, burn, shock, tripping or falling, laceration, contusion and chemical exposure" as some of the possible outcomes of IoT devices going bad.

At the hearing officials will consider how to prevent IoT products from becoming hazardous after purchase and installation, whether government or commercial standards are required and who among the various participants in a product's design, sale and upkeep  is responsible when a connected device leads to an accident or injuries. The agency will also look at the role of software development in preventing or contributing to product failures.

CPSC joins a host of agencies that are examining the internet of things. So far the National Institute of Standards and Technology and the National Information and Telecommunications Agency have probed the connected devices ecosystem for risks, but no one in the regulatory world appears yet to have an interest in developing rules of the road for the IoT space.

Congress may have a role to play. For more than a year, lawmakers including Sen. Cory Gardner (R-Colo.) and Sen. Mark Warner (D-Va.) have been concerned about the security risks of connected devices that are sold with hard-coded, unalterable passwords, which can potentially lead to hacking at scale and the spread of botnets. They're proposing to leverage the purchasing power of the federal government by requiring minimum security standards for devices bought by agencies.