Consumer Groups Demand IoT Security Law for End-Of-Life Devices
A coalition of consumer advocacy organizations, including Consumer Reports, Secure Resilient Future Foundation (SRFF), and US Public Interest Research Group (PIRG), has introduced a model bill to increase transparency around the end-of-life support for Internet of Things (IoT) devices. The proposed legislation comes as concerns grow about the security risks associated with outdated IoT devices that no longer receive manufacturer support or updates.
IoT devices, such as smart home gadgets and connected appliances, have become increasingly prevalent in recent years. However, many consumers remain unaware of when their devices will no longer receive critical software updates from manufacturers, leaving the devices vulnerable to security risks and unable to perform optimally.
The model bill, dubbed the "Internet of Things Consumer Protection Act," requires IoT device manufacturers to provide clear and conspicuous notice to consumers about the end-of-life date for their devices. The notice would need to be given at the point of sale and in any documentation that accompanies the product.
"Consumers have a right to know when their IoT devices will no longer receive critical security updates," said Marta L. Tellado, President and CEO of Consumer Reports. "This bill aims to ensure that consumers are empowered with the information they need to make informed decisions about their purchases."
The proposed legislation also requires manufacturers to provide clear instructions for updating or disconnecting devices from the internet once they reach end-of-life. This provision is aimed at addressing concerns around the so-called "zombie" IoT devices that continue to operate on networks long after their usefulness has expired, posing security risks and consuming resources.
The bill's introduction comes amid growing scrutiny of the IoT industry from regulators and consumer advocacy groups. In recent years, a number of high-profile cybersecurity incidents involving IoT devices have raised concerns about the risks associated with outdated or unsupported software.
At the same time, some critics argue that the federal government has been slow to act in addressing these issues. In 2015, the Federal Trade Commission (FTC) released guidelines for IoT device manufacturers around security and privacy, but the agency lacks the authority to enforce these recommendations.
"The current regulatory landscape is simply not enough to protect consumers from the risks associated with outdated IoT devices," said Eric Chapman, Senior Policy Analyst at SRFF. "This bill represents a critical step forward in ensuring that consumers have the information they need to make informed decisions about their purchases."
While some manufacturers already provide end-of-life notifications for their IoT devices, the practice is far from universal. The proposed legislation would establish a clear standard for transparency around end-of-life support, providing consistency and clarity for consumers.
The bill faces an uncertain future, as it must be introduced in individual state legislatures before becoming law. However, supporters are hopeful that the proposal will gain traction as awareness grows around the risks associated with outdated IoT devices.
"Consumers deserve to know when their devices will no longer receive critical updates and support," said Teresa Murray, Consumer Watchdog at US PIRG. "This bill represents a vital step forward in ensuring that consumers have the information they need to make informed decisions about their purchases."