The Federal Trade Commission (FTC) has contributed comments to a working group, overseen by the U.S. National Telecommunications and Information Administration, that is tasked with producing guidance to ensure IoT users are properly informed about new security updates for their connected devices.

Specifically, the FTC commented on elements that

manufacturers should consider conveying to consumers to help them make better informed purchasing and use decisions. Such key elements include whether the device can receive security updates, how it will receive them, and when support for the device would end.

In the full document provided to the working group, the opening recommendation is that

when describing [a] support period, manufacturers should consider whether they can disclose a minimum security support period in addition to, or instead of, an “anticipated timeline” for support. In the Commission’s experience, aspirational claims can mislead consumers under certain circumstances. It is possible, for example, that consumers would perceive a statement that a company “anticipates” supporting a device for, say, 30 months as a guarantee of the full 30 months of support.

Another concern was that vague statements such as “two years of support” do not indicate exactly when the clock started ticking.

More importantly, given the myriad potential privacy and security issues arising from devices that eventually go unsupported, and that few consumers would expect to pose a threat, the FTC recommended that

if a “smart” device will stop functioning or become highly vulnerable when security support ends, and if consumers would expect a similar “dumb” device to have a longer, safer lifespan, then manufacturers should disclose those key use limitations to consumers prior to purchase.

It was also suggested that manufacturers adopt a uniform standard for update notifications, if indeed such updates are not to be automatic. Finally, the comments encourage frameworks for signing up consumers so they can receive email or other alerts about ongoing support, which should include a real-time push notification (or similar) at the precise moment when support ends.