Last month, CTIA, the wireless industry association, launched an initiative through which wireless-connected Internet of Things (“IoT”) devices can be certified for cybersecurity readiness.  According to the CTIA announcement, the CTIA Cybersecurity Certification Program (the “Program”) is intended to protect both consumers and wireless infrastructure by creating a more secure foundation for IoT applications that support “smart” cities, connected cars, mobile health apps, home appliances, and other IoT-enabled environments.

The Program was developed in collaboration with the nationwide wireless carriers, along with technology companies, security experts and test laboratories, and builds upon IoT security recommendations from the National Telecommunications and Information Administration (NTIA) and the National Institute of Standards and Technology (NIST).  According to the Program Test Plan, devices eligible for certification include those that contain an IoT application layer that provides identity and authentication functionality and at least one communications module supporting either LTE or Wi-Fi networks.

A device submitted for certification will undergo a series of tests at a CTIA-authorized lab.  The testing will assess the device for one of three certification levels or “categories.” To obtain a Category 1 certification, the device will be reviewed for the presence of “core” IoT device security elements, including a Terms of Service and a customer-facing privacy policy, along with technical elements including password management, authentication and access controls.  A Category 2 certification includes the Category 1 elements, in addition to enhanced security features, such as an audit log, multi-factor authentication, remote deactivation, and threat monitoring. A Category 3 certification features the most comprehensive level of cybersecurity threat testing, and covers elements such as encryption of data at rest, digital signature validation, and tamper reporting, in addition to the elements under Categories 1 and 2.

The Program comes at a time of rapid growth for IoT devices.  According to the latest Ericsson Mobility Report, the global IoT market will expand to 3.5 billion cellular-connected devices in the next five years.  Much of this growth is expected to be driven by the anticipated deployment of 5G technology and enhanced mobile broadband.

The Program will begin accepting devices for certification testing beginning in October 2018.  Details on how to participate in the Program are available on the CTIA website.

green_seals_verticalOn September 14, FTC staff sent warning letters to five providers of environmental certification seals and 32 businesses that display them online, alerting them to the agency’s concerns that the seals may be deceptive and may not comply with the FTC’s Green Guides.  Although the warning letters do not identify which certifiers, seals, or businesses were targeted, they do confirm the FTC’s continued interest in “green” marketing.

The FTC Green Guides state that an environmental certification or seal of approval may imply a general environmental benefit claim when it does not specify the basis for the certification, either through the name or some other means.  The Guides further advise marketers that they may prevent deception by accompanying the seal with “clear and prominent language that clearly conveys that the certification or seal refers only to specific and limited benefits.”

Although the Green Guides are primarily directed at marketers of environmental claims, the warning letters indicate that certifiers themselves may also be on the hook.  In the warning letter directed to certifiers, FTC staff notes its concern that the seal at issue does not convey the basis for the certification and may be considered deceptive under Section 5 of the FTC Act.  Moreover, although the certifiers’ websites provide information to marketers regarding their use of the logo, they do not instruct marketers to use qualifying language.

The warning letter directed to marketers further provides that the seal featured on the company’s website may deceptively convey that a product offers a general environmental benefit because it is not accompanied by clear and prominent qualifying language limiting the seal to a specific benefit or benefits.  In some cases, even if consumers click on the seal for more information, the seal itself does not likely convey an effective hyperlink that leads to the necessary disclosures (FTC directly references its .Com Disclosures here).

Even though the FTC did not disclose which companies received the letters, the FTC’s action provides a few key insights for both certifiers and marketers of certifications and seals.

What certifiers can do:  

  • Create seals or logos that incorporate the basis for the certification directly into the seal or logo, so that consumers do not have to look further to understand the specific product attributes tested or certified
  • Clearly convey to marketers that further qualifying language may be needed when it comes to their specific product.

What marketers can do:

  • Make sure consumers will understand the basis for the certification when the seal is placed on the website, product, or packaging.
  • If the basis for certification is not clear from the seal or logo itself, consider placing additional qualifying language in close proximity to better inform consumers of the specific and limited benefits for certification.
  • Don’t assume consumers will simply click on a seal’s icon online for further explanation. Consumers may just view the icon as another graphic on the page.