83 FR 13122 - The Internet of Things and Consumer Product Hazards

CONSUMER PRODUCT SAFETY COMMISSION

Federal Register Volume 83, Issue 59 (March 27, 2018)

The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. The information received from the public hearing will be used to inform future Commission risk management work. The Commission also requests written comments.

[Federal Register Volume 83, Number 59 (Tuesday, March 27, 2018)]
[Notices]
[Pages 13122-13124]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2018-06067]


-----------------------------------------------------------------------

CONSUMER PRODUCT SAFETY COMMISSION

[Docket No. CPSC-2018-0007]


The Internet of Things and Consumer Product Hazards

AGENCY: U.S. Consumer Product Safety Commission.

ACTION: Notice of public hearing and request for written comments.

-----------------------------------------------------------------------

SUMMARY: The U.S. Consumer Product Safety Commission (CPSC, Commission, 
or we) will conduct a public hearing to receive information from all 
interested parties about potential safety issues and hazards associated 
with internet-connected consumer products. The information received 
from the public hearing will be used to inform future Commission risk 
management work. The Commission also requests written comments.

DATES: The Commission hearing will begin at 10 a.m., on May 16, 2018, 
and will conclude the same day. The Commission hearing will also be 
available through a webcast, but viewers will not be able to interact 
with the panels and presenters through the webcast. Requests to make 
oral presentations and the written text of any oral presentations must 
be received by the Office of the Secretary not later than 5 p.m., on 
May 2, 2018. The Commission will accept written comments, as well, 
through June 15, 2018.

ADDRESSES: The hearing will be in the Hearing Room, 4th Floor of the 
Bethesda Towers Building, 4330 East-West Highway, Bethesda, MD 20814. 
Requests to make oral presentations, and texts of oral presentations, 
should be captioned: ``The Internet of Things and Consumer Products 
Hazards,'' and sent by email to [email protected], or mailed or 
delivered to the Office of the Secretary, Consumer Product Safety 
Commission, 4330 East-West Highway, Bethesda, MD 20814, no later than 5 
p.m. on May 2, 2018.
    You may submit written comments, identified by Docket No. CPSC-
2018-0007, by any of the following methods:
    Electronic Submissions: Submit electronic comments to the Federal 
eRulemaking Portal at: www.regulations.gov. Follow the instructions for 
submitting comments. The Commission does not accept comments submitted 
by electronic mail (email), except through www.regulations.gov. The 
Commission encourages you to submit electronic comments by using the 
Federal eRulemaking Portal, as described above.
    Written Submissions: Submit written submissions by mail/hand 
delivery/courier to: Office of the Secretary, Consumer Product Safety 
Commission, Room 820, 4330 East-West Highway, Bethesda, MD 20814; 
telephone (301) 504-7923.
    Instructions: All submissions received must include the agency name 
and docket number for this notice. All comments received may be posted 
without change, including any personal identifiers, contact 
information, or other personal information provided, to: 
www.regulations.gov. Do not submit confidential business information, 
trade secret information, or other sensitive or protected information 
that you do not want to be available to the public. If furnished at 
all, such information should be submitted in writing.
    Docket: For access to the docket to read background documents or 
comments received, go to:

[[Page 13123]]

www.regulations.gov, and insert the docket number CPSC-2018-0007, into 
the ``Search'' box, and follow the prompts.

FOR FURTHER INFORMATION CONTACT: Patricia Adair, Director, Risk 
Management Group, Office of Hazard Identification and Reduction, U.S. 
Consumer Product Safety Commission, 4330 East-West Hwy., Room 813, 
Bethesda, MD 20814. Telephone: 301-504-7335; Email: [email protected].

SUPPLEMENTARY INFORMATION:

I. Background

    There has been an increase in the number of consumer products with 
a connection to the internet that can transmit or receive data, upload 
or download operating software or firmware, or communicate with other 
internet-connected devices. This connected environment is commonly 
called ``the Internet of Things'' (IoT). This internet connectivity 
within and among products holds the promise of many benefits for 
consumers. However, internet connectivity is also capable of 
introducing a potential for harm (a hazard) where none existed before 
the connection was established. The consumer hazards that could 
conceivably be created by IoT devices include: Fire, burn, shock, 
tripping or falling, laceration, contusion, and chemical exposure. We 
do not consider personal data security and privacy issues that may be 
related to IoT devices to be consumer product hazards that CPSC would 
address.
    The growth of IoT-related products is a challenge for all CPSC 
stakeholders to address. Regulators, standards organizations, and 
business and consumer advocates must work collaboratively to develop a 
framework for best practices. To that end, the Commission will hold a 
public hearing for all interested parties on consumer product safety 
issues related to IoT.
    Broadly speaking, the product safety challenges of IoT products 
appear to fall into two main categories:
    1. Prevention or elimination of hazardous conditions designed into 
products intentionally or without sufficient consideration, e.g., high-
risk remote operation or network enabled control of products or product 
features. Such products function as intended on delivery with 
unreasonable levels of risk, or have design defects that were not 
considered or were disregarded before delivery. In many ways, the 
preventive or corrective work related to such products can be seen as 
traditional activity for industry and for the CPSC. However, the high 
rate of growth, unlimited scope of application, and limited experience 
with such products present new safety challenges.
    2. Preventing and addressing incidents of hazardization. 
Hazardization is the situation created when a product that was safe 
when obtained by a consumer but which, when connected to a network, 
becomes hazardous through malicious, incorrect, or careless changes to 
operational code. Managing these kinds of hazards may lead industry and 
regulators to examine policies related to code encryption and security, 
authorized access to programming, and defensive measures (and 
countermeasures) for device software. This is a non-traditional area of 
product safety activity for the consumer product industry and for the 
CPSC.
    Examples of hazards created by an internet-connected product 
include:
     Remote operation: For example, the remote activation of 
the heating elements on a cooktop could create a fire or burn hazard.
     Unexpected operating conditions: For example, a product 
might work safely on delivery, but a software/firmware code is changed 
(malicious or otherwise) during subsequent network access, creating a 
hazard where none existed before, such as a robotic vacuum cleaner that 
suddenly begins operating much faster than expected.
     Loss of a safety function: For example, if an integrated 
home security and safety system fails to download a software update 
properly, the default condition may be to deactivate the system, 
resulting in disabling the smoke alarms without the consumer's 
knowledge.
     Hazard is created from an intended product feature: For 
example, a cooktop that might be remotely controlled could start a 
fire.
    Multiple parties can be involved in creating IoT devices. For 
example the hardware designer, software developer, application 
generator, and third party programmer who creates a useful function for 
the device could all be separate parties. These parties may or may not 
interact collaboratively, or may not even be aware of each other's 
activities.
    CPSC's authority covers the types of product hazards described 
above. Therefore, this hearing will not address personal data security 
or privacy implications of IoT devices.

II. Areas for Discussion

    The Commission is interested in discussion about consumer product 
hazards enabled by an internet connection. The areas for discussion 
include:
     Do current voluntary standards and/or safety regulations 
address safety hazards specific to IoT-connected devices?
     How can IoT-connected devices be subject to safety 
standards (or a set of design principles) to prevent injury?
     What types of devices would need such controls or 
supervisory systems, and what type would not, if any?
     Who should develop such standards or create a set of 
design principles?
     Should certification to appropriate standards be required 
before IoT devices are allowed in the marketplace?
     What are the industry's best practices for predicting 
potential hazards caused by IoT-connected devices? What controls or 
supervisory systems are necessary to mitigate these potential hazards?
     What controls or supervisory systems are available to 
mitigate potential hazards caused by misuse of IoT-connected devices, 
such as preventing the disabling of a safety feature?
     What controls or supervisory systems on products are 
necessary to prevent injuries from unintended consequences of 
misinstallation, failed update, operational changes over time, or 
misuse of an internet connection?
     Have IoT-related incidents and injuries already occurred? 
Please describe the injury scenario and the severity of any injuries. 
How would IoT-related incidents be distinguished from other incidents?
     Are incident-collection systems set up to collect IoT-
related incident data?
     Are there ways CPSC can collaborate with other federal 
agencies to address potential safety hazards related to IoT?
     Are there ways CPSC can collaborate with outside 
stakeholders to address potential safety hazards related to IoT?
     How can CPSC educate consumers on the proper use of IoT-
connected devices?
     Some of the consumer hazards that could conceivably be 
created by IoT devices are: Fire, burn, shock, tripping or falling, 
laceration, contusion, and chemical exposure. Are there other hazards 
that could be introduced into consumer products through enabling an 
internet connection?
     For products whose remote operation could create a hazard 
to consumers, should internet connectivity specifically prevent remote 
operation?
     How do IoT software development methods address potential 
product

[[Page 13124]]

failures that may create hazards to consumers?
     What steps should be taken to prevent an internet 
connection from creating a hazard to consumers after a product's 
purchase (or lease) and installation?
     What role should safety standards or design guidelines 
play in keeping IoT devices from creating new hazards to consumers? 
Should these standards be voluntary or mandatory?
     What role should government play in keeping consumers safe 
regarding IoT devices?
     Will policies to prevent hazardization of IoT products 
require or benefit from strong international cooperation?
     How should the Commission consider responsibilities for 
hazards or injuries among the various contributors to an internet-
connected product associated with an incident?
     How should the Commission consider responsibilities for 
hazards or injuries resulting from interdependencies between products 
(e.g., communications protocol between networked alarm and smart home 
hub)?
     For recalls involving IoT devices, what are different ways 
companies can communicate notice to consumers who own the IoT devices?

III. The Hearing

    Through this notice, the Commission invites the public to provide 
information on how internet-connected products can result in hazards to 
consumers, and what actions the Commission can take to eliminate or 
mitigate those hazards. The purpose of the public hearing on IoT is to 
provide interested stakeholders a venue to discuss potential safety 
hazards created by a consumer product's connection to IoT or other 
network-connected devices; the types of hazards (e.g., electrical, 
thermal, mechanical, chemical) related to the intended, unintended, or 
foreseeable misuse of consumer products because of an IoT connection; 
current standards development; industry best practices; and the proper 
role of the CPSC in addressing potential safety hazards with IoT-
related products. CPSC's authority covers the types of product hazards 
described above. Therefore, this hearing will not address personal data 
security or privacy implications of IoT devices.
    To request the opportunity to make an oral presentation, see the 
information under the DATES and ADDRESSES sections of this notice. 
Participants should limit their presentations to approximately 10 
minutes, excluding time for questioning by the Commissioners. To avoid 
duplicate presentations, groups should designate a spokesperson, and 
the Commission reserves the right to limit presentation times or impose 
further restrictions, as necessary.

Alberta E. Mills,
Secretary, Consumer Product Safety Commission.
[FR Doc. 2018-06067 Filed 3-26-18; 8:45 am]
 BILLING CODE 6355-01-P