A Sting Exclusive: “Cybersecurity: Why consumer products must be looked at urgently”, by BEUC’s Deputy Director General


Ms Ursula Pachl, BEUC’s Deputy Director General.

This article was exclusively written and published for The European Sting by Ms. Ursula Pachl, Deputy Director General of BEUC, the European Consumer Organisation. The opinions expressed in this article belong to our distinguished writer.

 

According to estimates, there will be 75 billion connected devices globally in 2025. More and more traditional consumer products that can connect to the Internet (the Internet of Things) are coming to the market: cars, baby monitors, fridges, toys, washing machines and toothbrushes, just to name a few.

Connected devices could bring potential advances, for instance making services more convenient. IoT security cameras allow consumers to watch remotely what happens in their house. Connected lights enable people to switch lights on and off from a distance, and smart thermostats can optimise your heating and allow you to save energy. A fridge could order food directly from an online supermarket when a consumer is running low on something.

However, these new products also carry risks – risks related to our physical safety, loss of personal data, 24/7 surveillance by business, payment fraud and others.

Consumer products are also becoming different in nature: they are increasingly a mix of hardware, software, data and services. And IoT products not only need to be safe, they also need to be secure, yet they evolve all the time. As they are connected to the internet, software updates are needed regularly. These can happen remotely – sometimes without the consumer knowing. They may improve security features or increase performance, but they can also change the functionalities of the product.

Testing, testing, testing

Our member organisations, national consumer groups, have carried out numerous tests of IoT products. Thanks to that, consumers have access to independent information about which connected products one should buy and which ones to avoid. But these tests are not only an important source of information for consumers. It is through these findings that finally European institutions have realised that many consumer products are now connected but that they are not at all cybersecure: Sadly, the results of our members’ tests show that the market is swamped with products which pose big risks.

Belgian consumer group Test Achats/Test Aankoop asked two ethical hackers to find security flaws in 19 popular smart devices, like alarm systems, a smart lock and a robot vacuum cleaner, which they had installed in one apartment. It wasn’t really rocket science to find security flaws. They also easily managed to break into the apartment.[1]

Unfortunately, children’s products are among those most at risk. Consumer group Forbrukerrådet from Norway raised the alarm when it discovered that the internet-connected toys ‘My Friend Cayla’ and ‘i-Que’ fail miserably when it comes to safeguarding basic consumer rights, security, and privacy.[2] German consumer association Stiftung Warentest also showed how connected toys could be used to spy on children.[3]

EU laws are not up to the challenge

While problems with internet-connected products are now getting more attention, the EU’s legal system lacks horizontal cybersecurity legislation which requires all IoT products to be cybersecure.

And although there is a set of rules to ensure that products that are put onto the European market are safe, the EU’s product safety legislation is not enough because it defines the concept of safety too narrowly to deal with the risks related to internet-connected objects. EU law to date protects consumers against products which can physically harm them, such as an unstable ladder or dangerous chemicals in furniture or toys. But what about payment fraud because a computer was hacked? What rules apply to protect against hackable smart door locks which allow burglars to intrude into your house? And what will prevent IoT toys which endanger a child’s privacy from hitting the market?

Another lacuna is that, because of the lack of a legal base for mandatory security, effective market checks are missing. Even though a recent recall from the Icelandic market surveillance body shows that action is possible[4], the above-described problem with the definition of what is a ‘safe’ product means authorities are not wiping out products that pose risks to consumers due to security flaws.

Small products, big risks

It would be a tragic mistake to dismiss the security flaws of household appliances, toys or watches as a small-scale consumer problem. As we are living in a connected world, cyber-attacks on these products can be harmful for society at large. Cyber-attacks have led to huge damages to the economy, shut down hospitals and could even endanger our country’s electricity system in the future. Making consumer products safer is critical.

Problems not solved with the Cybersecurity Act

In 2018, the EU adopted a Cybersecurity Act. It has enlarged the role of the European Union Agency for Network and Information Security (ENISA) and put in place a cybersecurity certification scheme. Any potential future certification scheme for the security of consumer IoT will however only be voluntary for business. Consequently, unsecure connected products can still end up on the market.

Over the past years we have repeatedly called for binding rules which would require all manufacturers of connected consumer products to adhere to a minimum set of cybersecurity measures before placing their products on the market. These binding rules would include at least strong authentication mechanisms (i.e. connected products would require the consumer to use strong passwords), the availability of security updates and encryption of data.

We hope that the next European Commission will take action to ensure that all products are not only safe but also secure. For now, our member organisations will continue to test products, inform consumers and alert authorities when they discover grave security flaws. Authorities – following the Icelandic example – may use existing legislation creatively to remove products from the market. The UK Government Code of Practice for Consumer IoT Security is a leading national example which can make a difference. And, finally, ENISA should provide guidance for consumer IoT producers and importers.

It is encouraging to see an increase of awareness as to the scale of the problem, and the recognition that cybersecurity is a consumer issue also seen as a in. This must now translate into tangible results.

References

[1] https://www.test-aankoop.be/hightech/internet/nieuws/slimme-woning

[2] https://www.beuc.eu/publications/consumer-organisations-across-eu-take-action-against-flawed-internet-connected-toys/html

[3] https://www.test.de/Smart-Toys-Wie-vernetzte-Spielkameraden-Kinder-aushorchen-5221688-0/

[4] https://ec.europa.eu/consumers/consumers_safety/safety_products/rapex/alerts/?event=viewProduct&reference=A12/0157/19&lng=en

About the author

Ms. Pachl is the Deputy Director General of BEUC, The European Consumer Organisation, representing 43 independent national consumer associations from 32 European countries. Before this, she held different positions at BEUC, starting as Legal Advisor, then working as Senior Policy and Institutional Affairs Advisor. In her current role Ms. Pachl leads BEUC’s work on digital policies, consumer rights, redress and enforcement. She is also responsible for horizontal and strategic policy such as EU governance and Better Regulation issues and represents BEUC in High Level groups, namely the European Commission’s High Level Group for Artificial Intelligence, the stakeholder group of the EU’s Agency for Network and Information Security (ENISA) and the European Commission’s REFIT platform. With over 20 years of experience, Ursula is a seasoned consumer lawyer and advocate who has helped to shape European consumer law and policy. In particular, she has developed BEUC’s law enforcement activities and is currently leading a project on using AI for the implementation of consumer and data subjects’ rights. She is passionate about mainstreaming consumers’ needs into EU policies and ensuring that the digital transformation takes the right direction, leading to a better society for all. Prior to working for BEUC, Ursula worked for the Austrian Federal Ministry for Health and Consumer Protection in Vienna and for the Austrian Consumer Information Association as a member of the consumer advisory board. Ursula is the author of several articles in consumer law and policy journals and regularly comments on consumer issues in the media. She holds a master’s degree in law and a post-graduate degree in cultural management. The primary task of BEUC is to act as a strong consumer voice in Brussels and to try to ensure that consumer interests are given their proper weight in the development of all Union policies.
