Consumer Reports’ decision to rate cybersecurity is a huge deal
Conventional wisdom has it that most consumers simply don’t pay much attention to computer security and privacy issues. Perhaps worse, they don’t think they can do much to protect themselves without foregoing many of the benefits of our digital, connected age. Consumer Reports is trying to change both of those things.
Consumer Reports’ new cybersecurity standard
The influential publication and public-interest organization announced on Monday that it has collaborated on a digital consumer-protection standard designed to define “how companies should build these products to really be good for consumers in terms of privacy and other issues,” said Maria Rerecich, who directs electronics testing at Consumer Reports, in a statement.
Developed with Disconnect, Ranking Digital Rights (RDR) and Cyber Independent Testing Lab (CITL), and dubbed The Digital Standard, it includes basic precepts such as “we think devices that connect to the internet … should require consumers to choose unique usernames and passwords during setup” and “companies to delete consumer data from their servers upon request, to protect personal data with encryption as the data is sent through the internet, and to be completely transparent about how personal consumer information is shared with other companies.”
Basically, the new standard covers four key statements:
- Products should be built to be secure: Consumers deserve products that are built with security as a priority.
- Products should preserve consumer privacy: Consumers should know what data of theirs is being collected and have a reasonable amount of control over it.
- Products should protect the idea of ownership: When consumers buy products, they should be able to alter, fix or resell them.
- Companies should act ethically: Companies should be held accountable for how they interact with the broader world.
Even more important than The Digital Standard itself, Consumer Reports plans to look for ways to use it to enhance its widely read and highly regarded reviews of digital devices and services. The goal is to use the new standard to develop “specific and repeatable testing procedures,” so Consumer Reports and others can compare devices and services against each other on these criteria.
Why Consumer Reports’ cybersecurity standard matters
This move is important for several reasons.
First, Consumer Reports is a respected organization, and adding its reputation to the issue should help raise consumer awareness of these issues. And frankly, not much can or will be done to address these issues as long as consumers don’t pay attention to them.
Second, as Consumer Reports points out, public standards can help give companies a new way to compete with one another on the issue. If a company can credibly claim to be better on privacy and security than another, that can create a competitive advantage. And if other companies see they’re losing business because they’re not taking privacy and security seriously enough, they’re likely to boost their efforts. At the same time, transparent competition should help weed out the very worst offenders, helping to make everyone safer.
Finally, an open standard that makes it easy for consumers to track results and engenders competition is likely to spawn innovation. If companies can succeed by finding new ways to deliver products and services without compromising privacy and security, established operations and new start-ups will have incentives to come up with new and better ways to do just that.
I’m cautiously optimistic that Consumer Reports’ announcement is a real first step in that direction.