How Do I Change the Password for My Washing Machine? Consumer Reports’ New Privacy and Security Review Standards

Published: Mar. 07, 2017

Updated: Oct. 05, 2020

Consumer Reports (CR) has long subjected vacuum cleaners, blenders, cars and other consumer goods to rigorous quality and durability testing. Reading CR reviews is a common step for purchasers who value detailed and unbiased assessments. But until now, Consumer Reports’ reviews have not regularly encompassed privacy and security features.

Consumer Reports has teamed with Disconnect, Ranking Digital Rights, and Cyber Independent Testing Lab to address that gap, and going forward will consider cybersecurity and privacy factors in its reviews. Consumer Reports and these partners have also created a formal standard to evaluate the cybersecurity and privacy risks of IoT devices. Each element of the standard lists a criterion (the component or property to be evaluated) and indicators of that criterion’s implementation that will be used in the new reviews. For instance, the Data Collection criterion is “I know what user information this company is collecting,” and the indicator is some disclosure, perhaps in a privacy policy, of the type of user information collected and how it is collected.

The standard’s elements are loosely grouped into a few overarching principles, including:

  1. Build with security in mind. There are several components in the security domain, such as secure development practices, password standards, and data security. Evaluators will check for resilience against common vulnerability classes such as cross-site scripting, and review any crashes for exploitability by attackers. The software should be updatable, and companies should have a bug bounty program or other way to take security vulnerability reports.
  2. Protect consumer privacy. Data security is evaluated through use of encryption, internal security audits, and data retention and deletion policies. The default settings of products should protect consumer privacy. Privacy Policies and Terms of Use should be easy to find and understand.
  3. Allow consumers to alter, fix and re-sell.

Consumer Reports has asked for comments on the new standard and is hosting it on GitHub where notes and proposed modifications can be shared.