AGENCY:

U.S. Consumer Product Safety Commission.

ACTION:

Notice of public hearing and request for written comments.

SUMMARY:

The U.S. Consumer Product Safety Commission (CPSC, Commission, or we) will conduct a public hearing to receive information from all interested parties about potential safety issues and hazards associated with internet-connected consumer products. The information received from the public hearing will be used to inform future Commission risk management work. The Commission also requests written comments.

DATES:

The Commission hearing will begin at 10 a.m., on May 16, 2018, and will conclude the same day. The Commission hearing will also be available through a webcast, but viewers will not be able to interact with the panels and presenters through the webcast. Requests to make oral presentations and the written text of any oral presentations must be received by the Office of the Secretary not later than 5 p.m., on May 2, 2018. The Commission will accept written comments, as well, through June 15, 2018.

ADDRESSES:

The hearing will be in the Hearing Room, 4th Floor of the Bethesda Towers Building, 4330 East-West Highway, Bethesda, MD 20814. Requests to make oral presentations, and texts of oral presentations, should be captioned: “The Internet of Things and Consumer Products Hazards,” and sent by email to cpsc-os@cpsc.gov, or mailed or delivered to the Office of the Secretary, Consumer Product Safety Commission, 4330 East-West Highway, Bethesda, MD 20814, no later than 5 p.m. on May 2, 2018.

You may submit written comments, identified by Docket No. CPSC-2018-0007, by any of the following methods:

Electronic Submissions: Submit electronic comments to the Federal eRulemaking Portal at: www.regulations.gov. Follow the instructions for submitting comments. The Commission does not accept comments submitted by electronic mail (email), except through www.regulations.gov. The Commission encourages you to submit electronic comments by using the Federal eRulemaking Portal, as described above.

Written Submissions: Submit written submissions by mail/hand delivery/courier to: Office of the Secretary, Consumer Product Safety Commission, Room 820, 4330 East-West Highway, Bethesda, MD 20814; telephone (301) 504-7923.

Instructions: All submissions received must include the agency name and docket number for this notice. All comments received may be posted without change, including any personal identifiers, contact information, or other personal information provided, to: www.regulations.gov. Do not submit confidential business information, trade secret information, or other sensitive or protected information that you do not want to be available to the public. If furnished at all, such information should be submitted in writing.

Docket: For access to the docket to read background documents or comments received, go to: Start Printed Page 13123 www.regulations.gov,, and insert the docket number CPSC-2018-0007, into the “Search” box, and follow the prompts.

FOR FURTHER INFORMATION CONTACT:

Patricia Adair, Director, Risk Management Group, Office of Hazard Identification and Reduction, U.S. Consumer Product Safety Commission, 4330 East-West Hwy., Room 813, Bethesda, MD 20814. Telephone: 301-504-7335; Email: padair@cpsc.gov.

SUPPLEMENTARY INFORMATION:

I. Background

There has been an increase in the number of consumer products with a connection to the internet that can transmit or receive data, upload or download operating software or firmware, or communicate with other internet-connected devices. This connected environment is commonly called “the Internet of Things” (IoT). This internet connectivity within and among products holds the promise of many benefits for consumers. However, internet connectivity is also capable of introducing a potential for harm (a hazard) where none existed before the connection was established. The consumer hazards that could conceivably be created by IoT devices include: Fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure. We do not consider personal data security and privacy issues that may be related to IoT devices to be consumer product hazards that CPSC would address.

The growth of IoT-related products is a challenge for all CPSC stakeholders to address. Regulators, standards organizations, and business and consumer advocates must work collaboratively to develop a framework for best practices. To that end, the Commission will hold a public hearing for all interested parties on consumer product safety issues related to IoT.

Broadly speaking, the product safety challenges of IoT products appear to fall into two main categories:

1. Prevention or elimination of hazardous conditions designed into products intentionally or without sufficient consideration, e.g., high-risk remote operation or network enabled control of products or product features. Such products function as intended on delivery with unreasonable levels of risk, or have design defects that were not considered or were disregarded before delivery. In many ways, the preventive or corrective work related to such products can be seen as traditional activity for industry and for the CPSC. However, the high rate of growth, unlimited scope of application, and limited experience with such products present new safety challenges.

2. Preventing and addressing incidents of hazardization. Hazardization is the situation created when a product that was safe when obtained by a consumer but which, when connected to a network, becomes hazardous through malicious, incorrect, or careless changes to operational code. Managing these kinds of hazards may lead industry and regulators to examine policies related to code encryption and security, authorized access to programming, and defensive measures (and countermeasures) for device software. This is a non-traditional area of product safety activity for the consumer product industry and for the CPSC.

Examples of hazards created by an internet-connected product include:

• Remote operation: For example, the remote activation of the heating elements on a cooktop could create a fire or burn hazard.
• Unexpected operating conditions: For example, a product might work safely on delivery, but a software/firmware code is changed (malicious or otherwise) during subsequent network access, creating a hazard where none existed before, such as a robotic vacuum cleaner that suddenly begins operating much faster than expected.
• Loss of a safety function: For example, if an integrated home security and safety system fails to download a software update properly, the default condition may be to deactivate the system, resulting in disabling the smoke alarms without the consumer's knowledge.
• Hazard is created from an intended product feature: For example, a cooktop that might be remotely controlled could start a fire.

Multiple parties can be involved in creating IoT devices. For example the hardware designer, software developer, application generator, and third party programmer who creates a useful function for the device could all be separate parties. These parties may or may not interact collaboratively, or may not even be aware of each other's activities.

CPSC's authority covers the types of product hazards described above. Therefore, this hearing will not address personal data security or privacy implications of IoT devices.

II. Areas for Discussion

The Commission is interested in discussion about consumer product hazards enabled by an internet connection. The areas for discussion include:

• Do current voluntary standards and/or safety regulations address safety hazards specific to IoT-connected devices?
• How can IoT-connected devices be subject to safety standards (or a set of design principles) to prevent injury?
• What types of devices would need such controls or supervisory systems, and what type would not, if any?
• Who should develop such standards or create a set of design principles?
• Should certification to appropriate standards be required before IoT devices are allowed in the marketplace?
• What are the industry's best practices for predicting potential hazards caused by IoT-connected devices? What controls or supervisory systems are necessary to mitigate these potential hazards?
• What controls or supervisory systems are available to mitigate potential hazards caused by misuse of IoT-connected devices, such as preventing the disabling of a safety feature?
• What controls or supervisory systems on products are necessary to prevent injuries from unintended consequences of misinstallation, failed update, operational changes over time, or misuse of an internet connection?
• Have IoT-related incidents and injuries already occurred? Please describe the injury scenario and the severity of any injuries. How would IoT-related incidents be distinguished from other incidents?
• Are incident-collection systems set up to collect IoT-related incident data?
• Are there ways CPSC can collaborate with other federal agencies to address potential safety hazards related to IoT?
• Are there ways CPSC can collaborate with outside stakeholders to address potential safety hazards related to IoT?
• How can CPSC educate consumers on the proper use of IoT-connected devices?
• Some of the consumer hazards that could conceivably be created by IoT devices are: Fire, burn, shock, tripping or falling, laceration, contusion, and chemical exposure. Are there other hazards that could be introduced into consumer products through enabling an internet connection?
• For products whose remote operation could create a hazard to consumers, should internet connectivity specifically prevent remote operation?
• How do IoT software development methods address potential product Start Printed Page 13124failures that may create hazards to consumers?
• What steps should be taken to prevent an internet connection from creating a hazard to consumers after a product's purchase (or lease) and installation?
• What role should safety standards or design guidelines play in keeping IoT devices from creating new hazards to consumers? Should these standards be voluntary or mandatory?
• What role should government play in keeping consumers safe regarding IoT devices?
• Will policies to prevent hazardization of IoT products require or benefit from strong international cooperation?
• How should the Commission consider responsibilities for hazards or injuries among the various contributors to an internet-connected product associated with an incident?
• How should the Commission consider responsibilities for hazards or injuries resulting from interdependencies between products (e.g., communications protocol between networked alarm and smart home hub)?
• For recalls involving IoT devices, what are different ways companies can communicate notice to consumers who own the IoT devices?

III. The Hearing

Through this notice, the Commission invites the public to provide information on how internet-connected products can result in hazards to consumers, and what actions the Commission can take to eliminate or mitigate those hazards. The purpose of the public hearing on IoT is to provide interested stakeholders a venue to discuss potential safety hazards created by a consumer product's connection to IoT or other network-connected devices; the types of hazards (e.g., electrical, thermal, mechanical, chemical) related to the intended, unintended, or foreseeable misuse of consumer products because of an IoT connection; current standards development; industry best practices; and the proper role of the CPSC in addressing potential safety hazards with IoT-related products. CPSC's authority covers the types of product hazards described above. Therefore, this hearing will not address personal data security or privacy implications of IoT devices.

To request the opportunity to make an oral presentation, see the information under the DATES and ADDRESSES sections of this notice. Participants should limit their presentations to approximately 10 minutes, excluding time for questioning by the Commissioners. To avoid duplicate presentations, groups should designate a spokesperson, and the Commission reserves the right to limit presentation times or impose further restrictions, as necessary.