Wie ist der Stand der IT-Sicherheit bei Verbraucherprodukten? Wie könnten europaweit verbindliche Vorgaben zur IT-Sicherheit gemacht werden? Wie lässt sich die IT-Sicherheit eines Produkts transparenter machen? Informatikerin Anja Hirschel und der Europaabgeordnete Patrick Breyer schlagen ein Bewertungssystem zur IT-Sicherheit von Produkten vor und haben einen entsprechenden Antrag eingereicht.
Wie nützlich wäre eine „IT-Sicherheitsampel“ (ähnlich Ernährungsampel) oder bestimmte Icons, die klar zeigen, ob ein Produkt aktualisierbar ist, verschlüsseln kann usw.?
Einreichungstext des Forschungsprojektes:
When buying goods with embedded digital technology, like smart products
(e.g. connected cars, mobile phones, 'Smart TVs' or any other ‘smart’
products that make up the Internet of Things), which IT security
features are to be subject to the contract? The answer should be clear for the consumer.
With the Internet of things, 'smart' devices start affecting the world
in a direct and physical manner (e.g. car technology). IT devices that
are insecure and vulnerable to integrity and availability threats
increasingly risk our lives and property.
Consumers will get more and more familiar with the digital world, and in particular with 'smart' goods. Such growing digital literacy will favour
the demand for easy access to more detailed information about smart
goods and about how to facilitate their use.
The Pilot Project will aim to make the new 'Digital Contract' rules
easily readable for consumers thanks to the development of an IT
security rating system for smart goods. This IT rating system could for instance consist in 'traffic lights' or icons that would show whether a device will be automatically updated, whether encryption will be applied
to stored data, or other security features. This information will
trigger the consumer's rights and the manufacturer's liability.
According to the Digital Content Directive, suppliers of digital goods
and services will have to provide updates to smart goods, which is not
just important to make them function longer, but also to increase
cybersecurity. The Directive provides for objective requirements for the
conformity of the goods and services, including performance features
such as those related to security, which the consumer may reasonably
expect. Thanks to the rating system in 'smart' goods, consumers will for
instance know whether such updates happen automatically.
In order to foster EU innovation in the highly competitive field of the
Internet of Things (IoT), the European industry needs to attract EU
consumers with consumer friendly features in the development of their
products. The legal protection of consumers, and the legal certainty
about such protection, are key in developing future markets and make the
EU compete worldwide, while keeping high level EU standards of consumer
protection. Defining a common set of standard rules to rate smart goods
and their contractual mechanisms could be an asset for European SMEs
wishing to make their products consumer friendly. This can also support
the EU-level development of 'legal design' tools on contract rules to be
further developed by industry players in the field of IoT products, in
partnership with lawyers and data protection experts.
The European legislator has endeavoured to bring clear legal solutions
for consumers, especially when buying 'smart goods', with a Directive on
Contracts for the Supply of Digital Content and Digital Services, and
with a Directive on the Sale of Goods, both adopted in 2019. However,
practical solutions are needed to make sure that consumers can identify
and compare the IT security features of 'smart goods' and exercise their
contractual rights in this respect.