> What's stopping hobby/micro-developers from saying 'Not FCC approved, use at own risk'?
OP is. Or rather, he wants to make it impossible to opt out. At least that's how I interpret these two paragraphs:
> The FCC recently issued a Notice of Proposed Rulemaking [2] for a cybersecurity labeling program for connected devices. If they meet certain criteria for the security of their product, manufacturers can put an FCC cybersecurity label on it. I fought hard for one of these criteria to be the disclosure of how long the product will receive security updates. I hope that, besides arming consumers with better information, the commitments on this label (including the support period) will be legally enforceable in contract and tort lawsuits and under other laws. You can see my full statement here [3].
> But it’s too early to declare victory. Many manufacturers oppose making any commitments about security updates, even voluntary ones. These manufacturers are heavily engaged at the FCC and represented by sophisticated regulatory lawyers. The FCC and White House are not likely to take a strong stand if they only hear the device manufacturer's side of the story.
Well, making a voluntary sticker to opt-in to certain legal obligations is fine.
But you are saying already that manufacturers don't really want to commit to anything? What makes you think the sticker would change that?
(In principle, I'm all for manufacturers offering more warranties. But when it comes to spending money, privately I almost never opt for the enterprise-grade hardware that does come with warranties like long-term guaranteed support.
Instead I rely on reputation, e.g. that Google will keep providing security updates for their Pixel phones for a few years as they have done in the past, even if there's no legal obligation for them.
And I wouldn't want any regulation to take that choice away from me. I'm glad to have escaped the EU where appliances are more expensive, partially because manufacturers are forced to include a two year warranty with each device.)
The labeling program provides a signal to consumers that the device meets a certain standard. The incentive to the manufacturer is that it allows them to borrow the FCC's reputation and advertise a security that is well defined. The consumer can see that the device has that certification, and know that the product has legal obligations, and
It's a pretty reasonable first step. No manufacturer is being punished, there's no warranty requirement, and the gov isn't taking away choice. Instead the FCC gives manufacturers a way to reliably signal to consumers that their product meets a security standard. Google can do that because they're Google and have a reputation - this approach would let joe-schmo IOT device manufacturer do the same.