UL creating standard for wearable privacy and security

Certification program to be finished in early 2016

UL, formerly called Underwriters Labs, soon expects to certify wearables for safety and security, including user privacy.

Founded in 1894 and more commonly known for certifying appliances for electrical safety, UL is developing draft requirements for security and privacy for data associated with Internet of Things devices, including wearables. A pilot program is underway, and UL plans to launch the program early in 2016, UL told Computerworld.

UL first announced its interest in wearable compliance services in January.

"When we think how wearables are used, there are a lot of different implications for security," said Anura Fernando, principal engineer for medical software and system interoperability at UL, in a recent interview. "It might be financially relevant data, but it also could be social engineering: If you use a medical device and happen to be addicted to drugs and are a good programmer, you may be inclined to alter data that provides information to a clinician to get the drugs you want."

Because most wearables will be wireless, UL's concerns include whether the personal data acquired by a smartwatch or other wearable that's associated with a Social Security number or name is secure over Wi-Fi or Bluetooth.

"Fraud could result if data is not properly maintained and authenticated with a proper level of assurance," Fernando added.

UL wants to "begin to raise the bar for how security should be addressed...and establish a minimal baseline for what should be addressed much like we did with electricity 120 years ago," he said. "We want to reach the point [of certifying IoT data security] without having to second-guess it."

Without offering many details, Fernando said that "the jury is still out" on how data privacy and security for wearables will ultimately be protected, or even how strictly they will be regulated by the government. Given the U.S. government's recent apparent willingness to let industry regulate itself in such matters, UL's role becomes more important.

Some wearable security history

In January, the U.S. Food & Drug Administration issued draft recommendations that say the FDA's Center for Devices does not intend to "examine low-risk general wellness products" like wearable devices and apps that monitor health and exercise under its duties outlined in the 1938 federal Food, Drug and Cosmetic Act.

After that draft appeared, President Obama's cybersecurity coordinator, Michael Daniel, went on the record in April calling for a UL-style industry certification model for security of connected devices. "We are very much interested in voluntary models," he said in an interview with Dark Reading at the time.

Without clear government regulations about wearables' data security and privacy, "a lot of manufacturers are nervous about innovating and [determining] what their liability is," Fernando said. Thus, UL's role becomes important.

"At UL, we recognize two kinds of manufacturers," Fernando said. "One group understands cybersecurity or safety and has a good robust product on the market, but on the other end there are manufacturers who have never heard the word 'cybersecurity' before and don't know what they should be doing before marketing a product. So, we are trying to get a baseline of minimal requirements to level the field."

Fernando said UL's certification will be a "minimal level of acceptable safety or security" of products. "You either have that UL mark or you don't."

Once products are certified, they will all be publicly listed, he said.

Anonymous data?

One area of concern to UL and many lawyers in the privacy field is how personal data is collected from smartwatches and other devices, and then how it is used or sold.

Privacy advocates are especially worried that personal data from devices and apps won't be kept anonymous or ever erased when it is collected in bulk in databases and then sold to third parties for marketing or other purposes.

"There need to be standards for anonymizing data, and we're the first ones trying to do some of that," Fernando said. Some privacy advocates argue that even if a smartwatch user never gives his or her name, Social Security or credit card number to a smartwatch or app vendor, a hacker can still successfully invade the user's privacy. One way of doing this would be to use several pieces of publicly available data on the Web to compare with a user's smartwatch GPS location or mobile payment history to identify the user and, potentially, commit fraud against the user.

"Most experts continue to be concerned about the security of wearables, including smartwatches," said Irina Raicu, director of Internet ethics at the Markkula Center for Applied Ethics at Santa Clara University, in an email. She cited research at the University of Illinois demonstrating how motion sensors on smartwatches were monitored to show what a person was typing with a keyboard.

"The fact that DefCon had a whole 'Internet of Things Village' to discuss ways to hack into IoT devices speaks volumes, I think," she added.

Fernando said he is familiar with cybersecurity experts' concerns about wearables. But he is also optimistic that UL can set minimal standards for anonymization of personal data from devices, as well as tackle other related security worries.

"We see a lot of innovation and a lot can be done with the correct technology," he said. "I'd be hesitant to write off anything as impossible."

Stories by Matt Hamblen