While Americans rely on software for just about everything in modern life—communication (email, text, phone), social media, online purchases, games, research, home security, transportation, and much, much more—most remain only dimly aware of what it is, how it works, and the level of its quality and security.
As the National Institute of Standards and Technology (NIST) recently put it, “most consumers take for granted and are unaware of the software upon which many products and services rely, [and] the very notion of what constitutes software may even be unclear.” That is, in large measure, because consumers aren’t told much of anything about it. They generally see only what it does, not what it is, who made it, how it works, or how it could put them at risk.
The Biden executive order (EO) is obviously aimed at closing that gap in consumer awareness. It calls for NIST, the Federal Trade Commission, and other agencies to “initiate pilot programs informed by existing consumer product labeling programs to educate the public on the security capabilities of Internet of Things (IoT) devices and software development practices, and [to] consider ways to incentivize manufacturers and developers to participate in these programs.”
The EO uses similar language to call for labeling of consumer software.
At one level, an order like that shouldn’t be a tough sell. If an organization can’t trust its software, the business is at risk. That’s true of consumers as well. If you can’t trust the software powering your app or your device, your personal and financial information are at risk.
But is a label an effective way to achieve better security awareness? Debrup Ghosh, senior product manager with the Synopsys Software Integrity Group, isn’t so sure. “The jury is still out on whether labeling is an effective method of consumer awareness,” he said. “For example, data on whether federal food safety laws increased GMO awareness is inconclusive. Several studies reported conflicting results.”
For consumer IoT devices, the two biggest hypotheses that need to be tested are similar to the GMO question: First, do consumers understand what these labels mean? Second, do they care?
That, as is usually the case, remains to be seen. But according to a 2021 study done in the U.K. and published in the PLOS Medicine journal, color-coded labels on foods did have some effect. They were “instrumental in ‘nudging’ consumers toward choosing more healthful products and could be the underlying psychological mechanism toward cementing this behavioral change,” according to the study.