BSI study: Lack of information on IT security for networked devices
The BSI finds a lack of IT security info for routers in stores, with e-commerce slightly better.
Manufacturers and sellers of networked devices do not adequately inform customers about aspects of IT security, although these play an important role in such products and some of the corresponding information is required by law. This is the result of a sample-based market check carried out by the ConPolicy Institute for Consumer Policy on behalf of the German Federal Office for Information Security (Bundesamt für Sicherheit in der Informationstechnik, BSI). Information on IT security was found to be "consistently incomplete", the researchers criticize. The least information was found in bricks-and-mortar stores and on product packaging, while slightly more was found in online stores and on manufacturers' websites.
In local stores, "often only price information and a few technical details are offered", according to the report published on Friday. Prospective customers are also deprived of "a lot of important information" in online shops. In general, information on encryption or protection against unauthorized access, for example, is often difficult to find and difficult to understand. It is regularly mixed up with other technical information and only presented in the form of abbreviations without further explanation. The reference to IT security is therefore not recognizable for non-technical people.
The experts included broadband routers and surveillance cameras in the test. They examined examples of manufacturers' websites, e-commerce offers, bricks-and-mortar retailers and product packaging to determine the extent to which they provided IT security information relevant to the purchasing decision.
Search engines and AI systems should display IT security
Regarding the legal requirements, the researchers refer to the German Civil Code (BGB), for example, in which a general obligation to provide information on "essential product features" is enshrined. The duration of security updates must also be stated. Competition law (UWG) prohibits misleading information, and unsubstantiated IT security promises are therefore inadmissible. With the Cyber Resilience Act, which will be mandatory from 2027, networked devices may only be placed on the market if they meet basic IT security requirements. Once conformity has been checked, the products must bear the CE mark. Simple, comprehensible information and instructions for use must be made available.
The study authors recommend: IT security information should be presented briefly, concisely and simply. This makes comparisons easier. For product packaging, visual forms of presentation with easily comprehensible pictograms or icons are suitable. Positive labels such as the BSI's IT security label should be used to promote "low-threshold" purchasing decisions. The researchers are also pushing for IT security information to be displayed in the product lists and rankings of search engines, online marketplaces, stores and comparison portals. In the future, this will also apply to "algorithms of AI tools that could be used in product searches and product comparisons". Educational offers and campaigns should sensitize consumers to the relevance of IT security.
(vbr)