Finland launches data security guarantee label – certification symbol serves as a guarantee to consumers that a device's basic information security features are in order
Link information
This data is scraped automatically and may be incorrect.
- Title: Finland launches data security guarantee label
- Published: Nov 26 2019
- Word count: 361 words
This certification is "based on" the ETSI EN 303 645 standard (of which I can only find drafts). I'm reading through this specification and some of it seems to be pretty basic, some of it is very vague and hard to enforce / interpret. The points are as follows:
These are defined in section 4 starting on page 12.
They do mandate response windows for reports by researchers (90 days, which is on the upper end of what I'd call reasonable), but they don't mandate response windows for updates. They do mandate the OEM disclose what the support period is for a device (this is very valuable and rare for consumer devices!), but not what that support period is.
They have reasonable policies around passwords and keys, mandating that they're either device-unique or otherwise not-default (no backdoors based on default passwords or keys). The policies for minimizing attack surfaces are valid (default deny and what you'd otherwise expect). Some of the wording here is a little vague, though.
"Ensure software integrity" mandates secure booting, which may get in the way of flashing alternate ROMs if an exploit isn't found. Personal data protection is required for GDPR compliance. The outage resilience will be nice; sometimes you don't see this in consumer kit so it's great that it's required. The point about deleting personal data is also relevant for GDPR compliance. Examining telemetry data is very vaguely worded and will be hard to enforce. There's a requirement that the user should be informed about the telemetry data, if any, and IIRC this is for GDPR compliance as well.
Validating input data is, as you probably know, one of the hardest parts of software development. The requirement is nice, but actually doing it is another matter.
In sum, about as good of an effort as you can expect. Do read the specification yourself and make your own decision about it, though; don't just take my opinionated word for it. It's not a very long read.