Previous working title: “Trust Us, It’s Secure (We Put a Sticker on It)”

Imagine a world where every car came with seatbelts—but no one told you how to use them, and no one checked if they worked. That’s the current state of consumer AI protections.
We started with the food label analogy in the earlier post. The idea of “nutrition labels” for smart devices was simple: people deserve to know what they’re buying. A connected camera or doorbell shouldn’t be any more mysterious than a box of cereal. You look at the label, and you should know exactly how safe it is, how long it will be supported, and whether it’s fit for purpose.
But as smart devices become more embedded in daily life, the stakes rise. This isn’t just about knowing what’s inside—it’s about knowing you’re protected. Think seatbelts, not cereal boxes.
The seatbelt analogy isn’t just a metaphor—it’s a framing device for how we think about safety, responsibility, and trust. Manufacturers have a duty to build protections in, not bolt them on later. Consumers deserve clarity, not complexity.
Who ensures the protections are real? Who decides what counts as “safe enough”? And how do we align standards globally when enforcement is patchy at best – or even voluntary?
Rather than chasing universal rules, we should invest in universal mechanisms: pilot programs, feedback loops, and real-world validation. We need to take this journey in measured steps. These tools let us test protections in context, adapt to local needs, and build trust through transparency.
The goal isn’t perfection—it’s progress. And that starts with treating consumer safety as a first-order design principle, not a post-launch patch.
Security Labelling for Smart Devices — What Comes Next?
When I last wrote about the need for “nutrition labels” on smart devices, the point was simple: people deserve to know what they’re buying. Smart devices shouldn’t be any more mysterious to a consumer than a box of cereal. A simple check of the label and you know exactly how safe it is, how long it will be supported, and whether it’s fit for your purpose.
That idea has gained significant momentum. Singapore has been running with it for some time. The U.S. has its own scheme in flight, the EU is about to make labelling mandatory, and now Australia has thrown its hat into the ring with an industry-led, government-backed program. So the question is no longer “should we?” — it’s “how do we make these labels credible?”
Where the World Stands Today
Singapore got out in front back in 2020 with its Cybersecurity Labelling Scheme (CLS). It uses a four-tier model, like energy efficiency ratings, with clear steps from basic security up to advanced assurance. Importantly, Singapore has started building mutual recognition agreements with Europe, showing that cross-border trust is possible.
The United States is pushing out the Cyber Trust Mark. It’s voluntary, but the design leans on QR codes that link to live registries. Labels will start appearing on shelves by late 2025, with FCC-accredited labs certifying products.
Europe is taking a different tack. Under the Cyber Resilience Act and Radio Equipment Directive, consumer smart devices will have to meet mandatory security labelling requirements from 2025 onwards. Manufacturers won’t get to opt out.
And then there’s Australia, where IoT Alliance Australia (IoTAA) and the Department of Home Affairs are working on a voluntary scheme set to launch in 2027.
So globally we’re at a fascinating moment: labels are moving from idea to practice, but the models vary wildly.
Australia’s Plan
The Australian scheme is deliberately positioned as voluntary, industry-led, and internationally aligned. The goals are straightforward:
- Raise consumer awareness of smart device security.
- Give people enough information to make informed purchasing decisions.
- Encourage manufacturers to adopt secure-by-design practices.
- Align with international schemes to keep compliance costs down and enable mutual recognition.
The timeline looks like this:
- 2025 – Discovery and co-design.
- 2026 – Development, testing, recruitment of early adopters.
- 2027 – Public launch with an awareness campaign.
That sounds tidy enough, but the design challenges are not small. Do we go with a binary model (pass/fail, like the U.S.), or a multi-level system (tiered ratings, like Singapore)? How broad should the scope be—routers, cameras, appliances, wearables, all of the above? How do you convince suppliers to adopt a label voluntarily, especially if they fear scoring poorly? And who pays to keep the scheme running after 2027?
These are the messy but necessary questions being worked through right now.
The Voluntary Trap
Voluntary schemes have a nasty habit: they risk becoming optional window dressing. If manufacturers don’t see value in participating, adoption stalls. If consumers don’t understand the label, they ignore it. If smaller companies can’t afford certification, the scheme skews toward the big players.
And here’s the real kicker: if the scheme is voluntary and a product fails to meet the baseline, nothing stops it from being sold anyway. That’s like having voluntary expiry dates on food packaging—nobody would take them seriously.
So yes, starting voluntary makes sense. It lowers the barrier to entry and gives the industry space to co-design something workable. But credibility will evaporate fast if the label isn’t backed by visible teeth. Think automotive emission testing – everyone knows how that can end poorly for transgressors.
How to Give It Teeth
There are practical steps that can transform a voluntary program into something that matters:
- Consumer education: A label only works if people look for it. Think Energy Stars—it became a household name because of strong public campaigns. IoT labels need the same treatment, not just a quiet rollout buried on a government website.
- Market incentives: Retailers could demand labelled products for prime shelf space. Online marketplaces could highlight or filter by security ratings. If buyers see it and sellers know it helps them stand out, uptake follows.
- Government procurement: One of the strongest levers is for government agencies to only buy labelled devices. That immediately shifts the market because suppliers chasing large contracts must comply.
- International alignment: Manufacturers hate duplicating effort. If a device already qualifies for Singapore’s CLS or the U.S. Cyber Trust Mark, it should slide into the Australian scheme with minimal extra work. Mutual recognition keeps costs down and adoption up.
- Transparency and updates: Labels shouldn’t just say “secure.” They should tell you how long the device will get updates, and they should be backed by QR codes linking to live, maintained registries. A static sticker is worthless once the product falls out of support.
- A pathway to mandatory: The voluntary stage is fine for pilots, but there needs to be a roadmap to mandatory adoption. Once the system proves itself, transition it into regulation. Otherwise, the scheme risks being stuck in perpetual limbo.
Closing Thoughts
Security labelling for smart devices is no longer a thought experiment. Singapore has proven it works. The EU is making it mandatory. The U.S. is rolling it out. And Australia is gearing up for launch in 2027.
Voluntary is a fine way to start. It lowers friction and gets manufacturers on board. But for the scheme to build real trust, it needs teeth: clear standards, strong incentives, and eventually, enforcement. Without that, labels risk becoming little more than stickers with nice icons.
Australia now has a chance to take the best lessons from overseas and design something credible from day one. If we get it right, consumers will finally have a clear signal of which devices deserve their trust. If we get it wrong, we’ll just end up with a collection of shiny labels that don’t mean much—and the “smart” kettle of 2027 will be no smarter than the one today.
Want to get engaged?
IoTAA expect to begin co-design sessions in October 25. If you are interested in contributing and getting involved (or being kept informed), register your interest here.
If you have any questions, contact the IoTAA project team at labellingscheme@iot.org.au.
FAQ
1. Why use the seatbelt analogy for AI safety? It helps frame the issue in terms of built-in protections versus optional add-ons—making the stakes tangible for everyday users.
2. What’s wrong with voluntary security labels? They often lack enforcement, consistency, and real-world validation—leading to a false sense of safety.
3. How can we improve consumer protections globally? By investing in pilot programs, feedback loops, and transparency mechanisms that adapt to local contexts.
MORE on IoT & AI:
Singapore – Cybersecurity Labelling Scheme (CLS) & AI Assurance Sandbox
- Singapore’s Cybersecurity Labelling Scheme overview – includes CLS, AI Assurance Sandbox, and PET adoption guide
- Singapore expands AI assurance pilot to test AI agents – covers real-world testing of GenAI and cross-border recognition
United States – Cyber Trust Mark & AI Consumer Safety Pilot
- Consumer Safety Technology Act – AI pilot bill – outlines the AI pilot for product safety and blockchain fraud prevention
- FTC’s approach to AI regulation and consumer protection – includes enforcement actions and regulatory posture
European Union – Cyber Resilience Act & AI Act
- EU AI Act Compliance overview – Microsoft’s breakdown of the EU AI Act and its phased rollout
- EU commissioner outlines AI governance and consumer protection goals – includes plans for the Digital Fairness Act and enforcement mechanisms
This is an excellent article on something I admittedly haven’t given much thought to. You make some great points about safety and transparency. I’m glad to hear the world is (slowly) moving in the right direction toward security measures, rules, standards, etc, but I fear AI and smart technology is moving much faster. I’m someone who spends quite a bit of time online and I like when more advanced technology can make my life easier, but I also recognize the risk of everything being online and connected. I try to find a balance but it can be challenging.
I appreciate that this post challenges what the typical citizen knows about these devices and the world of smart technology in general. I am going to check out the resources you left, I’m now very interested in what’s being done around the world.
Thanks @Steph—really appreciate your perspective. You’re right: the pace of smart tech often outstrips the pace of safeguards, and that gap is where we could impact lives. People have had smart lights, cameras and Alexa-like units for many years without a thought of any form of ‘regulation’.
The goal here isn’t to slow innovation, but to make sure the safety rails evolve alongside it.
Glad the post helped surface some of the hidden assumptions. That was my intent. The more we make these issues visible, the more likely we are to build tech that earns trust—not just attention.
Appreciate you checking out the resources. Would love to hear what stands out from those from your perspective.
Thanks again, MarkA.
This is a fantastic deep dive into the current state of AI and IoT security labelling. I really like the shift from the “nutrition label” analogy to the “seatbelt” framing—it drives home the point that safety can’t just be optional or decorative, it needs to be baked in from the start.
The voluntary vs. mandatory debate you outlined feels especially important. Voluntary schemes do make it easier to get buy-in at first, but without strong incentives (or eventual enforcement) they risk being ignored. The idea of using government procurement and retailer requirements as levers makes a lot of sense—it mirrors how energy efficiency standards became mainstream.
I’m also glad you raised the challenge of consumer education. Labels are only useful if people recognize and trust them. A bold campaign, plus live registries via QR codes, could make the difference between these labels being a serious guide or just another sticker.
Curious—do you think Australia will eventually have to move to a mandatory model like the EU, or could strong incentives and international alignment make a voluntary scheme sustainable long term?
Thanks for your comment @Janette – appreciate your interest. You have a good overview of the space – thank you for your insight. Yes, the voluntary vs. mandatory is for me going to be the telling issue. I would like to think in an ideal world that voluntary will see us to a good place. However I think realistically we will experience an ‘event’ or 2 (security related most likely) that sees us eventually going down the mandatory path.
Thanks again,
MarkA