ABCDE
1
XML Tag (XML format)Multiple or Single Option Label (appears on printed and online label)Consumer Explanation (appears on online label when expanded)Optional Additional Information / Linked Information (appears on online label when expanded)
2
Security Mechanisms
3
Security Updates - Consumer explanation: How the device receives security updates
4
Values1) What controls do users have related to updates (e.g., approve, reject, update notifications)
2) Why updates are important to be installed and to what types of risks would users be exposed to if updates are not installed
3) Description of how the manufacturer makes updates secure
4) How users should install updates
5) Justification as to why the device does not get updated
6) End-of-life and hardware replacement policy and what users should expect after the update expiration date (e.g., limited functionality, vulnerability management, paying extra fee for updates)
7) Justification for update expiration date
5
automaticMultipleAutomaticDevice will automatically receive security updates
6
manualmanualUser needs to manually install security updates
7
consent_basedConsent based User will be asked whether to update the device
8
no_updateNo security updatesDevice will not receive any security updates
9
not_disclosedNot disclosed
10
otherOther [text box]
11
Optional sub-attributes for all the values of "Security Updates", except "Not disclosed" and "No security updates"
12
expiration_dateSingleAvailable until at least dateThe date until which the device is guaranteed to be updated
13
Access Control - Consumer explanation: How the device can be accessed and who is allowed to access it
14
Values1) If one type of access control is password, whether the password is used to protect settings or data
2) If one type of access control is password, whether the password is used on the device or for an associated cloud account
3) If one type of access control is password, whether the device can be accessed locally without the password
4) Tips on how to make strong passwords
5) How users can reset their passwords
6) What the password expiration policy is
7) If the type of access control is multi-factor authentication, what types of factors/pieces of evidence are required
8) If the type of access control is biometric data, what characteristics of the user are required
9) Justification as to why no authentication method is being used
10) Justification as to why credentials have default values, if any
11) Justification as to why users cannot set or change the credentials
12) At which stage users can/should set or change the credentials
13) Justification as to why users need to have an account to access the mobile application/device
14) If it is allowed to create more than one account, what levels of access and privilege each account can have
15) If it is allowed to create more than one account, how many accounts can be created to access the device/mobile application
16) Justification as to why no user account is needed to access the device/mobile application
15
passwordMultiplePasswordPassword is required to access the device settings or data
16
biometricBiometricUser's physical or behavioral characteristics are required to access the device settings or data
17
MFAMulti-factor authenticationAt least two factors are required to access the device settings or data, for example a password and a one-time code sent to a previously registered phone number
18
no_controlNo control over accessAnyone can access the device without a password or other authentication method
19
multi_accountMultiple user accountsTo access the device, user needs to create an account; multiple user accounts may be created
20
single_accountRequired user accountTo access the device, user needs to create an account
21
optional_accountOptional user accountUser may create an account, but it is not required
22
no_accountNo user accountsDevice does not support the creation of user accounts
23
not_disclosedNot disclosed
24
otherOther [text box]
25
Optional sub-attributes for password
26
factory_defaultSingleFactory defaultThe credentials required to access the device have default values that are initially generated by the manufacturer
27
user_generatedUser generatedUser needs to create their own credentials to access the device
28
Optional sub-attributes for factory default
29
user_changeableSingleUser changeableUser may change the credentials that are required to access the device (for security purposes, make sure to change all default credentials before using the device)
30
not_user_changeableNot changeable by userUser cannot change the credentials that are required to access the device
31
Security Oversight - Consumer explanation: Manufacturer's use of security audits related to this device
32
Values1) What criteria are considered to assess the company's security practices
2) Who the internal or external auditors are
3) How frequent the audits happen
4) Findings of the audits
5) What the manufacturer will do with the findings of the audits
33
internal_auditSingleAudits performed by internal security auditors
A security team inside the company is commissioned to assess the security practices of the company against a set of documented standards
34
external_auditAudits performed by third-party security auditors
An independent security team outside of the company is commissioned to assess the security practices of the company against a set of documented standards
35
internal_external_auditAudits performed by internal and third-party security auditors
Security teams both inside the company and from outside of the company are commissioned to assess the security practices of the company against a set of documented standards
36
no_auditNo security audits
Security practices of the company are not being assessed by anyone
37
not_disclosedNot disclosed
38
Ports and Protocols - Consumer explanation: List and justification of all the physical interfaces, network ports, and listening services
39
Values1) List of all physical interfaces (e.g., Ethernet, USB) that the device supports
2) List of all communication protocols that are being used
3) Justification for having each interface and communication protocol
4) What access is provided across each of the interfaces
5) What safeguards are designed for each interface to prevent it from being misused
6) Guidance on how users can securely setup their device
7) Manufacturer Usage Description (MUD) file, describing how device normally behaves in the network
8) Information on how the device's functions within the network may affect users' privacy
40
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/ports
41
not_disclosedNot disclosed
42
Hardware Safety - Consumer explanation: Safeguards the manufacturer has in place to protect the device hardware from tampering
43
Values1) Features that have been implemented to prevent unauthorized tampering with the device
2) What user should look for to find out whether the device is tampered with
3) How a user is informed if the device is tampered with and the event is detected
44
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/hw_safety
45
not_disclosedNot disclosed
46
Software Safety - Consumer explanation: Safeguards the manufacturer has in place to secure the software of the device
47
Values1) How sensitive information that is being stored and logged in the software is being protected
2) What types of risks are introduced via the libraries the binary links to, either directly or indirectly
3) List of software safety features and secure toolchains against vulnerabilities and crashes, their justification, and how they are being implemented
4) Security Development Lifecycle (SDL) process that includes the process the manufacturer designed to ensure the security considerations throughout the software life cycle
5) The complexity of the code
6) Under fuzz testing, what is the code coverage, number of crashes, and type(s) of crashes
7) How vulnerable the software is to algorithmic complexity attacks
48
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/sw_safety
49
not_disclosedNot disclosed
50
Personal Safety - Consumer explanation: Safeguards the manufacturer has in place to protect users against safety risks, including abuse and harassment
51
Values1) List of mechanisms to ensure that any failure of the device, either through malware, lack of power, or software flaws, does not result in safety risks
2) List of safety aspects of the product that affect users if the security is compromised
3) List of mechanisms that are considered in the product to protect users from abusive behavior
4) Guidelines to help users protect themselves against abusive behavior
5) Guidelines on how users can report incidents of abusive behavior
52
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/user_safety
53
not_disclosedNot disclosed
54
Vulnerability Disclosure and Management - Consumer explanation: How transparent and timely the manufacturer has been in disclosing the discovered vulnerabilities, managing them, and mitigating their potential harms
55
Values1) Discovered and reported vulnerabilities
2) While a patch is being created, what steps users should take to mitigate the potential risks of the vulnerability
3) How severe the vulnerabilities were
4) When were the vulnerabilities discovered
5) When were the vulnerabilities fixed
6) What steps the manufacturer took to fix the vulnerabilities
7) What harms did the vulnerabilities lead to
8) The steps involved in approving, signing, and distributing the patch/fix
9) The amount of time it takes for the manufacturer to review the reports of the vulnerabilities
10) The average amount of time it takes for the manufacturer to fix a discovered vulnerability
11) The standard industry average time to patch the vulnerabilities related to the specific device type
12) Justification on why it will take on average a specific number of months to patch a vulnerability
13) How the manufacturer notifies data subject who might be affected by a data breach
56
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/vul_report
57
not_disclosedNot disclosed
58
Software and Hardware Composition List - Consumer explanation: Software and hardware components that are used in the device
59
Values1) List of all different software and hardware components that are used and their versions
2) List of vulnerabilities and patches for the software and hardware components
3) For software components, the license of any 3rd part library/components used
4) Where each hardware component is manufactured at
5) Where each hardware component is sourced from
60
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/BOM
61
not_disclosedNot disclosed
62
Encryption and Key Management - Consumer explanation: How user's data will be protected using encryption
63
Values1) If the data stored on the device is encrypted, what encryption method(s) are used
2) If the data stored on the mobile application is encrypted, what encryption method(s) are used
3) If the data stored on the cloud is encrypted, what encryption method(s) are used
4) If the data in transit between device and cloud is encrypted, what encryption method(s) are used
5) If the data in transit between mobile application and cloud is encrypted, what encryption method(s) are used
6) If no encryption is being used, an explanation as to why
7) How cryptographic keys are generated, stored, and managed
8) The crypto libraries that are used and their versions
64
linkSingle[Open text field with the following text in grey and not editable]: www.NS200.example.com/encryption
65
not_disclosedNot disclosed
66
Data Practices
67
Sensor Data Collection - Consumer explanation: Data types that the device sensors can collect
68
Values1) Details of the data that is being collected
2) What information users can obtain from the company and how they can request to obtain a copy of the information
3) What steps users need to take to correct any false information about them
4) How users can enable the controls they have for each data type
5) Justification as to why no control is being offered for a sensor or a data type
6) What users should expect to happen if they opt in/out
7) Information on the range of the device sensors
8) Enumerate all the physiological data types that are being collected (e.g. heart rate, blood glucose, activity, etc)
69
visualSingleVisualDevice can collect visual data (e.g., video, still image)
70
audioAudioDevice can collect audio
71
healthPhysiologicalDevice can measure information related to user's body and health status
72
motionMotionDevice can sense motion
73
magnetic_field_changeChanges to the magnetic fieldDevice can sense the changes to the magnetic field and find the position of an object
74
proximityPresenceDevice can detect the presence of nearby people or objects
75
pressurePressureDevice can sense the pressure
76
tamperingTampering effortsDevice can detect when it is unexpectedly moved or when someone is trying to open the case to access the device's internal components
77
distanceDistanceDevice can sense ultrasonic sound waves to measure the distance to an object
78
levelLiquid levelDevice can sense the level of the liquid
79
lightLightDevice can detect the amount of light
80
carbon_monoxideCarbon monoxideDevice can detect the amount of Carbon Monoxide in the air
81
waterHumidityDevice can detect the humidity to measure the amount of water in the air
82
water_qualityWater qualityDevice can sense the quality of water
83
smokeSmokeDevice can detect the presence of smoke in the air
84
temperatureTemperatureDevice can measure temperature
85
positionPositionDevice can measure the exact location of an object or its relative position
86
not_disclosedNot disclosed
87
otherOther [text box]
88
Optional sub-attributes for all the values of "Sensor Data Collection", except "Not disclosed"
89
opt_in_collectionSingleOption to opt inThe specified data type will not be collected unless the user opts in
90
opt_out_collectionOption to opt outThe specified data type will be collected unless the user opts out
91
Sensor Type - Consumer explanation: Types of sensors the device has
92
Values1) What types of controls users have for each sensor
93
cameraMultipleCameraDevice is equipped with camera sensors
94
microphoneMicrophoneDevice is equipped with microphone sensors
95
accelerometerAccelerometerDevice is equipped with accelerometer sensors
96
motion_sensorMotion sensorDevice is equipped with motion sensors
97
magnetometerMagnetometerDevice is equipped with magnetometer sensors
98
occupancy_sensorOccupancy sensorDevice is equipped with occupancy sensors
99
proximity_sensorProximity sensorDevice is equipped with proximity sensors
100
bluetoothBluetoothDevice is equipped with bluetooth sensors