Testing products for data privacy and security

It’s an exciting and treacherous time to be a consumer. The benefits of new digital products and services are well documented, but the new risks they introduce are not. Basic security precautions are ignored to hasten time to market. Biased algorithms govern access to fair pricing. And four of the five most valuable companies in the world earn their revenue through products that mine vast quantities of consumer data, creating an unprecedented concentration of corporate power. A recent survey at Consumer Reports showed that 65% of Americans lack confidence their data is private or secure, with most consumers feeling powerless to do anything about it.

We're trying to do something about that.

Consumer Reports has been testing products and services for 80 years, equipping consumers with the information they need to make smarter choices, enact new policies and regulations, and reshape the marketplace for the better. Our nonprofit mission has led to standardized safety features in vehicles, removed toxins from our food supply, and blocked the creation of corporate monopolies. Today, we're announcing a new initiative to bring that mission to the world of connected products and services.

A team consisting of Disconnect, Ranking Digital Rights, the Cyber Independent Testing Lab, and Consumer Reports has come together to build a new testing standard for digital products. Available at TheDigitalStandard.org, it looks at consumer expectations of behavior across four key assertions: electronics and software-based products should be secure, consumer information should be kept private, ownership rights of consumers should be maintained, and products should be designed to combat harassment and protect free expression.

The standard is new and so is the approach. We've launched the first, work-in-progress version as an open project. The material is published under a Creative Commons license and posted to GitHub. Anyone who is interested in tackling the complexities of testing products and services for privacy, security, and data practices is invited to contribute.

With the launch of the standard we're entering the next phase of the work. Over the next two years, we intend to publish regular investigations into different product and service verticals. The research will be used to empower consumers and anchor new policy initiatives, but also to refine and flesh out the standard. Digital products introduce a host of new challenges to product testing: Can you rate a product without looking at the service layer behind it? Do you pull a rating once a product receives an over-the-air update? Do you have to audit corporate data centers or is it valid to test based only on publicly-available information? Once we have a better grasp of how to apply the standard, we'll explore how to build it into our regular product ratings.

Our future power as consumers depends on our ability to assert our rights to data privacy and security. That ability, in turn, depends on the quality and volume of independent, trustworthy information available to us. We want companies to compete to offer the most secure products and services, consumers to wield full control of their data in the marketplace, and our collective voice to drive responsible corporate behavior. Shining a light on privacy and data practices is the first step to converting the values we share into actionable influence over the markets that touch our lives.