by fiatmoney 3803 days ago
The problem is that a regulation like "be secure" is impractical, because to a close approximation no system is actually, 100% secure - it's just a matter of the effort taken to hack it.

So the regulation ends up being "go through the security process" (take something like PCI compliance as your model). This always ends up being a crappy fit because the guy doing the process can typically only throw out a list of "best practices" that may or may not make any sense for any particular application, and in any event aren't comprehensive enough. It's also wildly expensive, since the process is embedded in a regulatory-certified person who charges N$ / hour.

Empirically the best you can do absent some specific industrial setup is a series of bright-line rules like "don't store passwords in the clear", but that's far from sufficient.


What if the regulation largely ignored the technology and instead focused on responsibility: prohibiting license terms requiring arbitration or restricting class action cases, setting minimum warranty terms which treat software support as a primary requirement (no selling a washing machine with a 10+ year hardware lifetime but ending software support 6 months after release), and restricting liability disclaimers so a company can't completely shirk responsibility the way everyone does now?

The one which would make the most sense to me is something like a souped-up CERT: researchers report vulnerabilities to them, staff grades the severity, and a company has increasingly strict penalties if the fix isn't shipped within certain timeframes. Imagine if e.g. Samsung, Lenovo, etc. executives knew that their personal assets would be frozen in the U.S. if they continued not to support all of the millions of vulnerable Android devices?

The main thing I'd hope an approach like this could avoid would be the PCI bureaucracy you mentioned where a company might choose to avoid riskier areas rather than being required to expensively audit a process.

Maybe we could go a bit further and say that a proven security breach (i.e. an unauthorized person actually accesses your device) carries some concrete liability, for example $500 plus a refund of the purchase price?

It's a bit like the laws for junk faxes or illegal telemarketing calls. You don't have to take them to court or prove actual damages, you just press the "statutory damages" button when an actual violation occurs.

I could see some difficulty arising from people who are breached not because of some fault with the product, but because the people made their password "password" or whatever. But maybe this would just encourage manufacturers to make it difficult to set up their devices insecurely.

There might be problems with people knowing that they're breached. To combat this, you might make the $500 (or whatever amount) payable to anybody who accesses such a device in good faith. These "find an insecure web cam pointed at a baby" web sites would go from voyeuristic amusements to money makers.

Just some random ideas....

> Maybe we could go a bit further and say that a proven security breach (i.e. an unauthorized person actually accesses your device) carries some concrete liability, for example $500 plus a refund of the purchase price?

Yeah, that's exactly the kind of thing I was thinking about for market incentives. Right now the immediate cost to a company is zero so the only question is whether it'll cost them future sales. Even a simple refund of the purchase price would be a big shift.

I rather like the bounty idea, too, particularly if we could combine it with some sort of clearing house so e.g. the person who finds an unprotected webcam doesn't have a reason (or excuse) to identify the owner.