by cstross 3803 days ago
> I'm mostly okay with laws (whether they exist or not yet) that say that if your negligence or stupidity was the root cause, as a manufacturer of these goods, you are on the hook for a multiplier of damages.

Such laws won't work, however, without a regulatory framework that ensures that -- for example -- click-through EULAs aren't used to lock customers into sleazy "binding arbitration" agreements that sacrifice their rights in return for permission to use an appliance they bought in good faith.

It may be difficult for regulators to keep up with specific technologies, but much tougher consumer rights protection is essential in order to hold negligent manufacturers responsible, because it's cheaper for the cowboy manufacturers to hire a lawyer to draft some dodgy contract boilerplate than it is for them to hire security experts and ship a safe product.

2 comments

I agree with that. I'm much more in favor of punishing harshly when the mess-up happens and could've been avoided but for willful negligence than trying to write a bunch of catch-all regulations before we have a problem.

I think, at least in the US, we need much stronger consumer advocacy laws, something with teeth that can't be arbitrated down by a group of expensive lawyers.

We'd have to find a balance though, as we are already way too litigious and we'd be stifling innovation out of fear of getting accused of negligence.

I think it's a little bit of this, a little bit of that. We need regulation to attempt to enforce baseline security practices (e.g. no passwords in cleartext, encryption during authentication, etc), since that can be proactive if not comprehensive. In addition to that, we need stronger consumer advocacy and liability for the more complicated, unanticipated cases.

> We'd have to find a balance though, as we are already way too litigious and we'd be stifling innovation out of fear of getting accused of negligence.

If we're "way too litigious" to the point of stifling innovation, then I think the problem and solution are in a completely different area than this.

I am a technologist; and yet, I am all for stifling innovation with IoT. The folks creating these devices are not qualified to make decisions for themselves or for us.

What decisions are they making for you? It's your decision to opt in to their system by buying. As a technologist you have a good idea how to spot the crappy ones that can put you at risk, or would just (rightly) assume that something like an internet-connected Elmo is a bad idea. It's the general population that we have to worry about, as they'll be the ones most seriously harmed (identity theft is the thing I worry most about in any of this) by these things going awry. They may also not even put together that some of these devices could be or are internet-connected in the first place, where to us it's obvious that there must be network connectivity of some sort.

That being said, let the bad actors fail. Let their names get dragged through the mud, let the big companies sober up after a few too many VTech/Mattel/LG-style failures that make the headlines. Let them either back out of the market because this shit is hard to keep secure, let them work with someone who can, or let them triple down and figure it out themselves. We're going to see a lot of failures, but we'll be better for it.

I've connected my own devices around my house (securely), use z-wave, and consumer home automation hubs/hardware, as well as some well known stuff like Nest and Amazon Echo. I don't ever want to go back to NOT having these things.

I've accounted for many of the likely failure points by these very well regarded manufacturers and I've firewalled my network very tightly, among many other things. But damn it, I've seen the future and I don't want to go back. It's too nice, too convenient, and adds too much real value.

It's your decision to buy their goods; no one should be preventing anyone from trying to enter the market just because you get the heebie-jeebies or don't see the value. Someone else does, or no one else does and they fold up shop.

History has shown us that all the IoT devices are poorly coded at best and completely unmanaged at worst.

It is also assumed that these devices have unfettered internet access. Most of them can do HTTPS. Either you allow it or you don't. How many Barbie dolls have been having inappropriate conversations with children that a human would otherwise be arrested for? How many televisions are feeding audio from families back to a company? How long is this data saved? Who has access to it? When must it be destroyed? What legal protections does anyone have against data abuse? What is deemed data abuse? If it turns out I am being spied on, what binding agreement do I have with the manufacturer and seller that will make them feel pain? Are they obligated to give me more than, "We're sorry. Gosh, we're just so darn sorry."

Sorry, no. These devices need to be recycled before they are ever used.

EULAs and binding arbitration clauses are not valid when up against negligence. You cannot legally waive negligence in most countries, no matter what a web form or paper contract says. It is not legally binding.