by acdha
3803 days ago
What if the regulation largely ignored the technology and instead focused on responsibility: prohibiting license terms that require arbitration or restrict class action cases, setting minimum warranty terms which treat software support as a primary requirement (no selling a washing machine with a 10+ year hardware lifetime but ending software support 6 months after release), and restricting liability disclaimers so a company can't completely shirk responsibility the way everyone does now? The one which would make the most sense to me is something like a souped-up CERT: researchers report vulnerabilities to them, staff grade the severity, and a company faces increasingly strict penalties if the fix isn't shipped within certain timeframes. Imagine if e.g. Samsung, Lenovo, etc. executives knew that their personal assets would be frozen in the U.S. if they continued not to support all of the millions of vulnerable Android devices? The main thing I'd hope an approach like this could avoid would be the PCI bureaucracy you mentioned, where a company might choose to avoid riskier areas rather than being required to expensively audit a process.
It's a bit like the laws for junk faxes or illegal telemarketing calls. You don't have to take them to court or prove actual damages, you just press the "statutory damages" button when an actual violation occurs.
I could see some difficulty arising from people who are breached not because of some fault with the product, but because the people made their password "password" or whatever. But maybe this would just encourage manufacturers to make it difficult to set up their devices insecurely.
There might be problems with people knowing that they're breached. To combat this, you might make the $500 (or whatever amount) payable to anybody who accesses such a device in good faith. These "find an insecure web cam pointed at a baby" web sites would go from voyeuristic amusements to money makers.
Just some random ideas....