by Silhouette 3803 days ago
On top of that, if actual harm comes to users of these devices as a result of these devices then we already have plenty of consumer laws protecting them.

The trouble with this is that "actual harm" in a legal context tends to mean something that can be proven in some specific context and have some specific monetary value attached to it.

Personally, I think harm is also done if someone knows their financial details might have leaked and then worries about their credit record and future financial security, or if someone discovers that a creep somewhere in another country has been watching their baby sleeping, or if a "smart" TV has been transmitting personal conversations of whatever nature from the living room to someone else. However, if we're only talking "actual damages", how do you decide what financial compensation is appropriate in such cases?

In reality, the most damaging violations probably aren't the ones with tangible financial losses attached, because financial losses can at least be made good after the fact. You can't make up for lost time, though maybe you can at least assign some nominal value to compensate for time spent on things like updating credentials after a breach. No amount of money can make up for the kind of distress caused to a teenager if a compromised device leaks something like their diary or an intimate video of them getting changed and the results go all around their school.

If security and privacy implications for the Internet of Things are to be taken seriously, I suspect the laws will need updating so that (a) there is a presumption of harm in cases where personal information leaks to an unintended party, and (b) there is a punitive value attached to leaks that cause non-monetary damage, with that value being very high for leaks that cause severe and/or ongoing distress.

I don't think this needs regulation. All it needs is a scale of meaningful penalties, leading up to company-destroying fines and/or jail time for executives for the most serious infringements caused by gross negligence or malice.