by ams6110 3531 days ago
Liability should be on the people who connect these things to the public internet. The owners of the devices. Like with cars, you have certain responsibilities and liabilities when you operate a potential dangerous machine on the public roads.

In the case of ISPs providing cable modems and routers and DVRs and other boxes to their customers, they should be responsible for keeping those secure.

If people start getting fines or sued over what their internet-connected devices are doing, they might stop connecting them to the internet, or shop more carefully for devices or providers that are secure.

5 comments

So grandpa goes to Home Depot, buys a fancy new thermostat and installs it at his home, the device gets hijacked by the archetypal 400 lb hacker, and is used to take down a major commercial site, and then grandpa is liable for the whole thing?

I don't think so.

You make a little gizmo with shitty security, you are liable. Full stop.

So grampa doesn't take care of his car, the brakes fail and he kills a family with four kids. Is he liable? Yes. He may not know the first thing about brakes or car repair but owns the car, and he took it out on the road without being sure it was in safe operating condition.

But to steal an idea from another comment, make the ISPs liable also for routing the malicious traffic onto the internet. They will then have incentive to monitor their networks and they can take homes offline until their customers fix or disconnect their hacked devices.

I'm the "head fred" networking/infrastructure guy at an ISP. I want to avoid, as much as possible, peeking at my customer's traffic.

In my personal opinion, an ISP should be a dumb pipe. I'm providing you with the ability to send/receive "n" bits per second; I don't care whether you use it to participate in e-mail discussions with your church group or stream pornography and play online poker.

Are you certain you want ISPs to be responsible for monitoring all of your traffic and what you're doing online? Do you really want somebody else deciding -- at their own discretion -- what is "acceptable" for you to do online?

I'm very pro-privacy, pro-encryption, "pro-Internet freedom", etc., but the next guy may not be.

And so grandpa needs to become a network security expert to avoid getting sued. Right, "makes sense". ;)

This is not like not doing maintenance on your car. This is like buying a car with faulty airbags. The manufacturer needs to issue a recall and fix the darn thing - or else face legal action.

And here we go with what is malicious traffic.

Leaked news put the government in shame?

Copyrighted material transmission?

Code to raise the temperature of some heater?

> Like with cars

That's not the same thing at all. For a car to hurt somebody, the owner has to be actively using it, and doing so in a reckless or negligent manner; and furthermore, note that reckless operation of a car can hurt somebody even if the manufacturer built it perfectly. (if your car somehow did hurt somebody when nobody was using it, then the liability probably would belong to the manufacturer).

IoT devices are the exact opposite: they can cause harm when the owner has done nothing wrong, and they can only cause harm if the manufacturer screwed up and did not secure it properly.

All the liability belongs to the producer.

True, but then botnet owners would be using foreign IPs to do US attacks and vice versa. So you need punishments that you can actually enforce.

This makes a case for data caps or charging for internet by usage, which frankly nobody really likes. Maybe outbound caps for home users (if that's where a lot of the DDOS are coming from). The risk of getting shut off or a higher bill if you're transmitting too much data might make people start noticing and securing their devices.
Car owners are not liable if the car is designed to be dangerous and they don't know it.