by rayuela 3528 days ago
I feel like I hadn't thought of this as a market failure until reading your post calling it that. You're absolutely right about it. That's exactly what it is and the need for government involvement is quite obvious now. Suppliers are going to need to be held liable for the negative externalities their product offerings create, otherwise we're stuck at an equilibrium point where this situation does not improve.

If ISPs were treated like a utility and charged per bit, customers would have an incentive to ensure that their devices weren't dumping traffic onto the internet. It's rare that you can see a dashboard showing your usage, even rarer to see a dashboard showing your usage, broken down by device.
With ISPs (at least in the US) moving towards data caps, this is becoming a reality. It won't fix the problem.

DDoS attacks via IoT don't have to send much data per request. If my devices are doing an extra 10Mb/hour, I won't notice. 1000 homes is 10Gb/hour and that's just a few blocks in a city. 100,000 homes seems easy to hit, which is a petabyte of data per hour.

It's death by a thousand paper cuts. If my internet bill goes up a dollar per month, it's highly unlikely I'm going to debug my refrigerator to figure out how to stop it.

I think this is missing one component though. I agree I wouldn't, you wouldn't, in fact most people wouldn't debug their refrigerator over a dollar a month bandwidth bill.

I would however take into consideration bandwidth bill effects of what I buy. By comparison: today I buy LED lightbulbs and energy efficient appliances because they will have a long term cost impact on my electricity bill.

Right, though the IoT manufacturers probably aren't going to factor in internet attacks when advertising bandwidth usage. :)
That's why I got an Asus RT-AC5300 router. It's got a beautiful traffic analyzer.

I could've built something but honestly I don't have time for that anymore.

You can call that "getting the government involved" but it's allowing suing for damages due to negligence, which is a fairly basic form of involvement, the sort of thing at the base of the market to begin with. That is to say, it's a bit strange to call this a market failure, because the market will (imo) take care of it once you can assign liability.
I'm not so sure suing would help here, as who is suing who?

The people who bought the IoT devices probably don't even know that their device has been hijacked in a lot of cases and therefore have no incentive to sue the manufacturers.

The people being hit by the DDoS have a tricky attribution problem to prove which manufacturers are to blame and then the manufacturers could, in many cases, shift the blame to users who didn't read instructions/change default passwords/apply available security patches.

Also you have the problem of complex supply chain. A lot of the people selling these devices are just white-labelling someone else's product, so who's to blame there, the vendor or the ODM?

Lastly you have shrink-wrap style licenses that disclaim liability for flaws that the software market has been relying on for many many years to avoid any liability when their products misbehave...

Personally I don't see the market sorting this, it's a classic case of negative externality where government regulation is the most appropriate way to rectify the problem.

Yup, it's a classic externality.