by shad0wca7 3357 days ago
The healthy technology market will force IoT manufacturers to take security seriously. It is not the job of a government to punish a corporation for failing to implement what should now be basic tenets of product quality and suitability.

The loss of customers and reputation, should a major security concern arise, is a serious market driver, and calls for regulation will only ensure that nobody does anything until a multitude of governments agree on a standard. As further food for thought, do you honestly trust the government to make the best choices for your security as a private citizen?

3 comments

I don't buy that argument.

If "customers and reputation" were sufficient, we wouldn't need regulations on the safety of e.g. medical stuff, food and cars. (And history, as well as comparison with other countries, confirms that we do need those.)

Whenever one needs to establish a minimum of quality (and this is what that's ultimately about), establishing laws mostly works, while trusting the market mostly fails.

Markets are good at many things, but are really bad at establishing a minimum of quality (or provision with basic supplies, for that matter).

> The healthy technology market will force IoT manufacturers to take security seriously.

What? It might force companies not to bleed user data, yeah - people got pretty upset about the dolls spying on their children. But "enabling a DDoS" is a textbook externality. It doesn't hurt the device buyers appreciably, most of them don't even know it's happening, but it causes lots of harm to someone who didn't contract with the company.

More broadly: do you see any evidence at all that the market is actually solving this? It's pleasant to say an efficient market would handle this, but the market we actually have is one where people sell broken products to customers who pay before the flaws are revealed, then move on to a new company name if their reputation gets bad enough. Add in overseas production so that you can't even sue if the seller violates a contract, and the real-world market isn't making any progress on this.

> The loss of customers and reputation should a major security concern arise

The potentially nice thing about regulation is that you can have some level of trust in a compliant manufacturer. In your example, customers don't know anything about the security of their chosen vendor until a breach happens. At which point, presumably they leave that manufacturer (and they fix their shit or die), and go to a new manufacturer who hasn't had a breach yet, or has used PR expertise to hide their mishaps, or... maybe they are actually secure. But who knows? Customers don't have the details they need to do anything but hop about randomly between manufacturers.