You are here: Home > Publications > RIPE Labs > Eireann Leverett > Time to Decide on Internet of Things Liability

Time to Decide on Internet of Things Liability

Eireann Leverett — 09 Feb 2017
We are at a very important decision point in Internet history. Will we accept insecure and unsafe Internet of Things (IoT) devices that erode our privacy and open our home networks to intrusion from hackers? Or will we hold vendors accountable for their security and privacy decisions in the products they sell us?

Let’s step back for a moment, and remind ourselves that the world we inherited before the Internet didn’t become safe by accident.


A brief history of product liability and consumer protection

The safety we take for granted today is hard won. Cars didn’t use to have airbags, or seat belts. Bakeries sometimes blew up due to combustion of particulate flour. Children choked on toys or electrocuted themselves in the early days of home electronics.

We owe that world we live to the often unsung heroes of safety like Dame Caroline Haslett, Ralph Nader, and Prof Harold Thimbleby. Dame Haslett, became one of the first female electrical engineers in Britain, and worked tirelessly to improve home electronics safety. Ralph Nader changed the face of crash testing forever with the book Unsafe at Any Speed. Prof. Thimbleby continues to this day working to make medical devices and computer human interaction between medical professionals and computers less prone to error. It took decades of focused treatment to make the world we live in and the products we use more save.

While we owe these past achievements to a number of regulatory mechanisms — from certification to insurance — perhaps the most important enduring change has been made through product liability.

If your dishwasher floods your house or catches fire and burns down your kitchen, the vendor is liable for their product. Each person who can demonstrate harm from the defective product, can receive compensation.

Product liability and software

This is in stark contrast to software products, where all liability is usually believed to be absolved by the End User Licence Agreement (EULA).

Article 12 of European Commission’s Product Liability Directive clearly states:

The liability of the producer arising from this Directive may not, in relation to the injured person, be limited or excluded by a provision limiting his liability or exempting him from liability.

By injured person, we also mean damage to property such as the flooding/fire caused by our hypothetical (but also metaphorical) dishwasher. So, if traditional liability cannot be excluded by a EULA, then why is software granted such freedom from liability in our society today?

The fact that consumer products are regulated through liability while software is not is puzzling. This issue becomes especially pressing in the emerging context of the Internet of Things. Does adding a sprinkle of Internet and a dash of firmware into a dishwasher mean that the manufacturer should be exempt from liability if their product catches fire or floods a room due? Should they still be liable for enabling hacking of these devices through poor security or privacy practices?

Clearly, traditional liability of products should remain intact, even if the device is managed by the Internet of Things. The EU is looking into exactly this, and it will have broad impacts on the security and privacy of devices.

The case of hacked devices

IoT liability is not merely about safety, but also about consumer privacy. IoT devices regularly stream data and metadata to the Internet for processing. This process is called telemetry and is necessary to keep IoT devices working. Typically this telemetry streams from a device to the vendor for various reasons (data collection, processing, device improvement, and sometimes even security or privacy). Users usually don’t have access to this data, and do not know what their devices reveal about themselves or their family.

The specific issue we wish to highlight, is that the vendor can use this data for any purpose they wish, but an average consumer is hard pressed to access such data for any of their own forensic purposes and investigations. In a continuing hypothetical, the victim of a hacked dishwasher flooding a house would have trouble asking the vendor to provide the log files to demonstrate their own vulnerability. Similar legal and consumer access problems apply to robotics and automated vehicles.

The way forward

Without liability we risk unsafe devices that betray us with data flowing from our homes to strangers for their business use. If the device works as expected, then companies have nothing to hide. However, if they are found to be unsafe or privacy invasive, we have a stick with which to enforce our right to privacy in a meaningful way.

There are a host of Data Exploitation issues there that need further discussion and we hope to continue highlighting them in future blog posts.


This article was originally published on Medium for Privacy International where Eireann is currently a Mozilla Open Web Fellow.


MarcoH says:
13 Feb, 2017 12:35 PM
Always love how people immediately wave their seat belts in comparison to IoT security. Car analogies are great, the staple meme, and almost always career of track faster than the cars Nader was writing about.

Clearly, something needs to be done, but it might not be as straightforward.

Dishwashers and other machinery are often still installed by professionals, who become part of the liability chain. And to stick to cars, how much of the repair and maintenance do (or can you do) on a modern vehicle? You take it to the dealership when the warning light comes on or, in case you keep driving, you are greatly reducing the liability of the manufacturer.

That of course of for regular issues, not the hidden defects lurking behind the scenes due to design or manufacturing short comings, the one Nader was after. But as the cases he described, often revolve around "you could have contacted the car owners, but you didn't". Cars are registered, roads have access regulation that essentially prohibit you from driving a non-registered car, that is where manufacturers liability ends and the user comes into play. You, the driver, must ensure your car has a license plate and is in reasonable condition, missing the M.O.T. is the owners problem, not the manufacturers.

The same goes for seat belts, yes the manufacturers need to install them for a vehicle to be allowed to be sold - access regulation is there, because you won't be able to register and get a license plate when there is no certification for the type. But after that, regular technical inspections become mandatory, in which hopefully the seat belts are checked together with the many other safety features. And of course, driving around without wearing your seat belts is a finable offence in many countries.

This where this classic thinking goes wonky, such a system would properly not scale to the extend certain verticals are expected to grow. Let alone that with such a wide variety of applications, there is a one size fits all approach.

Are you going to bring your television, your light bulbs, your dishwasher and any other device for its yearly check up? Provided the manufacturer is held liable and wishes to recall devices, would you let him? Will you register the device, including how to reach you (the owner/operator)?

What about access regulation? Should your provider disable the connectivity to specific devices, because they are known to be faulty? Case law is currently building in the Note 7, should be trivial to locate the remaining phones and block them from using the networks, a solution which was deemed undesirable for a number of "what if" scenarios, liability always focusses on. The alternative, disabling the charging function to render them useless was also not accepted. Meanwhile your downstairs neighbour might still have one and it will one day burn his house (and yours down).

Not saying liability isn't an issue, but also not sure it is that much of a solution, certainly not as generic tool for each and every possible device or application that puts itself under the immense umbrella labeled Internet of things.

Time for lawyers and regulators to become a bit more innovative and start thinking out of the box. The Internet is not highway, your phone is not a car (your car is a phone with 4 wheels).
Eireann Leverett says:
13 Feb, 2017 08:42 PM
You're quite correct, liability alone is necessary to decide on but insufficient to tackle the problem. Indeed the European commission is also looking into a complimentary program of post-market surveillance. This would seek sources of data about which vulnerabilities or privacy abuses are most common. For example, as a penetration tester of critical infrastructures for three years, we noticed that some vulnerabilities were remarkably useful, being commonly exploitable across as many as 70% of clients. That information about the frequency of vulnerability (or even more subtle frequency of exploitation), is currently not available to regulators. That would have to change.

Additionally, as you rightly pointed out, the model of mono-causal security or privacy failures need to change. There is shared causal relationship between the vendor leaving vulnerabilities in products (we're talking OWASP top ten here, not rowhammers), the deployer of the device who may have configured it badly, and the entity that exploited it. We cannot blame one alone, and regulators and liability courts will need to upskill to make decisions accordingly.

This is something we covered with the 72 page paper that was written for the European Commision, and should be published as an annex next year. Of course, it is too lengthy for a blog post and the post market surveillance, certification schemes of devices, people, and organisations, demonstration of harm and demonstration of forsee-ability, skill shortage for regulators and liability courts were all discussed in the necessarily longer document.

Suffice it to say for this blog post: it is still time to decide, whether we like the metaphors or not. It sounds as if you have decided in favour of NO liability for IoT devices or manufacturers. Perhaps you'd like to elaborate why?
MarcoH says:
14 Feb, 2017 12:36 PM
Just to clear things up, I am not immediately opposed to liability in cases where the manufacturer/supplier is proven to be negligent towards design, faults, quality control or being notified of know problems. However I do believe this should be balanced by (enforcing) the users behaviour and being held responsible for the damage caused by improper installation or maintenance of the devices.

Slapping punitive damages on a manufacturer seems to be a very popular tool, but I don't think it is the ultimate solution.

As much as I worry about it, I kinda still like the Internet we build for the furry monster what it has become. When handled properly and taken care of, it is a nice and friendly animal, but we always need to be on guard that it not all of a sudden lashes out to and rips your head off.

In that context we should also look at the possible side effects of going after the vendors alone on that innovative and dynamic eco system, which encourages people to tinker with it to find and develop new opportunities.

Openness is the key to that and I should be allowed to void my warranty by opening the device up, of course at my own expense when it comes down to cost and liability.

Throwing too much of the risk into the manufacturer's lap will probably have an adverse effect on this openness. The best way of providing "lifetime" guarantees and maintenance is to make sure the device is not controlled by the user but by the manufacturer, which especially in small sensors/actuators that lack a physical interface already often is the case.

Combine that with the need for an economic model that supports long term support and we end up subscription models superseding the current one time point-of-sale model, after which I own the device.

In a more apocalyptic vision, you will indeed end up being owned by the device, paying your monthly fee to the lightbulb manufacturer for the privilege of getting some form of comfort that in case somebody breaks into it and switches it off, the manufacturer of said device will have to wire transfer some of that money back to you.

The Internet has become what it is because we managed to look inside the box and replace some of the components. Sounding like an old fart, but back in the days there were no APIs, those are only a commercial response to the habit of tinkering with it, trying to regain some form control on the IO channels people were creating left right and centre.

Take a look at the mobile phone market, Samsung recalled the Note 7 as a natural response to the legal and financial risks already in the system, so not really see a need to change there.

But meanwhile there have been discussions, also in court rooms, regarding:

- What the expected lifetime of a phone is (how long to provide updates)
- The options to install/replace software (jailbreak) outside of the manufacturers or phone companies control
- Whether or not a intermediary should or could interfere with for instance uninstalling known bad (3rd party) applications
- The liability and responsibility of the intermediary in policing and securing the market place for applications

I totally agree something needs to be done, part of the toolkit is liability of the manufacturer. But there are others in that value chain and they shouldn't immediately be left out of scope.

I know that unfortunately we still haven't found a cure for stupidity, but it shouldn't be an excuse either.

As you mentioned in your comment, education is key and I can only agree with your observations that we urgently need to get the legal system equipped with sufficient skill in this area as well.

After that, my hopes are on Darwin, let's just hope that there are enough smart manufacturers around that will survive. But also make sure that they can try and procreate without to many obstacles, a bit of diversity has never hurt a gene pool.
Add comment

You can add a comment by filling out the form below. Only plain text is possible. Web and email addresses will be transformed into clickable links. Comments are moderated so they won't appear immediately.