Time to Decide on Internet of Things Liability
We are at a very important decision point in Internet history. Will we accept insecure and unsafe Internet of Things (IoT) devices that erode our privacy and open our home networks to intrusion from hackers? Or will we hold vendors accountable for their security and privacy decisions in the product…
Wonderful work, and thank you very kindly for the graphs. They are exactly what I was looking for. I saw this the day it came out on the blog and have cited it in presentations at least twice already, and will no doubt continue to do so for quite a while. Is this part of a wider publication, or should I keep directing people to this blog post?
You're quite correct, liability alone is necessary to decide on but insufficient to tackle the problem. Indeed the European Commission is also looking into a complementary programme of post-market surveillance. This would seek sources of data about which vulnerabilities or privacy abuses are most common. For example, as a penetration tester of critical infrastructures for three years, we noticed that some vulnerabilities were remarkably useful, being commonly exploitable across as many as 70% of clients. That information about the frequency of vulnerability (or, even more subtly, the frequency of exploitation) is currently not available to regulators. That would have to change. Additionally, as you rightly pointed out, the model of mono-causal security or privacy failures needs to change. There is a shared causal relationship between the vendor leaving vulnerabilities in products (we're talking OWASP Top Ten here, not Rowhammer), the deployer of the device who may have configured it badly, and the entity that exploited it. We cannot blame one alone, and regulators and liability courts will need to upskill to make decisions accordingly. This is something we covered in the 72-page paper that was written for the European Commission, and which should be published as an annex next year. Of course, it is too lengthy for a blog post, and post-market surveillance, certification schemes for devices, people and organisations, demonstration of harm and demonstration of foreseeability, and the skill shortage for regulators and liability courts were all discussed in the necessarily longer document. Suffice it to say for this blog post: it is still time to decide, whether we like the metaphors or not. It sounds as if you have decided in favour of NO liability for IoT devices or manufacturers. Perhaps you'd like to elaborate why?