Eireann Leverett

You're quite correct, liability alone is necessary to decide on but insufficient to tackle the problem. Indeed the European commission is also looking into a complimentary program of post-market surveillance. This would seek sources of data about which vulnerabilities or privacy abuses are most common. For example, as a penetration tester of critical infrastructures for three years, we noticed that some vulnerabilities were remarkably useful, being commonly exploitable across as many as 70% of clients. That information about the frequency of vulnerability (or even more subtle frequency of exploitation), is currently not available to regulators. That would have to change. Additionally, as you rightly pointed out, the model of mono-causal security or privacy failures need to change. There is shared causal relationship between the vendor leaving vulnerabilities in products (we're talking OWASP top ten here, not rowhammers), the deployer of the device who may have configured it badly, and the entity that exploited it. We cannot blame one alone, and regulators and liability courts will need to upskill to make decisions accordingly. This is something we covered with the 72 page paper that was written for the European Commision, and should be published as an annex next year. Of course, it is too lengthy for a blog post and the post market surveillance, certification schemes of devices, people, and organisations, demonstration of harm and demonstration of forsee-ability, skill shortage for regulators and liability courts were all discussed in the necessarily longer document. Suffice it to say for this blog post: it is still time to decide, whether we like the metaphors or not. It sounds as if you have decided in favour of NO liability for IoT devices or manufacturers. Perhaps you'd like to elaborate why?