Washington Post: How regulators can make smart devices more secure against hackers
Smart-television maker Vizio agreed to pay a penalty this month for spying on 11 million customers. According to the Federal Trade Commission, the company captured second-by-second information on what customers viewed, combined it with their gender, age and income, and sold it to third parties.
These kinds of privacy breaches are increasingly common as billions of devices now become part of the “Internet of Things” (I.o.T.). Whether it be our TV sets, cars, bathroom scales, children’s toys or medical devices, we are already surrounded by everyday objects equipped with sensors and computers. And the companies that make them can get away with being careless with consumer security — and with stealing customer data.
Vizio has been accused of exposing its customers to hackers before. In November 2015, security researchers at Avast demonstrated how easy it was for hackers to gain complete access to the WiFi networks that Vizio’s TVs were connected to, and showed that the TVs recorded customer data even when customers had explicitly opted out under its terms of service.
On Black Friday in 2015, hackers broke into the servers of Chinese toymaker VTech and lifted personal information on nearly 5 million parents and more than 6 million children. The data haul included home addresses, names, birth dates, email addresses and passwords. Worse still, it included photographs and chat logs between parents and their children. VTech paid no fine and changed its terms of service to require that customers acknowledge their private data “may be intercepted or later acquired by unauthorized parties.”
Regulations and consumer protections are desperately needed.
One option would be to hold the manufacturers strictly liable for these hacks, to financially motivate them to improve product security. In the same way that seat belt manufacturers are responsible for the safety of their products, I.o.T. device makers would be presumed to be liable unless they could prove that they had taken all reasonable precautions. The penalties could be high enough to put a company out of business.
But this would be inequitable. One of the factors enabling such hacking is that users don’t use sufficiently complex passwords and thus leave the front door unlocked. It could also stifle innovation, with the big players avoiding the possibility of extreme penalties by becoming averse to innovations, and small players avoiding entering the market because they lack the resources to handle possible litigation.
Duke School of Law researcher Jeremy Muhlfelder says that copyright law has a history of Supreme Court cases that have ruled on this exact principle, of not wanting to curb the “next big thing” by holding innovators liable for their innovations. Innovators themselves wouldn’t, and shouldn’t, be liable for how carelessly their innovations are incorporated into new products. But imposing strict liability on manufacturers, since it would lead indirectly to canceling the rewards of innovation, might not be legally realistic either.
A more reasonable solution may be along the lines of what attorney Matt Scherer recommends in a paper on regulating artificial intelligence systems that was published in the Harvard Journal of Law and Technology: Impose strict liability but with the potential for pre-certification that removes the liability. I.o.T. devices would be deemed inherently dangerous, and thus the producer would be strictly liable for faults unless an independent agency certifies the devices as secure. This would be similar to the UL certification provided by Underwriters Laboratories, a government-approved company that carries out testing and certification to ensure products meet safety specifications.
Equipment certification is also one of the recommendations that former Federal Communications Commission chairman Tom Wheeler made in a letter to Sen. Mark R. Warner (D-Va.) regarding the government’s response to the October 2016 attack on the Internet. He proposed a public–private partnership that creates a set of best practices for securing devices, the certification or self-certification of products, and labeling requirements to make consumers aware of the risks. Wheeler proposed “market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.”
As Wheeler also noted, addressing I.o.T. threats is a national imperative and must not be stalled by the transition to a new president. This is beyond politics. It is a matter of national security and consumer safety.