posted by mrpg on Friday March 17 2017, @12:30PM
from the russian-roulette dept.

El Reg reports

The US Federal Trade Commission is holding off regulating the Internet of Things industry until there is an event which "harms consumers right now", according to its acting head.

Maureen Ohlhausen, the American regulator's acting head, told a gathering of cyber security professionals that she was not inclined to impose mandatory regulations on IoT devices.

"We haven't taken a position", she said, according to The Guardian.

"We're saying not 'Let's speculate about harm five years out', but 'Is there something happening that harms consumers right now or is likely to cause harm to consumers'", she added. The British newspaper contrasted her position with the Dyn cyberattack last October, when millions of hacked IoT devices crapflooded Dyn's widely used DNS servers and knocked many big websites offline, including Reddit, Netflix, and Github.

Previous: Consumer Reports Proposes Open Source Security Standard To Keep The Internet Of Things From Sucking


  • (Score: 2, Interesting) by Anonymous Coward on Friday March 17 2017, @01:10PM (5 children)

    If you purchase IoT stuff, and then your devices become part of a damaging botnet, you should be sued by the person damaged. You'll say "Hey! I didn't know that would happen! It's not my fault!", but guess what? It was your negligently set up property that established the conditions to cause harm, and so you should take responsibility. Sure, go ahead and try to sue the IoT company in turn.

    These court cases will definitively establish the chain of liability as a matter of common law. And, you will think twice about your setup next time.

    In my opinion, the real problem here is that there has been a shift in culture; there is this sense now that nobody really owns anything anymore; there's some nebulous shared ownership, and everyone thus turns to The State to define in excruciating detail who is liable. The confusion around IoT is a symptom of ever-weakening appreciation for property rights and the responsibilities that go with those rights.

    If you rely on a government bureaucracy to set policy, then you are going to be building your society on unstable ground that is as transient as the people who head those bureaucracies.

  • (Score: 3, Interesting) by sjames on Friday March 17 2017, @03:04PM (2 children)

    The "owner" of the device could as easily blame the manufacturer on the grounds that the device sold was not fit for purpose in spite of representation to the contrary and that as a result it created a huge liability.

    We can either let the lawsuits fly and make the lawyers rich playing the blame game or we can decide the buck stops with the companies that design and sell stuff that is unfit to live on the internet.

    When even the technically competent in a relevant field would have to devote a month of work to deciding if a device might have a serious security flaw, what makes you think it's fair to lay the burden on someone whose technical expertise doesn't go beyond having their ISP install a combination AP and cable modem for them?

    • (Score: 0) by Anonymous Coward on Friday March 17 2017, @07:26PM (1 child)

      What else do you expect from a violently imposed monopoly???

      • (Score: 1, Touché) by Anonymous Coward on Saturday March 18 2017, @12:21AM

        a violently imposed monopoly???

        Well, I, for one, expect to get my boot piece back! http://money.cnn.com/2017/03/17/technology/monopoly-classic-game-tokens/ [cnn.com] It is my favorite Monopoly token, I always choose it when playing Monopoly. If it is no longer available, I may become violent!

  • (Score: 2) by MrGuy on Friday March 17 2017, @03:22PM (1 child)

    It was your negligently set up property that established the conditions to cause harm, and so you should take responsibility. Sure, go ahead and try to sue the IoT company in turn.
    These court cases will definitively establish the chain of liability as a matter of common law. And, you will think twice about your setup next time.

    With respect, I think this argument is horrifically impractical.

    Let's say a major US bank has a 6-hour outage due to a botnet of hundreds of thousands of compromised IoT devices. How would they recover damages?

    Let's start with the problem of trying to recover from hundreds of thousands of individual defendants. Would you serve them all and try each case? How would you prove, by preponderance of evidence, that each individual defendant caused measurable harm? There IS such a thing as a "defendant class action" where a plaintiff sues defendants as a class, which might get around some of this, but at some point you have to apportion responsibility and measure harm.

    Then let's think about the fact that some defendants will be outside the jurisdiction of the court in question. The internet doesn't have boundaries. Do all the US defendants pay for all the damage, because they're the only ones you can sue?

    Then think about the problem of actually identifying the individual defendants. Discovering IPs and suing people based on them is done in a lot of copyright infringement cases, but it has some important issues and potential errors. And that's assuming the attack is done in a way that allows you to backtrace the offending IPs well, and that the attack is of a kind where spoofing of IPs isn't possible/easy.

    We also have to think about what it means to be negligent. Is installing a device and using it as directed negligent? Should the consumers be required to do research to determine if the device is vulnerable? Should every internet user be expected to evaluate, purchase, and properly administer a local firewall (something even technologists can struggle with)? Should every buyer of a device be expected to do independent research on the potential security flaws in any device they purchase, and should they be considered negligent if they fail to do so? Somewhere there needs to be some personal responsibility for recklessly disregarding the potential dangers of an action. For example, someone stacking paper on a toaster oven with poor insulation is probably somewhat responsible for starting the resulting fire. But I think there's a question on where the line in home networking between "reasonable precautions" and "reckless disregard for safety" should lie.

    And should such "negligence" be dependent on the level of sophistication of the individual in question? A sysadmin who installed cheap networking gear and didn't really give a crap about any possible consequences is probably more negligent than a senior citizen who just wanted to be able to turn the lights off without having to get out of their chair every time. How do you account for this (again, especially in the case where there are hundreds of thousands of defendants)?

    Then consider the problem of causation - is having a weak setup inherently negligent? And even if it is, do the actions of a third party breaking into your device and adding it to a botnet complicate things? Consider - I leave my car parked on a hill in neutral, and don't do a good job setting the parking brake. The car rolls down the hill and damages someone else's car. I'm liable because my negligent actions (failing to park my car properly) directly caused the damage. Now consider that I leave my car on the same hill, but it's in park and the brake is set. But I left the windows down and the keys in it. Someone opens my door, releases the parking brake, and puts the car into neutral, and it rolls down and does damage as before. Certainly leaving my car unlocked with the keys in it is negligent, but you have a lot harder time linking my negligence to the damage. Because the damage wouldn't have occurred without the actions of a nefarious third party.

    Don't get me wrong - I don't think the fact that it would be hard (in my opinion - IANAL) to hold individuals responsible for their setups means that we therefore should hold the device makers responsible INSTEAD. Just that "common law and the courts" are going to have a really, really hard time providing any meaningful enforcement mechanism against individuals who might be negligent.

    • (Score: 2) by el_oscuro on Saturday March 18 2017, @03:27PM

      Actually a better car analogy would be:

      You park your car on the hill and put it in park, setting the brake as normal. You also lock your car and take the keys. However the car manufacturer only has about 3 or 4 different keys. So someone unlocks your car with one of the 4 keys and releases the brake.

      --
      SoylentNews is Bacon! [nueskes.com]