FTC to Internet of Stuff: Security, motherf****r, do you speak it?

US regulator the FTC says now is not the time for new laws on the "Internet of Things" – but security needs to be improved as we enter the era of always-on, always-connected gadgets, sensors and machines embedded in homes, streets and pockets. In a report [PDF] published today, the commission's staff make a number of policy …

  1. William Donelson

    Reminds me of the episode of Big Bang where Howard uses the robot hand to .... well, you know.

    Insane really.

  2. Graham Marsden
    Meh

    And what will we actually be offered...?

    My money is on the sort of all-or-nothing nonsense of "If you want to use this App, you have to approve its usage of everything on your phone" we get at the moment.

  3. Crazy Operations Guy

    Management protocol?

    Going forward, I think the best option would be to build something like SNMP for IoT into wireless routers / modems. You'd register the device to the modem and give it a certain amount of data (Device name/type, update URL, version info, data that it sends out). The router would then do basic management of the IoT devices that report to it (comparing the device's version info with what the website offers, see which devices are operating / responding, etc).

    1. Gannon (J.) Dick

      Re: Management protocol?

      I'm sorry but I don't find that crazy at all, Crazy.

      You might want to ignore the (requests)+ to Report For Reconditioning you'll be getting from Human Resources.

    2. asdf

      Re: Management protocol?

      Great as if I don't dick with my home router enough now I will have to do so every time I buy a goddamn light bulb soon huh?

  4. Gannon (J.) Dick

    Barratry is not Semantics

    "Obviously, this is something for lawyers to have fun with: sadly, is a photo-sharing app monitoring your movements really "unexpected" in this day and age?"

    Dear Internet Of Things,

    Can I call you IOT? Thanks.

    This is Barratry, not Semantics. It's somebody else's job to fix!!!!

    Don't feel bad, those little lawyer rascals pull this prank on all the newbies. The joke is that "this day and age" really means whatever day we get to Court. Get it? Funny huh? No???? ok, pretend this day and age is the 17th Century. We'll find you a pirate to hang or a witch to burn. Won't that be fun to watch? Come on, cheer up, they do it to everybody.

  5. asdf

    f__k the IoT

    A lot of people are saying well who cares I will not pay extra to buy IoT crap but I am afraid corporate America at least may well try and backdoor the consumer if they can. Already your car (if made in the last 5 to 10 years) has a black box recording driving data the insurance companies can use against you (some states have protections on it but most don't). It's not online yet but if you think that's not coming you are more optimistic than me. All that's needed is an open wifi nearby (or you drive past) or heck I can see them embedding cell phone chips eventually. This includes appliances in the home as well eventually. If caught they will just sell it by showing the supposed benefits including perhaps reduced upfront costs (ie the Google model) or added functionality and downplay the data collection.

  6. Oninoshiko
    Megaphone

    I would like to officially declare

    that I am renaming "The Internet of Things" to "The Internet of Hype."

    1. asdf

      Re: I would like to officially declare

      Well after the hype of Big Data now they need a new way to go get even more data from the sheep. Thus the need for my toaster to show me ads as it sends to the mothership god knows what (hidden mic listening for keywords, etc). No they don't give a shit about me personally but get a million people together buying the same toaster then they give a shit.

    2. Gannon (J.) Dick

      Re: I would like to officially declare

      Yup.

      When the electric vacuum cleaner ("a labor saving device") was introduced it led to no savings at all ... Just the thoughtless genocide of dust bunnies as average housekeeping standards improved, in fact.

      When you hear how the IOT is going to improve your mind, remember the dust bunnies and how they hid.

    3. Captain DaFt

      Re: I would like to officially declare

      "I am renaming "The Internet of Things" to "The Internet of Hype.""

      Or you could call it "The Outer Limits Protocol": http://youtu.be/8CtjhWhw2I8

    4. king of foo

      Re: I would like to officially declare

      New identity protocol required.

      ID-IOT

      That is all.

  7. dan1980

    On the right track, but . . .

    Sound words:

    "Security, and ultimately the safeguarding of privacy, is the biggest problem, says the FTC. And it needs to be built "into devices at the outset rather than as an afterthought." Employees also need to be trained up on the importance of security so there is a company-wide understanding and approach to protecting data, both internally and with any third parties that companies work with.

    Additional measures such as good network defenses . . . and keeping an eye on security holes and providing security patches on time, should also be key considerations.

    As well as security, companies jumping on the IoT bandwagon should also think about "data minimization", meaning limit the amount of information that is gathered and only retain it for a certain period of time.

    Alternatively, companies could go out of their way to "de-identify" data so it cannot be linked to specific individuals."

    Absolutely agree. The problem, however, is that none of this will happen without laws forcing it.

    There are two truths here that the FTC needs to understand and accept:

    The first is that self regulation simply never works. Regulations cost companies money. Regulations involving overtime cost money. Fire regulations cost money. Workers compensation regulations cost money. Data discovery regulations cost money. And guess what? Regulations around collecting, securing and managing information cost money. And it's not just money for better systems - it's training and monitoring and maintenance and testing and reporting and reviewing. Self regulation doesn't work because companies don't like paying money they don't have to or that won't bring them greater profit.

    The second truth is that introducing regulation becomes harder the longer you leave it. Once you have a fully established industry making money hand-over-fist, you are going to have a very big fight on your hands if you try to do anything that reduces the existing profits. Further, if you do end up regulating, it almost always results in a price hike for consumers. Sure, this gets built-in even if you get in on the ground floor but that happens far more organically. If you start unregulated then you might find that the sector enjoys higher profit margins than might otherwise be expected. If you then introduce regulation, the companies will not want to take a hit to that margin and so the price rises. If you start with regulation, you are more likely to see more normal profit margins and thus overall lower prices.

    For this and more from my latest book: "Tales of an Armchair Economist", please tune in to my other daily, uneducated ramblings . . .

    Short version, regulate now - don't leave it until later. If the FTC believes that certain rules should be adhered to then don't simply hang them out there as suggestions. I should add that for regulations to be effective, they must be monitored and the penalties for breaching them must be a genuine deterrent, otherwise they will be seen as a 'cost of doing business' and saving millions* by risking a 6-figure (at best) slap on the wrist is not a bad equation. Especially when all but the largest data breaches tend not to really affect revenues too much in anything but the very short term.

    To paraphrase their own words, regulation needs to be built-in to the industry at the outset rather than as an afterthought.

    * - Or earning them by selling off private information.

    1. asdf

      Re: On the right track, but . . .

      >The second truth is that introducing regulation becomes harder the longer you leave it.

      The FTC can ask the FCC about that firsthand with cable companies not having common carrier status and all.

    2. dan1980

      Re: On the right track, but . . .

      It's probably important to address one of the main counter-arguments that crops up in questions of regulation - the 'free market'.

      Politicians of all stripes (as most are in the pocket of various commercial interests), and especially those adhering to right-wing ideologies, espouse this notion that removing regulations will provide customers with more choice and better services.

      This is certainly possible but we know that in the IT and tech industries, the landscape is dominated by several larger players, who buy smaller startups and established companies and thus technology is concentrated and choice removed.

      What happens is that smaller companies that might care about privacy and use that as a selling point get bought up by larger companies that don't respect your privacy as much. They then have your historical info as well as any new info you generate or they choose to collect.

      The point is that the trend in the tech/IT/comms sector is for the market to be dominated by a small handful of huge companies and so the promise of an unregulated marketplace providing for the customer is a myth.

      1. Someone Else Silver badge
        Mushroom

        Free Market my ass (or arse, for the Brits in the crowd)!

        The whole concept of a "free market"™ (and all the political bullshit that accompanies said buzzword) ends the microsecond that market involves me becoming the product.

  8. ecofeco Silver badge

    Because trusting the corporation always works, right?

    /SARCASM

    Here's what will happen: We will be forced to buy in no matter what and we will get fucked. Period. Disabling the connection will become a crime.

    1. asdf

      Re: Because trusting the corporation always works, right?

      > Disabling the connection will become a crime.

      Kind of like Orwell wrote about two generations ago with the TVs that see you as well and you can't fug with (if I remember right). As an aside the main thing Orwell got wrong about the future was assuming the power structure was not mildly retarded ala shades of Idiocracy which seems to be the case.

      1. Mark 85

        @asdf

        Worry not, the idiots will soon be controlled by the non-idiots and all will be well or maybe Orwellian.

    2. dan1980

      Re: Because trusting the corporation always works, right?

      @ecofeco

      "Disabling the connection will become a crime."

      In the medium term, no. Far more likely that most, if not all, features of a device would be dependent on a connection. Not things like toasters, but TVs and Blu-ray players and so on. I can certainly see a world where TVs must be connected to the Internet to be useful for much beyond playing local content and even then, the devices used to play that content would need connectivity too.

      There would be no need there to disable a connection - just don't connect it. In the far further future, however, I can see something like this. Not a 'crime' but certainly having it so that any attempt to disable connectivity rendered the device inoperable and in breach of license conditions. Though I suppose that could be a crime to do with trying to disable copy protection.

      Still, that level of horror would require a genuinely pervasive wireless network that could be relied on by the device and that is the part that's realistically a fair way away.

      1. DropBear
        Trollface

        Re: Because trusting the corporation always works, right?

        "In the medium term, no. Far more likely that most, if not all, features of a device would be dependent on a connection. Not things like toasters..."

        Too late! The battle is lost... I just tried to unplug my toaster and it just sat there, lifeless, completely inoperable...

  9. Tunc

    Security? Embedded systems? Ada.

    Firstly, all devices must be open source - if it's a binary it can't be trusted.

    Then, to be reliable, secure and fast (fast being important for real time control), it has to be Ada.

    1. asdf

      Re: Security? Embedded systems? Ada.

      Reliable like the Ada software on Ariane 5 Flight 501?

  10. Rushyo

    Anonymous is not a magic bullet

    "If companies immediately de-identify data – erase any way to pick out a particular person from the information – the need to offer choices is greatly reduced, apparently."

    As though anyone exfiling data from IoT devices isn't already in a position to identify the targets they're attacking and tie that to the data they get from the target.

    Back to the drawing board and try again. D-

  11. Someone Else Silver badge
    FAIL

    Given that, for example, home router makers are so slow to patch security vulnerabilities in firmware, what luck does anyone have fixing critical flaws in their IoT light switches, boilers and shoes?

    If I have to worry about critical flaws in the security of my shoes, I'm going to change jobs and learn the fine old (if lost) craft of being a cobbler, so I can disable my shoes' IoT nonsense without getting my feet cold. I suspect I will do a fine business with others' shoes as well.

    Stupidest thing I've heard of in months (which, of course, assures some Corporate nimrod will do it).
