There’s a big problem with little devices on the Internet. A lot of them have really sloppy security. They have default passwords which require extra effort to change. Some have their own Web servers for no fathomable reason, and others have unsecured Wi-Fi connections. People install them with very little thought and no configuration.
These devices are vulnerable to attacks that take them over remotely, incorporating them into botnets. The October 21 attack on Dyn’s DNS servers made many websites unreachable for a large part of the day. The attack came from thermostats, refrigerators, security cameras, and light bulbs. It’s like an episode of The Twilight Zone.
These devices can let attackers get inside local networks, behind firewalls, where they can access servers and read or change confidential information. Kellyanne Conway was right, in a way. Your microwave oven can spy on you, though it’s reading your email rather than pointing a camera at you.
Many makers of these devices are unquestionably sloppy. The costs of breaches are high and will get higher. The devices are available cheaply, and manufacturers want to keep costs as low as possible. Skimping on security is one way to reduce costs. Many voices are calling for regulation to solve the problem.
Bruce Schneier argues that this is a case of market failure. “The teams building these devices don’t have the security expertise we’ve come to expect from the major computer and smartphone manufacturers, simply because the market won’t stand for the additional costs that would require.”
People in the industry are arguing against regulation. An article on TechPolicyDaily.com agrees that secure design is essential but points out that regulations get in the way of technological innovation. Computer technology changes rapidly, and regulations tend to stagnate once they’re enacted. The result can be that manufacturers are stuck with doing things last year’s way, when more effective remedies are available. “If we want to keep the internet economy innovative and dynamic,” the writer argues, “market-based solutions would be preferable over heavy-handed government regulation.”
The perils of regulation
I basically agree with the TechPolicyDaily article, but we have to ask what the market forces are that will promote secure devices. Consumers, for the most part, have no clue. The market works when people are held responsible for the consequences of their actions. What Schneier calls “market failure” is really responsibility failure.
There are, in broad terms, two approaches to such situations. Let’s call them regulation and liability. Under the regulatory approach, the government specifies what people should do. Under the liability approach, it doesn’t dictate their actions but holds them responsible for any harm they do.
The regulatory approach can take the form of laws which specify in great detail what an industry can or can’t do. They’re many pages long, and the members of Congress who are responsible for them don’t read them. They inevitably contain mistakes, as well as provisions to satisfy special interests. No matter how well-written they are, they dictate a particular approach. They create a burdensome requirement to figure out what the law says and conform to it. In highly regulated industries, large businesses have an advantage, because they can afford the legal staff to make sure they’re complying with the law or convince the government they are.
A second aspect of regulation is the creation of a regulatory bureau. In a way, this is an answer to the first problem, since the bureau can change requirements as technology changes and problems turn up in the original requirements. However, it leads to rule by people in government offices — literally, “bureaucracy.” They want to create work to justify their existence, so they try to expand their roles. They tend to be staffed by people from the industry they’re regulating, so they create a mutually reinforcing relationship between the administrators and the largest companies (which are where administrators generally come from).
The result is cronyism. It’s often implemented in administrative law, where the regulatory agency also controls the judges. A Cato article recently discussed the injustices which administrative law creates.
The liability-based approach
From a libertarian standpoint, a liability-based (tort-based) approach is morally preferable to regulation. People should be held responsible for the harm they inflict, not compelled to act in particular ways. It doesn’t create a mass of regulators who have a cozy relationship with selected businesses. Businesses can prevent harm however they like, but they have to prevent harm or bear the consequences.
There are problems in this approach too. Most jurors aren’t technical experts, and technobabble or emotional appeals can sway their judgment. Identifying the businesses whose devices caused harm is a difficult problem. Public perception can affect judgments. Damages awarded can be ridiculously high or low.
Still, the long-term consequences of bureaucratic regulation are more threatening. Regulation easily detaches itself from the principle of harm prevention. It becomes a way to implement goals which the people in charge think are desirable, whether they prevent actual injury or not.
This has happened in many areas. In federal regulation of what constitutes “organic” food, animal welfare requirements which have nothing to do with the food’s organic nature have been smuggled in, while synthetic substances are allowed in some cases. What was supposed to protect the public against deceptive labeling has become a way for everyone from industry lobbyists to animal rights activists to exert influence.
Laws need to be crafted or adapted to deal with manufacturer negligence on the IoT. These laws should establish the conditions of manufacturer liability, not put their design and production under bureaucratic control.