The Teddy Bear And Toaster Act Is Device Regulation Done Wrong

from the not-the-right-approach dept

Should government protect us from snooping teddy bears and untrustworthy toasters? The California State Senate seems to think so.

With traditional devices on the decline, laptop and desktop computers now account for less than 25 percent of internet network traffic. Indeed, American households now use, on average, seven connected devices every day. As this so-called “internet of things” continues to expand, an array of connected objects—from toasters to lightbulbs to dishwashers—now include embedded microprocessors, multiplying the number of potential threat vectors for data breaches and cyberattacks.

Notably, security researchers revealed recently that CloudPets, a company that sells connected stuffed animal toys with voice-recording capabilities, had a security vulnerability that leaked the information of more than 500,000 people. In response to accounts like these and concerns about data collection by internet-of-things devices, California is considering S.B. 327, legislation that would require certain security and privacy features for any connected devices sold in the Golden State.

Device insecurity is a real threat and it's encouraging to see legislators thinking about consumer privacy and security. But this bill, facetiously called the “teddy bear and toaster act” by its critics, would create more problems than it solves. These concerns do not merit a heavy-handed and wide-reaching legislative response.

First introduced in February, the bill targets a broad range of products that include “any device, sensor, or other physical object that is capable of connecting to the internet, directly or indirectly, or to another connected device.” It would require that their manufacturers “equip the device with reasonable security features.”

The scope and scale of that definition would appear to cover everything from smartphones to cars to tweet-happy toasters. Sweeping such a broad range of connected devices under its rules ignores that all of these items have unique functions, capabilities, and vulnerabilities. What constitutes a “reasonable security feature” for one might be completely unreasonable for another. This one-size-fits-all regulatory approach threatens to chill innovation, as companies from a host of different sectors expend resources just to make sense of the rules.

Should the bill move forward, we should also expect that a range of consumer items will be equipped to blink and buzz and beep in ways more annoying than informative. The bill decrees that: “a manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.”

For some types of devices—such as virtual and augmented reality systems and autonomous vehicles—this requirement is simply infeasible. These devices use sensors to collect data constantly in order to perform their core functions. For always-on devices like IP security cameras, Amazon Alexa or connected cars, an indicator would just be synonymous with an “on” button. Many of these indicators will be superfluous, misunderstood and costly to implement—costs that disproportionately would hit smaller businesses.

Other provisions of the bill urge sellers of connected devices to notify consumers at checkout where they can find the item's privacy policy and information about security patches and updates. This is valuable information, but the point of sale may not be the best time to communicate it. For many devices, a verbal or web-based tutorial likely would be more effective. Companies need the flexibility to figure out the best ways to inform their customers, and these design requirements would remove that flexibility.

In an interconnected world, balancing privacy rights and security is a hugely difficult undertaking. Enshrining that balance in law requires a nuanced and targeted approach. Policymakers at both the state and federal levels should focus their efforts on provable privacy or security harms, while empowering consumers with baseline information, where appropriate. Applying design requirements and compliance tasks in a haphazard way, as S.B. 327 does, will harm innovation without meaningfully improving data security.

Anne Hobson is technology policy fellow with the R Street Institute.


Reader Comments



  • Ninja (profile), 19 Apr 2017 @ 12:16pm

    I'd say that making storage, transmission and general data manipulation security mandatory, disclosure of what data could be collected for the device to do its basic task (i.e. toasters making toast should collect no data while self-driving vehicles need all sorts of environment data to self-drive) and making further data collection than that basic strictly opt-in could be nice obligations that wouldn't cause any harm to innovation. The way the bill has been crafted is completely flawed but I'd argue we need strong laws to protect everybody from the INEPT.


    • Wyrm (profile), 19 Apr 2017 @ 5:43pm

      Response to: Ninja on Apr 19th, 2017 @ 12:16pm

      Funny, that's exactly what Congress just voted down, and that was not about optional connected toys but your mandatory ISP. (Well, mandatory as long as you want internet.)

      So I'd find it a little hypocritical to pretend that toy-makers have to abide by some privacy and security standards.


      • Anonymous Coward, 19 Apr 2017 @ 8:43pm

        Re: Response to: Ninja on Apr 19th, 2017 @ 12:16pm

        The difference is the toy makers aren't funneling millions into campaign coffers like the incumbent telecommunications giants.


  • Anonymous Coward, 19 Apr 2017 @ 1:28pm

    Good Grief!!!

    Spelling man!

    "The Nanny State Senate seems to think so."


  • TechDescartes (profile), 19 Apr 2017 @ 1:39pm

    Connected toasters are crumby

    For every eight bits that fall inside the toaster, you lose one bite.


  • Anonymous Coward, 19 Apr 2017 @ 1:52pm

    So, the text of the bill is less than 20 lines, but I'm not sure the author understands it.

    Requiring "reasonable security features appropriate to the nature of the device and the information it may collect" does not, by definition, require using unreasonably high security features on a device that doesn't need them.

    The bill's mandates are relatively straightforward- (1) the reasonable security features (i.e. tailored to the device's needs and info); (2) some indication that the device is collecting information (again, not any specific method); (3) obtain consent for transmission of info (other than information transmission for the stated functionality of the device- e.g. not for a phone to send voice but for a phone that sends GPS data); (4) a short statement of the information collection made at point of sale; (5) direct notification to consumers of security patches.

    Most of this seems reasonable and/or flexible- it mandates informing consumers of security and collection features, requires consent for unanticipated data transmission, and increases notice of security updates. The bill may not be perfect, but it definitely doesn't jibe with the characterization made in this article.


    • Anonymous Coward, 19 Apr 2017 @ 2:08pm

      Re:

      Bad legislation is worse than no legislation. Mandating features harms innovation. I'm all for making companies' (in)security record publicly available so consumers can make the decision of whom to trust on their own.


      • TKnarr (profile), 19 Apr 2017 @ 3:19pm

        Re: Re:

        If that worked, we wouldn't be here. Or haven't you noticed the stream of reports of various breaches that name virtually every company currently producing connected products?


        • Anonymous Coward, 19 Apr 2017 @ 3:59pm

          Re: Re: Re:

          > haven't you noticed the stream of reports of various breaches that name virtually every company currently producing connected products?

          I have and that's why I haven't bought their products. Dumb consumers need to be educated.


          • Thad, 19 Apr 2017 @ 4:20pm

            Re: Re: Re: Re:

            > Dumb consumers

            Who had "two posts" in the "how long is it going to take him to start blaming the victims" pool?


            • Anonymous Coward, 19 Apr 2017 @ 4:42pm

              Re: Re: Re: Re: Re:

              If the definition of victim today is someone who voluntarily parted with their money and agreed to restrictive terms of service just to obtain an Internet toaster, the word has truly lost all meaning.

              The risks are known, information is easy to find. Ignorance does not a victim make.


  • Anonymous Coward, 19 Apr 2017 @ 1:59pm

    > shall design the device to indicate through visual, auditory, or other means when it is collecting information.

    Just think of all the visual and auditory fireworks that Windows 10 would need, why it would be deafening and blinding.


  • Peter Leppik, 19 Apr 2017 @ 1:59pm

    So what's your solution?

    This article bothers me because even while it acknowledges the "real threat" of poorly-secured devices, it offers no solution while pointing out all the problems (real or imagined) with the proposal that's being offered.

    If you agree that security of connected devices is a real problem that needs to be addressed, then what's your solution? If not this idea, then what?

    This sort of commentary is very close to straight-up obstructionism. It's very easy to find problems with any specific proposal. It's much harder to come up with better solutions. But nothing will ever get done if nobody ever offers better ideas.


    • Anonymous Coward, 19 Apr 2017 @ 2:12pm

      Re: So what's your solution?

      > So what's your solution?

      Lawsuit. Regulation winds up "shielding" businesses more than preventing them from fucking shit up.

      But if a business can be sued by consumers for producing a product that can be used to compromise their privacy then maybe a few things will happen.

      The thoughts of all the shit that might break loose would send many existing businesses into a ah fuck scramble to take their fucking security seriously.


      • Anonymous Coward, 19 Apr 2017 @ 2:19pm

        Re: Re: So what's your solution?

        Security is hard. Attacking is easier than defending. If you hold the vendors/software developers liable eventually the market will only have the few companies like Apple, Google, and Microsoft who have the money and talent to make their products nominally secure.


        • Anonymous Coward, 19 Apr 2017 @ 2:26pm

          Re: Re: Re: So what's your solution?

          Not true.

          If you want to do it right, then you need to have an established set of guidelines everyone needs to follow, similar to how NIST does password regulations. If you don't follow the minimums you are exposed to a lawsuit.

          Security is a serious issue; your logic would dictate that it's okay for the TSA to hire retards for the security of airports... oh fuck, they already do? No fucking wonder! Do you work for the TSA?

          Security, hard or not, is necessary; if you are prepared to do it right, it's one of those things you don't need to be doing at all!


          • Anonymous Coward, 19 Apr 2017 @ 2:27pm

            Re: Re: Re: Re: So what's your solution?

            **missing word**
            if you are NOT prepared to do it right, you don't need to be doing it at all.


          • Anonymous Coward, 19 Apr 2017 @ 2:35pm

            Re: Re: Re: Re: So what's your solution?

            > set of guidelines everyone needs to follow

            There are so many different devices that do different things I think it would be difficult to make meaningful standards for devices that perform so many different functions and have different expectations of security. But if you could do that something like the Energy Star program could serve as a model. It's a voluntary program and well known and understood by consumers.


            • Anonymous Coward, 19 Apr 2017 @ 4:07pm

              Re: Re: Re: Re: Re: So what's your solution?

              I think you have brain damage.

              Standards would transcend the devices. Kinda like how NIST password standards have nothing to do with specific devices. But I guess you would not be intelligent enough to understand how that would work, would you? I feel like I am talking to a politician that likes to talk about shit they know nothing about. Is this Trump?

              Hopefully the next person that has to talk with you about anything that requires knowledge or brain cells gets the option of a refund!


          • Anonymous Coward, 20 Apr 2017 @ 3:15am

            Re: Re: Re: Re: So what's your solution?

            Set up a set of standards, and set up a certification authority, and then only the big players can play in the market.

            A much better solution is education and caveat emptor.


            • Anonymous Coward, 20 Apr 2017 @ 8:38am

              Re: Re: Re: Re: Re: So what's your solution?

              Education and caveat emptor should always be at play.

              This is about setting a common bar where a company becomes civilly liable for their bullshit.

              There is NO WAY for a consumer to reasonably evaluate the true security vulnerabilities of a product.


        • Thad, 19 Apr 2017 @ 4:30pm

          Re: Re: Re: So what's your solution?

          > Security is hard.

          I've never had any difficulty not leaving an open Telnet port with a hardcoded root password.

          > If you hold the vendors/software developers liable eventually the market will only have the few companies like Apple, Google, and Microsoft who have the money and talent to make their products nominally secure.

          Wait, so you're arguing that companies that don't have the money and talent to make their products secure ("nominally" or otherwise) should continue to stay in business and sell their insecure products?


      • TKnarr (profile), 19 Apr 2017 @ 3:24pm

        Re: Re: So what's your solution?

        That's already been thought of. That's why the "terms of service" for connected devices commonly include clauses preventing users from joining class-action suits and requiring them to first go through manufacturer-friendly arbitration before filing an individual lawsuit (and often making the consumer liable for the company's legal costs if the consumer fails to win the suit, where in the normal course of legal proceedings they wouldn't be). Lawsuits aren't a real threat when no individual consumer can show enough damages to cover the costs of suing and collective actions are prohibited.


        • Anonymous Coward, 20 Apr 2017 @ 8:43am

          Re: Re: Re: So what's your solution?

          Exactly, which is why we need things like standards. If you as a business fall below them, then your TOS will not save your ass from a lawsuit. So if a person brings suit and a judge finds reason, that product goes to a blackhat session where it becomes a fucking field day exercise in security breaching.

          Once a person succeeds in their suit, they get a juicy stack of cash for their problems and the business is open to future lawsuits by other customers until they release a patch addressing the security vulnerabilities.

          It will not take long for businesses to understand that if they don't take it seriously they could be put out of business fast!


          • TKnarr (profile), 20 Apr 2017 @ 11:34am

            Re: Re: Re: Re: So what's your solution?

            I don't think you understand the process. With these terms of service a person brings suit, the company moves for dismissal and referral to arbitration based on the TOS, the judge tosses the suit (out or over the wall to the arbitration panel) based solely on the TOS and never gets to the question of whether the complaint had any basis. And if they sue after arbitration, they have to shell out hundreds of thousands of dollars over a couple of years with no ability to recover any of it and the possibility of having to also cover the company's legal fees even if the person wins.


    • Anonymous Coward, 19 Apr 2017 @ 2:40pm

      Re: So what's your solution?

      Let's see your solution first.


    • OA (profile), 20 Apr 2017 @ 9:30am

      Re: So what's your solution?

      > This article bothers me because even while it acknowledges the "real threat" of poorly-secured devices, it offers no solution while pointing out all the problems (real or imagined) with the proposal that's being offered.

      > If you agree that security of connected devices is a real problem that needs to be addressed, then what's your solution? If not this idea, then what?

      First off, I have no opinion on the article...

      I'm not fond of this type of "reasoning". Commentary towards the assessment of a problem is perfectly valid. Furthermore, many solutions should be derived communally.

      If one waits for action plans like the following: 1) Solve problem,

      then you tend to get narrowly considered, cliché-like "solutions".

      > This sort of commentary is very close to straight-up obstructionism.

      Obstructionism (or "very close" to it) is usually about insincerity and/or malice. You reply as if the author's insincerity is a given.

      > It's very easy to find problems with any specific proposal.

      It is very easy to make proposals that are careless, thoughtless, destructive or irresponsible. The author offers related discussion and arguments. You offer nothing!

      > It's much harder to come up with better solutions. But nothing will ever get done if nobody ever offers better ideas.

      Meaningless cliché. This whole comment reads like an attempt to prejudice the susceptible reader and as a blind defense of the criticized legislation. There are no actual arguments!


  • Roger Strong (profile), 19 Apr 2017 @ 2:01pm

    Not The Singularity We Were Warned About

    > Other provisions of the bill urge sellers of connected devices to notify consumers at checkout where they can find the item's privacy policy and information about security patches and updates.

    What of devices that lack a screen for conveying that information? For example that infamous internet-connected smart vibrator mentioned here a month ago.

    The obvious solution is to add a voice chip so that it loudly starts explaining the We-Vibe privacy policy at checkout. That could take a while, so it may still be happily explaining security features on the bus home.


  • Anonymous Coward, 19 Apr 2017 @ 2:02pm

    > The bill decrees that: “a manufacturer that sells or offers to sell a connected device in this state shall design the device to indicate through visual, auditory, or other means when it is collecting information.”

    The 'power on' indicator light already serves this purpose.


  • Christenson, 19 Apr 2017 @ 2:29pm

    How about some *good* language for the law?

    Here's my simple list of requirements for all IOT devices:

    Conspicuously available disclosures PRIOR TO THE SALE of:
    • Identify the device (where's the model #? what's it do?)
    • the data it may collect,
    • how the collected data is secured,
    • how the collected data may be used by whom in spite of being "secured" (hint: here's looking at you, browser fingerprinters!)
    • potential consequences of not securing that data.
    • How may the internet connection be disabled?
    • What are the consequences of disconnecting from the internet?
    • How may the firmware be updated?
    • How may its version be determined?

    And a couple of requirements:
    • Firmware must not be updated without in-person mechanical permission such as pressing a button.
    • Internet disconnection must be reasonably simple and not otherwise damage the device. Maximum tools required: screwdriver, wire cutters, or USB/network cable and computer.
    • Firmware updates must be offered to all customers on an anonymous basis.


  • Anonymous Coward, 19 Apr 2017 @ 2:33pm

    Easier fix

    Just reclassify security-defective devices as defective in the product recall sense. When the companies are faced with recalling devices they cannot or will not fix, they'll seriously consider designing the devices to be either correct the first time or, where that's not viable (and, for some devices, it won't be), sufficiently field serviceable that they can -- and do -- fix the problems when problems are reported. As is, you get the worst of all worlds: the complete lack of support/interest after the point of sale that is common in pure software, but the rapid market turnover of embedded devices, allowing the manufacturer to profit and move on before their mistakes catch up to them.


  • TKnarr (profile), 19 Apr 2017 @ 4:05pm

    Hmm. Who does the R Street Institute represent (as in, who are they being paid by)? The arguments Ms. Hobson presents look like they're taking the proposed law and interpreting every clause in it in the most disadvantageous manner (even when that contradicts the black-letter words of the proposal). The result is arguments that amount to e.g. "There isn't a full screen to display details like we'd have on a computer on a toaster, so it's impossible for a toaster to comply.", easily countered by "State clearly in the manual what information is collected and transmitted, then either state that it's continuously collected/transmitted while the toaster is powered on or add one single LED and say that that LED being lit means data collection/transmission is in progress." The whole thing smacks of an attempt to argue that we shouldn't hold manufacturers to any legal standard and should leave it entirely up to them to voluntarily do the right thing.

    Well, if they would voluntarily do the right thing, we'd never have gotten to the point where a law like this is proposed.


    • Anonymous Coward, 20 Apr 2017 @ 12:19am

      Re:

      > Hmm. Who does the R Street Institute represent (as in, who are they being paid by)?

      Good question.

      Let me phrase it in another way: Who benefits from avoiding product liability?

      Some likely answers:

      • software vendors;
      • software vendors;
      • software vendors.


      • Anonymous Coward, 20 Apr 2017 @ 9:52am

        Re: Re:

        > Who benefits from avoiding product liability?

        Open source. It is the norm for free and open source software to come with no warranty and exclusion of liability. Yet many projects have more features and better security than proprietary options.

        If you kill the market for cheap Chinese routers, you lose many of the platforms that OpenWRT runs on, driving up the price for secure routers. Already the threat of security regulation has caused vendors like TP-Link to make it harder to install third-party firmware, making the routers permanently insecure when they decide not to support them anymore.


  • Anonymous Coward, 19 Apr 2017 @ 4:11pm

    That word again. "Regulation". When will we learn?


  • ECA (profile), 19 Apr 2017 @ 4:37pm

    tHE state

    The STATE is for the citizen/people...
    AS the GOV, is the collective of the states..

    It's interesting the laws created by the GOV., that go beyond their OWN jurisdiction (the constitution) WHEN those in the STATES don't WANT IT..


    • Anonymous Coward, 19 Apr 2017 @ 4:44pm

      Re: tHE state

      This is a proposal in the State of California, not Congress.


      • ECA (profile), 19 Apr 2017 @ 10:17pm

        Re: Re: tHE state

        I didn't say anything about Congress..
        I SAID that the STATE has control of STATE LAWS...and that is Part of the constitution(?)

        If all the states decide to do the same thing..Make it a Federal law..


  • Stosh, 19 Apr 2017 @ 5:09pm

    If one can't make a piece of toast without an internet connection....we're doomed, doomed I say.


  • chrisbyrnes (profile), 19 Apr 2017 @ 8:19pm

    Most of you are seriously underestimating this problem

    As one who deals with this problem professionally on a daily basis, I assure you that legislation is critically needed. Insecure devices place more than their owners at risk. They become pawns in criminal enterprises. They are used to undermine the Internet. Device manufacturers continue to ignore this. Continued economic growth, at this point, will require legislation. As usual, California first.


  • Anonymous Coward, 20 Apr 2017 @ 6:51am

    So... Teddy's eyes glow demonically when it is listening to you and plotting your demise? Hasn't that been done already?


