A recent article in CSO (Australia edition) advised data security executives that “Users’ poor home IoT security could become your next headache”.
This raises and interesting question. Where should we draw the line between a consumer’s responsibility to become technologically literate, including protect the security of their home network and devices, and the developer’s and manufacturer’s responsibility for the security of those devices throughout their life-cycle? The question will eventually have to be answered — and probably in court. Manufacturers facing a class action for security defects in an IoT device will undoubtedly raise a defence of contributory negligence.
In this post, I’ll focus on some observations about what we know about consumer behaviour in addressing defects in products they use. On Thursday, I’ll offer some thoughts on Canadian consumer protection laws and how that might affect suppliers and manufacturers attempting to limit liability for IoT security defects.
The evidence suggests that consumers are aware that there are security risks with their IoT devices. CISCO reported in December 2017 that consumers have a low level of trust in the security of their data flowing through IoT devices. What is less clear is whether consumers believe that they have a significant role to play in ensuring that those devices are secure.
The “plug-and-play” consumer culture does not help instill a sense of responsibility in consumers for managing and maintaining electronic devices. Consumers tend to re-use passwords, leave default passwords on routers, fail to update firmware on devices ranging from routers to smart TVs, and fail to deploy updates. Consumers may gamble that their poor password, virus protection, and software update practices won’t lead to or contribute to the loss of the data. However, the issue in IoT is not only an issue of privacy. It is an issue of the availability and integrity of the data, which could lead to consequences that affect the safe operation of those devices.
Consumers are also poor at quantifying risks and responding to those risks. How bad could it get? Consider automobiles. According to Carfax, one in five vehicles in the United States had open recalls – that is, unfixed issues that in many cases could result in serious safety risks. Researchers continue to try to figure out ways to nudge consumers to respond appropriately to the risks.
Research by the U.S. National Highway Traffic Safety Administration (NHTSA) presented to Congress in 2017 suggests that there are potentially a number of issues at play that affect how consumers respond to risks.
For example, of completion for open recalls decreased with the age of the vehicle. Consumers may simply not invest in much in the maintenance of older vehicles and this may affect the amount of information they receive about open recalls and whether they take the time to have them fixed. Vehicle owners may be more likely to visit a dealership during a new vehicle warranty period. It is more likely they will learn about the open recalls and will be nudged into having them fixed (or appear irresponsible). Older vehicles may not be serviced unless there is a serious problem.
The NHTSA research also showed that the type of component involved affected recall completion rates. It may be that consumers need a better framework for understanding the risk in some cases. Is it possible that a consumer may apply a lower discount to the chances of harm coming from a defective fuel system that could cause a spontaneous fire because they have a limited role in the likelihood of the event? By contrast, might a consumer apply a greater discount to the risk of a defective air bag or seat, if the harm would only apply in the case of a motor vehicle accident. The risk of a motor vehicle accident may already seem rare to the consumer. The consumer may also overestimate their abilities as a defensive driver to prevent the accident.
Whatever the psychological reasons, the statistics do not bode well for consumers taking responsibility for IoT devices, particularly when we consider the myriad types of IoT devices such as wall plugs, lightbulbs and other devices that individually or cumulatively could cause significant security or safety issues. It may be that these devices could be configured to receive remote updates; however, there will still be numerous use-cases where the update itself (if not managed by the consumer) could result in a security or safety issue, particularly if the device must shut down. So some consumer prompt will be required.
So, while a manufacturer may have a legitimate defence of contributory negligence if consumers do not take reasonable care in the operation of their IoT devices and the security of their network, the actual standard of care of consumers should not give public policy wonks any comfort. We will need another solution than the hard edge of tort law.
You can find the NHTSA report here.