Smart-television maker Vizio agreed to pay a penalty this month for spying on 11 million customers. According to the Federal Trade Commission, the company captured second-by-second information on what customers viewed, combined it with their gender, age, and income, and sold it to third parties.
How much was the fine for Vizio, which has sales in excess of $3 billion? It was $2.2 million — barely a slap on the wrist.
This kind of privacy breach is becoming increasingly common as billions of devices are added to the “Internet of Things” (IoT). Whether it be our TV sets, cars, bathroom scales, children’s toys, or medical devices, we are already surrounded by everyday objects equipped with sensors and computers. And the companies that make them can get away with being careless with consumer security — and with stealing customer data.
Vizio has been accused of exposing its customers to hackers before. In November 2015, security researchers at Avast demonstrated how easy it was for hackers to gain complete access to the WiFi networks that Vizio’s TVs were connected to. Avast researchers also reported that Vizio recorded customer data even when customers explicitly opted out of its terms of service.
On Black Friday in 2015, hackers broke into the servers of Chinese toymaker VTech and lifted personal information on nearly 5 million parents and more than 6 million children. The data haul included home addresses, names, birth dates, email addresses, and passwords. Worse still, it included photographs and chat logs between parents and their children. VTech paid no fine and changed its terms of service to require that customers acknowledge their private data “may be intercepted or later acquired by unauthorized parties.”
Regulations and consumer protections are desperately needed.
One option would be to hold the manufacturers strictly liable for these hacks, to financially motivate them to improve product security. In the same way that seat belt manufacturers are responsible for the safety of their products, IoT device makers would be presumed liable unless they could prove they had taken all reasonable precautions. The penalties could be high enough to put a company out of business.
The problem with such harsh penalties are 1) users often enable hacking by using insufficiently complex passwords, thus leaving the front door unlocked and 2) extreme penalties could stifle innovation, since the threat of litigation could stop big players from innovating and small players from entering the market.
Duke School of Law researcher Jeremy Muhlfelder says that copyright law has a history of Supreme Court cases that have ruled on this exact principle, of not wanting to curb the “next big thing” by holding innovators liable for their innovations.
A more reasonable solution may be along the lines of what attorney Matt Sherer recommends in a paper on regulating artificial intelligence systems that was published in the Harvard Journal of Law and Technology: Impose strict liability but with the potential for precertification that removes the liability. IoT devices would be deemed inherently dangerous, and thus the producer would be strictly liable for faults unless an independent agency certifies the devices as secure. This would be similar to the UL certification provided by Underwriters Laboratories, a government-approved company that carries out testing and certification to ensure products meet safety specifications.
Equipment certification is also one of the recommendations that former Federal Communications Commission chairman Tom Wheeler made in a letter to Sen. Mark R. Warner (D-Va.) regarding the government’s response to the October 2016 attack on the Internet. He proposed a public–private partnership that creates a set of best practices for securing devices, the certification or self-certification of products, and labeling requirements to make consumers aware of the risks. Wheeler proposed “market-based incentives and appropriate regulatory oversight where the market does not, or cannot, do the job effectively.”
As Wheeler also noted, addressing IoT threats is a national imperative and must not be stalled by the transition to a new president. This is beyond politics. It is a matter of national security and consumer safety.
Vivek Wadhwa is Distinguished Fellow at Carnegie Mellon University Engineering at Silicon Valley. Follow @wadhwa.