
> An individual consumer who purchases a poorly protected network device is unlikely to suffer any meaningful individual harm

It opens the door to liability for companies who purchase insecure network devices. If your peers are buying good hardware while you're buying self-identifying garbage, someone harmed by a botnet running on your metal has a better argument, now, that you were knowingly reckless.




Why even allow the sale in the first place. We don't allow the sale of faulty seat belts and say "well the consumer knew when they got it"


The only sales you can control are the ones that happen in your own country. I'm sure you can buy seat belts from Ali Baba at a fraction of the price, they'll probably be hilariously non-compliant to your country's safety standards, whether or not they work can be modeled by a fair dice roll, and I'm sure your insurer will deny any claims you make after installing them. But you can certainly buy them.


You may not be able to import them.

It's likely that if you literally fly out, buy them, pack them in a suitcase and fly home they'd make it, but if you try to buy a crate of obviously non-compliant Product X and it arrives at a port there's a reasonable chance somebody says "This Product X is non-compliant, so, why the hell is that here?" and you're not going to receive it.

You might think well, surely they don't look in most crates. And they don't. They don't look in the forty identical crates of compliant seatbelts going to Ford, because why would Ford be like "Hey, let's order 39 crates of compliant ones, but order 40 crates with #8 non-compliant to kill a few customers as a joke"?

They're going to look in your crate because you never ordered any crates of seatbelts before, and "Bo Yang Belts" never sent anybody in your country a crate of anything before. Because their products aren't compliant to anybody's standards and so you're their first foreign sale.

But actually you may never even get to buy them. The huge first world economies like the EU and US order such enormous volumes of stuff and require compliance to their standards that it just often doesn't make sense to make Product A for them and then also Product B that's much worse but a bit cheaper for domestic use. I wouldn't like to guess if seatbelts are such a product.


Your answer seems logical but it is a real problem, see this article about Amazon repeatedly called out for selling deathtrap infant seats: https://www.bbc.co.uk/news/technology-51497010. They really do exist and really do make it across the fairly strict borders in the UK regularly.


But if there are a hundred million compromised TVs, toasters, refrigerators, and thermostats, liability for those few enterprises is largely a moot point.


I don't understand what you're trying to say here. The fact that companies will now be liable means that if even a single person is affected, not only is there clear liability, the kind of offenses that aren't sued for right now, because the payoff is too low to cover the court costs, are suddenly perfectly viable class action suits for amounts in the hundreds of millions of dollars against single manufacturers.

That's a huge shift, and about as far from "moot" as you can get.


I think what is being discussed here is liability for companies purchasing insecure devices, rather than the manufacturers of those devices.

It is reasonable to say that, even if companies are discouraged from purchasing insecure devices, that won't necessarily deter consumers from purchasing insecure devices for their households. The threat from devices in households is perhaps even greater than in businesses, if the number of households in question is great enough.


> If your peers are buying good hardware while you're buying self-identifying garbage, someone harmed by a botnet running on your metal has a better argument, now, that you were knowingly reckless.

If every piece of hardware has the same label, that argument dries up and blows away.

If some piece of hardware doesn't have the label and later gets owned, the manufacturer will be held accountable. It would have to be, or else this is toothless. Since no manufacturer can predict which vulnerabilities may be discovered, and since legal teams are a cowardly and superstitious lot, every manufacturer will put the label on now to avoid any potential problems later.


But if we're holding companies liable for dangerous products... shouldn't we be holding the manufacturers liable?

What's the point in holding companies which purchase products liable for the quality of those products? That's a step removed for literally zero benefit I can see.

Just hold the manufacturers liable directly. In other words: standards, not labels.


The point in general for holding purchasers liable is maintenance traditionally for 'wear and tear' as opposed to defects.

To use a car analogy: if your car gets into an accident because the brake pads should have been replaced 10,000 miles ago, that is your fault. If it is because the brake pads disintegrate when they get wet, that is the manufacturer's fault.

These aren't cars, however, but it does bring to mind a hypothetical consistent set of standards involving patches. So if, say, the product was perfectly fine at launch on 32-bit platforms but it has a bug when run on 64-bit platforms, it would become the user's problem.

It obviously wouldn't be a very good system, it isn't realistic in its expectations nor easy to judge or administer with all of the nuances and fine details of knowledge.
