[Update: I did not read the original proposal carefully. I mistakenly believed this was a mandated regulation and not a voluntary one, so some of the points in my post do not apply.
However, I still oppose it for mostly the same reason: if consumers wanted this type of label on their products, then we would likely already see it.
I am also skeptical that this is being initially proposed as a voluntary program, but is actually laying the foundation for a regulation that is mandatory.]
Please do not propose this regulation. If consumers actually cared about their IoT devices receiving security updates, companies would be doing it. The fact that companies are not already doing this is evidence it's not important to consumers. People may express frustration, but their purchasing behavior speaks louder than their words.
This regulation would force companies to work on things that customers don't actually value. It will hinder innovation. Companies could work on features consumers value instead of working on security updates that consumers do not value.
If this regulation passes, companies will be less likely to offer new IoT devices knowing they will have to provide security updates beyond what consumers are demanding.
This regulation will also increase costs for IoT devices. As a consumer, I do not want the FCC mandating what features will be included in my IoT devices.
From the perspective of an individual engineer, tech regulation like this often leads to engineers doing soul-sucking work that nobody cares about. I know your focus is on consumer protection, not producers, so that point may be irrelevant.
Please do not be the individual that causes a negative impact on the world, despite whatever good intentions you may have.
I'm guessing if the FCC enacts this regulation, it will help you in your political career. However, if you were to take the opposite stance and oppose the legislation for the reasons stated above, I'm sure you'd lose your job very quickly. Therefore, I am confident I will be ignored.
> Please do not propose this regulation. If consumers actually cared about their IoT devices receiving security updates, companies would be doing it. The fact that companies are not already doing this is evidence it's not important to consumers. People may express frustration, but their purchasing behavior speaks louder than their words.
Or, maybe, companies are exploiting consumer ignorance and we're not dealing with an efficient market.
> Please do not propose this regulation. If consumers actually cared about their IoT devices receiving security updates, companies would be doing it. The fact that companies are not already doing this is evidence it's not important to consumers. People may express frustration, but their purchasing behavior speaks louder than their words.
In 1980 11% of American adults used automobile seat belts.
"The fact that companies are not already doing this is evidence it's not important to consumers. People may express frustration, but their purchasing behavior speaks louder than their words."
I would like to see evidence before anyone accepts this premise as true. That's like saying smokers don't care about lung cancer, or parents don't care about lead in baby toys, as shown by their purchase behavior.
Security updates are affected by asymmetric information, widespread consumer ignorance and negative externalities. We need solid regulation.
The fact they voluntarily trade their own resources for these devices is the evidence I would point to.
They may care "about lung cancer" and other aspects of the product, but they make trade-offs.
Consumers are ignorant about many aspects of the products they use. I do not trust politicians to somehow know what those asymmetries are and divine what our true preferences are.
> If consumers actually cared about their IoT devices receiving security updates, companies would be doing it.
I don't think this is true. Security issues don't matter until they do, and consumers -- by which I mean "people" -- are notoriously bad at estimating risk for sufficiently rare outcomes.
To take a common example, insecure internet-connected baby monitors can literally give strangers video access to your home (not to mention your child, although we don't need to resort to "think of the children"). I think most consumers make purchases with the reasonable expectation that the product isn't going to violate their personal security without them knowing.
As a concrete example to the contrary, even many laypeople I know consider home assistants like Alexa to be too risky -- they don't like the idea of being overheard and monitored by some unknown "other". And that's almost literally part of the product description! When consumers are aware of these issues, they do care. The idea that they currently purchase as though they don't is confounded by a lack of awareness on the one hand, and a reasonable expectation to the contrary on the other hand.
Consumers often purchase insurance for low probability, high impact events. I would infer the fact that consumers are not purchasing insurance for these devices means they don't think it's that big of a deal.
> If consumers actually cared about their IoT devices receiving security updates, companies would be doing it.
This seems like a crazy response to me.
The _entire_ program is _voluntary_. If a manufacturer doesn't want to jump through any hoops the only downside is that they don't get an "FCC cybersecurity" label on it. So if the customers _actually_ don't care, then don't do the program and don't get the sticker on the box.
The _only_ reason for anyone to complain about this program is that customers _DO_ fucking care, and _want_ to be informed. Customers _want_ to purchase more secure products but do not have the option, and do not have the information required to do so.
It's not even a mandate that they have X years of security updates. They just have to _disclose_ how many years of security updates they are providing. They could disclose that they provide 3 months of security updates if they want to. If that hurts sales, it's only because PEOPLE ACTUALLY CARE about this.
If your theory is accurate, then this proposed rulemaking would have 0 effect on industry at all.
> As a consumer, I do not want the FCC mandating what features will be included in my IoT devices.
That's not the proposal. The proposal is the FCC mandates what features are included in your IoT devices that have an "FCC cybersecurity" label on it.
> If they meet certain criteria for the security of their product, manufacturers can put an FCC cybersecurity label on it. I fought hard for one of these criteria to be the disclosure of how long the product will receive security updates
If you ask an average consumer about their IoT devices' security updates their eyes will glaze over. I imagine the average car buyer in the 1950s would react the same way to talk of "crumple zones." Consumers absolutely need to be protected from corporate negligence here.
I don't think customers not caring is a valid reason to not do this. Compromised IoT devices don't only cause harm to their owners, but also external networks and the internet as a whole.
A compromised doorbell, or lightbulb, etc., can be used as part of a botnet to perform DDoS attacks or other nasty activities.
An analogy is like saying we shouldn't work on reducing the pollution emitted by motor vehicles because the users of these vehicles don't care about how much pollution they cause and would buy them regardless. It's the negative externalities that we need to consider.
I haven't thought through the externality argument very much. If I do I will come back and respond. I'm sure there are people more thoughtful than me who have said something about it.
Something to keep in mind though, government regulation itself is an externality.
And here's the political angle. Letting a bunch of insecure IoT devices into your home actually harms other people by allowing your devices to enable subsequent exploits of your neighbors, both on the next block over as well as the next country over.
Therefore IoT devices most certainly should be regulated as this is a critical issue for the public good as well as national security.
Consumers don't have time, knowledge, or resources to demand all these things they use. When I buy a car, I want it to be safe. I spend zero time evaluating its technology and demanding labels. I already have a job.