How (Not) to Regulate the Internet

In 2012, famous com­put­er secu­ri­ty expert Bruce Schneier wor­ried about the rise of what he called “secu­ri­ty feu­dal­ism.” This is the process by which users place their trust in a giv­en ven­dor to safe­guard their data and their devices — whether through auto­mat­ic updates, auto­mat­ic back­ups, required two-fac­tor authen­ti­ca­tion, and so on. Echo­ing the old para­noid hack­er ethos, he laments that “Trust is our only option. In this sys­tem, we have no con­trol over the secu­ri­ty pro­vid­ed by our feu­dal lords.”

Of course, Schneier con­ced­ed, this trust isn’t all bad. ” For the aver­age user, giv­ing up con­trol is large­ly a good thing,” because these ser­vices do a bet­ter job of secur­ing them­selves than normies ever can. For peo­ple who are not inclined to tin­ker, that is to say 99% of users, this is a fea­ture and not a bug. Peo­ple do not want oppres­sive tech­ni­cal bar­ri­ers to using a device, then want it to just work — that is why Apple phones are so pop­u­lar, and it is why secure com­mu­ni­ca­tions ser­vices are so unpop­u­lar. They’re just too hard.

Schneier’s solu­tion? “It’s time we step in in our role as gov­ern­ments (both nation­al and inter­na­tion­al) to cre­ate the reg­u­la­to­ry envi­ron­ments that pro­tect us vas­sals.”

Fast for­ward a cou­ple of years, and we are now fac­ing the prospect of inse­cure devices, the Inter­net of Things, that can be hacked into tak­ing down the inter­net. It is a thorny prob­lem: these devices are built by sub-sub-sub­con­trac­tors over­seas, rebrand­ed here, and assem­bled into appli­ances sold at big box stores with no real secu­ri­ty built into them. When some­one exploits these weak­ness­es to launch a dev­as­tat­ing denial of ser­vice attack, as hap­pened recent­ly, there is no real way to trace back who might be respon­si­ble. As I wrote at the time:

Prod­ucts ship with a default user­name and pass­word; they have to, in order to be usable by a nor­mal per­son (there are oth­er schemes that might work, like man­u­fac­tur­ing unique prod­uct keys the way Microsoft does with Win­dows, but again those are very expen­sive and giv­en how easy it is to “crack” those prod­uct keys it prob­a­bly wouldn’t work any­way).”

Most of these devices are cracked with­in six min­utes of being con­nect­ed to the inter­net — a painful­ly short win­dow in which to wipe the pass­word and deny access to mal­ware.

React­ing to this ten­u­ous state of affairs, Schneier again rais­es his clar­i­on call for gov­ern­ment reg­u­la­tion of the IoT mar­ket in the Wash­ing­ton Post.

The gov­ern­ment could impose min­i­mum secu­ri­ty stan­dards on IoT man­u­fac­tur­ers, forc­ing them to make their devices secure even though their cus­tomers don’t care. They could impose lia­bil­i­ties on man­u­fac­tur­ers, allow­ing com­pa­nies like Dyn to sue them if their devices are used in DDoS attacks. The details would need to be care­ful­ly scoped, but either of these options would raise the cost of inse­cu­ri­ty and give com­pa­nies incen­tives to spend mon­ey mak­ing their devices secure.

Ahh, the details. Here’s the thing: lia­bil­i­ty is a mean­ing­less con­cept for IoT man­u­fac­tur­ing. Requir­ing U.S. based sell­ers to cer­ti­fy the infor­ma­tion secu­ri­ty of the devices they sell would intro­duce a galaxy of law­suits against the indus­try. Can you imag­ine Microsoft being sued because some­one got a virus? I can’t — and I would be shocked if a judge allowed such a suit to be brought for­ward. Sim­i­lar­ly, can you imag­ine Dyn suing Phillips for a mal­ware-infect­ed light­bulb, or Xiong­Mai Tech­nolo­gies for build­ing one with­out ade­quate secu­ri­ty? Can you imag­ine Apple being held liable for peo­ple mis­us­ing their iPhones to com­mit crimes?

To call such a legal regime prob­lem­at­ic is an under­state­ment. It would essen­tial­ly crash the indus­try to a halt. Right now, Sec­tion 230 of the Com­mu­ni­ca­tions Decen­cy Act says:

No provider or user of an inter­ac­tive com­put­er ser­vice shall be treat­ed as the pub­lish­er or speak­er of any infor­ma­tion pro­vid­ed by anoth­er infor­ma­tion con­tent provider”

This means that an Inter­net Ser­vice Provider can­not be held liable for ille­gal activ­i­ties that take place by a con­sumer of its ser­vice: that is, if a per­son is using Com­cast to access some­thing like child pornog­ra­phy, it is the per­son access­ing it who is liable, and not Com­cast. The provider of the ser­vice is not respon­si­ble for peo­ple crim­i­nal­ly mis­us­ing that ser­vice.

This is a bedrock prin­ci­ple of both speech online and of reg­u­la­to­ry frame­works on lia­bil­i­ty for abu­sive con­duct online. When I was chased off Twit­ter some months ago by a mob of hate-trolls, I could­n’t hold Twit­ter itself liable for the con­duct of its users. Their “right” to be dicks is pro­tect­ed.

Schneier’s con­cept of hold­ing device man­u­fac­tur­ers respon­si­ble for when a hack­er crim­i­nal­ly mis­us­es their prod­ucts to cre­ate hav­oc would turn this prin­ci­ple on its head. It would place the onus for pre­vent­ing ille­gal activ­i­ty on mak­ers, rather than the crim­i­nals. There is some prece­dent for doing this in a lim­it­ed way — peo­ple have sued cell­phone man­u­fac­tur­ers for traf­fic deaths, and there’s a move­ment to remove the shield that pro­tects gun man­u­fac­tur­ers from being sued by shoot­ing vic­tims — but to pre­tend like such a regime would not be extra­or­di­nar­i­ly dis­rup­tive to the tech­nol­o­gy indus­try is sim­ply dis­hon­est.

The call for (inter­na­tion­al) reg­u­la­tion pos­es sim­i­lar issues. It is an easy thing to call for — just like, as with his exam­ple, envi­ron­men­tal reg­u­la­tions — but the con­se­quences of such a call are vast. Secu­ri­ty researchers like Schneier are rou­tine­ly up in arms about how flim­sy the gov­ern­ment laws are about com­put­er secu­ri­ty — the poor phras­ing of the Com­put­er Fraud and Abuse Act, the inad­e­qua­cy of bureau­crats keep­ing pace with bleed­ing edge cryp­tog­ra­phy research, and so on. And his solu­tion is to make that even more per­va­sive, by hav­ing the gov­ern­ment reg­u­late the secu­ri­ty on your DVR.

It’s true that this is a domes­tic solu­tion to an inter­na­tion­al prob­lem and that there’s no U.S. reg­u­la­tion that will affect, say, an Asian-made prod­uct sold in South Amer­i­ca, even though that prod­uct could still be used to take down U.S. web­sites.

Again, as with estab­lish­ing lia­bil­i­ty, to call such a thing prob­lem­at­ic is to call the Death Star a paper­weight. I strong­ly doubt Schneier would be com­fort­able with the cur­rent majori­ties in the House of Rep­re­sen­ta­tives and the Sen­ate sit­ting down and com­ing up with a broad­ly applic­a­ble, yet con­stant­ly update­able, def­i­n­i­tion of what “secu­ri­ty” means in an IoT appli­ance. If he can think of legal word­ing to stip­u­late exact­ly how much secu­ri­ty is enough, and how to deter­mine secu­ri­ty is insuf­fi­cient, then he should be bring­ing that into the open.

Last­ly, Schneier relies on a bizarre log­i­cal con­struct in try­ing to nar­row the scope of how inter­na­tion­al these reg­u­la­tions would have to be.

If the Unit­ed States and per­haps a few oth­er major mar­kets imple­ment strong Inter­net-secu­ri­ty reg­u­la­tions on IoT devices, man­u­fac­tur­ers will be forced to upgrade their secu­ri­ty if they want to sell to those mar­kets.

This does not fol­low at all. The U.S. is not even remote­ly the largest mar­ket for cell­phones: Chi­na and India have between three and four times as many cell­phones as the U.S., and Brazil, Rus­sia, and Indone­sia have almost as many. With­in a very short peri­od of time, the IoT mar­ket for those coun­tries will look sim­i­lar, espe­cial­ly as prices con­tin­ue to drop. In what uni­verse is a com­mon reg­u­la­to­ry regime on device secu­ri­ty pos­si­ble between the U.S., the BRICs, and Indone­sia? And more press­ing­ly, why would a man­u­fac­tur­er not cre­ate a lux­u­ry “secure” ver­sion of a device for a wealthy, west­ern coun­try, and an inse­cure, cheap ver­sion of a device for every­one else?

Think of some­thing like the phar­ma­ceu­ti­cal indus­try: unlike Schneier’s fears that the inter­net is a life and death issue (yeah, not so much, not for a while yet), here is an actu­al life and death issue. Over a mil­lion peo­ple die every year from coun­ter­feit drugs, but that has­n’t stopped their spread because actu­al drugs are so expen­sive. How would a small reg­u­la­to­ry regime do any­thing about a glob­al prob­lem with these devices acti­vat­ing mas­sive bot­nets?

The real­i­ty is, gov­ern­ment reg­u­la­tion is not the answer. You can­not mean­ing­ful­ly reg­u­late sound device secu­ri­ty, when you can’t even do it with web browsers or oper­at­ing sys­tems. More­over, an inter­na­tion­al regime is not only imprac­ti­cal, but at a basic lev­el impos­si­ble to enforce and actu­al­ly ver­i­fy. The solu­tion to pre­vent­ing future mas­sive DDoS attacks on the inter­net’s back­bone is going to come from some­where else — the cat is already too out of the bag with con­sumer devices.

joshua.foust
Joshua Foust used to be a foreign policy maven. Now he helps organizations communicate strategically and build audiences.