That’s literally one of the jobs of government, to step in when the private sector does not regulate itself well enough to protect consumer interests. It’s not about wanting the government to step in, it’s about having no other recourse.
Do you think companies are going to choose "security" issues wisely? Do you have an actual solution that doesn't involve government, doesn't have the companies deciding themselves, and that the general public can do?
The past decade has seen an explosion in software being put and used everywhere. With that comes an explosion of bugs that are exploited. Literally hundreds of millions of people have had all their shit stolen from numerous services that have a laissez-faire approach to application security. It's like getting into an automobile accident; you're basically guaranteed to get into at least one in your lifetime. If you've used the Internet, private data of yours is virtually guaranteed to be leaked by at least one service you use.
I'm not a fan at all of excessive government overreach, but the private tech sector is utterly incompetent at policing itself because a) they don't give a shit, and b) no one is holding them accountable enough (you could argue shareholders should, but there's rarely an impact to bottom lines when security breaches happen). The only thing that will make them care is an impartial 3rd party that can force them to care.
They don't need to. For example in the UK, goods sold need to be of "satisfactory quality" at the time of sale, and if in breach then the seller has to make it good for up to six years after sale, depending on the expected market lifetime of the product.
Something like that is all that's required in primary legislation.
What is missing is a finding that a sufficiently severe security vulnerability present at time of sale falls short of the expected standard. The general concept could be enforced by a court ruling setting precedent or by still quite generic legislation.
Finally it would be up to the courts to decide on a case-by-case basis what constitutes "sufficiently severe" in specific cases. That's no different to how everything else in law works.
You pack a lot of fallacies into one sentence! False dichotomy, bogeyman with the bonus of scare quotes. Mandating security updates for some amount of time after a product is sold isn't 'legislators defining security issues'.
Google has already addressed the issue with Android One. Android One certified devices are guaranteed at least two years of security updates. Most of the manufacturers already have such devices available.
No, that's not strong enough. It should be indefinitely (or the owner has a right to damages) UNLESS the entire spec and interface of a device is completely, comprehensively, and publicly documented from the silicon up, and the device must either lack software integrity checking or it must be fully under the owner's control (e.g. purge the OEM public key, replace it with his own). This should apply to all products containing microprocessors and software to execute, and should apply to burned-in ROMs too (since that software in ROM should be user-writable/replaceable, this should discourage the use of burned-in ROMs). This should apply to the end product, so the whole car, TV, washing machine, vacuum cleaner, cellphone, game console, Intel CPUs and chipsets, etc., must have their microcontroller interfaces and specs fully and publicly documented, or damages could be awarded later once exploits appear. This should tamp down on IoT for fridges and can openers too, as what OEM wants to either document IP xor expose themselves to potentially unlimited civil liabilities.
"Do you really want legislators deciding what is and is not 'reckless' driving?"
Yup!