(no title)
encyclic | 2 years ago
By volume and impact, what devices have IoT vulnerabilities? If from large mfrs, you might expect some measure of support as that would be somewhat in their best interest, if only to preserve their brand image. My concern would be low quality, usually cheaper, whack-a-mole mfrs that come and go on Amazon, eBay, etc. Even if they release a product that would fall under these guidelines, how are you going to go after a ghost?
Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?
SimingtonFCC|2 years ago
Great points. From one perspective, we can't afford to do this stuff; from another, we can't afford not to. If connectivity makes your life a little easier for little risk, that's one thing; if your dishwasher steals your identity and sells it online, that's another.
My concern would be low quality, usually cheaper, whack-a-mole mfrs that come and go on Amazon, eBay, etc. Even if they release a product that would fall under these guidelines, how are you going to go after a ghost?
Another great point, but that's a snapshot of the market as it is now. We expect certain standards from some things but not others, depending on how much you depend on them, how much is at risk, and what the costs would be. Right now, under the proposal, a company is 100% free to say "I will support this for 0 days and you expect it to ship broken from the factory" -- it's just that they actually have to say that out loud.
Also, what happens when an IoT mfr is acquired, does the acquirer assume all the IoT risks as well?
I expect this to be a hot topic on the record. We'll see what technologists, manufacturers, consumer advocates, etc. say and try to come up with a proposal addressing stated concerns.
ncallaway|2 years ago
Most other liabilities are inherited during an acquisition. I don't see a good reason for this to be an exception.
It would encourage acquirer's to do much more strict due diligence in this regard, which will have a natural pressure to clean up the behavior of manufacturer's that plan to seek a future exit.
Any exception to liability here seems like a get out of jail free card, for all new manufacturers seeking an exit to behave extremely badly. It also opens the door to corporate shell games, where as soon as a liability is discovered it gets acquired by a thin parent entity to dissolve that liability. I'll leave a comment to that effect as well, but it absolutely seems like this liability should survive an acquisition.