plaguepilled | 2 years ago
An important note: my suggestions would make many business models unviable. I see this as a win-win because I think that profiting on bad security is extremely unethical and should be illegal.
My requests are as follows:
1. It must be at least a 1-year jailable offence without bail to sell an IoT device that does not have the software and firmware 100% open source. This is the absolute minimum and allows end user auditing. Implementing anything else before this is meaningless.
2. The company must pledge to provide security updates for at least 5 years for any device they sell (if there is no sale, this should not apply).
3. For a security update to be valid in the eyes of the FCC, the update must be signed by an existing employee (accountability must be assigned).
4. If an IoT supplier wishes to aggregate data to sell to 3rd parties, this MUST be optional and it MUST be opt-in.
5. Vulnerability detection and registration must be handled by a 3rd party with a lodgement portal, and companies should have at most 1 month to patch it once the vulnerability has been lodged in the 3rd party portal. Failure to fix in time should accrue exponentiating fines.