Securing the Internet of Things through Class-Action Lawsuits

This law journal article discusses the role of class-action litigation to secure the Internet of Things.

Basically, the article postulates that (1) market realities will produce insecure IoT devices, and (2) political failures will leave that industry unregulated. Result: insecure IoT. It proposes proactive class action litigation against manufacturers of unsafe and unsecured IoT devices before those devices cause unnecessary injury or death. It’s a lot to read, but it’s an interesting take on how to secure this otherwise disastrously insecure world.

And it was inspired by my book, Click Here to Kill Everybody.

EDITED TO ADD (3/13): Consumer Reports recently explored how prevalent arbitration (vs. lawsuits) has become in the USA.

Posted on February 27, 2020 at 6:03 AM • 16 Comments

Comments

Curious February 27, 2020 8:05 AM

I just wanted first to write this: I can see how a wifi enabled gas grill/stove will go badly together with a wifi enabled live burning candle. 😐

Btw, I read the other day that US Boy Scouts of America org has sought to declare bankruptcy, because of lawsuits. I guess that won’t stop people being boy scouts though.

I wonder what possible strategic goals (anything “strategic” necessarily achievable things) could be sought with a class-action lawsuit, and how that compares to US state for invoking all kinds of sanctions imposed on businesses, representatives and individuals (I could only come up with these three forms of entities). And, if, such, also, could lead to laws that for example forbid or criminalize manufacturing, sales, ownership, conspiracy and/or distribution of certain products or services? Or are class-action lawsuits only about money?

Perhaps telling and very problematic in ways, would be any clear or indicated sentiment in how courts even consider a reaction against a bad product/service. I.e “slap on the wrist” vs draconian sanctions vs forgiveness vs ignorance vs bias (special interests) vs immunity (general) vs indemnification (specific).

I think I’ve read that Microsoft and other businesses became indemnified by US government from being subject to lawsuits re. state surveillance and peoples user data. Not 100% sure this is so, but I think I read about that some time ago.

SwashbucklingCowboy February 27, 2020 8:36 AM

I’m skeptical this would work in practice without changes to the law that are unlikely to be made, at least at the federal level.

Not too long ago a case against Symantec due to allegedly foreseeable vulnerabilities was dismissed by a US federal court because the plaintiff could not articulate any actual harm caused by the vulnerabilities.

Clive Robinson February 27, 2020 8:50 AM

I vaguely remember the US fast food industry started to get hit by legal action from customers driven to court by ambulance chasing lawyers…

I also vaguely remember that the fast food industry leaned on legislators to stop such law suits.

Thus I suspect two things will happen,

Firstly those selling IoT devices in the US will extend the idea of “leased not owned” by the customer and that the customer will be required to first arbitrate in “Wales, Alaska” or some such under a set of rules that would be at best prejudicial to the customer. I remember Michael Dell’s wheeze with customers, who were trying to get his shoddy goods fixed, which was to sue them in some court in the middle of nowhere last thing on a Friday afternoon.

But I suspect ultimately the trick with IoT will be “one product hardware companies”. That is, you set up a company, develop a product in it, produce a hundred thousand boxes, take out the profit in various ways, then kill the company off via insolvency or some such, so that it pays its –phoney debts– by selling off its IP etc and ends up with maybe a couple of hundred dollars in the bank, which is just enough to close it out. Then when somebody comes along there is nothing to claim against.

As we know with Amazon, another trick is to make “front end hardware” that is critically dependent on “backend servers”; turn the servers off and the hardware product is now useless.

Such processes can be abused in so many ways legally and transnationally that by the time the courts get going the money, IP and liability are long long gone, across multiple national borders. Thus any action will be at best pyrrhic.

Fred P February 27, 2020 8:54 AM

While this is an interesting proposal, unless the ability to file class action lawsuits is protected by law, all that’s likely to happen is that writers of terms of use for IoT devices will add an arbitration clause.

Footnote 350: “The feasibility of these potential class actions is not evaluated with respect to statutes of limitation, arbitration clauses, or other fact-specific concerns.”

tz February 27, 2020 10:42 AM

I don’t think it is possible.

The first problem is if you want to go outside the overpriced ecosystem (Apple might do licensed lightbulbs and thermostats, but they will cost as much more as their earphones do), you will be dealing with popup Chinese companies that simply rebrand stuff and send them here with the same defects. You can sue the shell company here, assuming you can find the proper legal entity to serve, but then when the next hop is in China?

A parallel might be the problem with microSD cards that are counterfeits – often they will take a 32Gb and reprogram it to say it is 256Gb, some copy the coloring and say something like “SunDisk” instead of “SanDisk”. Others just counterfeit everything. If you can find a way to stop that (and Amazon can’t seem to), maybe you could stop defective IoT products.

Beyond that, what is “secure”? Requiring two factor for everything? We can’t even get people to stop reusing passwords. The whole problem is cost, both monetary and in convenience. If I could provide a completely secure system (HomeMCU by the Market-ticker.org guy), but it would cost several times as much because I wouldn’t be reselling your data, and I’d be doing pen tests and bug bounties, would the people on the next block who know nothing about computers buy it instead of the cheap whitebox version that is literally plug and play (without any security) and costs 1/5th?

Would people spend the extra thousands of dollars in parts, labor, and insurance when they are used for all the airbags and other safety devices in the cars if they were optional? If your insurance didn’t pay for the repair, would you just remove them and not replace them?

Phaete February 27, 2020 12:37 PM

It reminds me of the saying “if all you have is a hammer, every problem looks like a nail”

Yes it will have effect to some degree but it won’t have enough ‘critical mass’ on its own.

Next to Clive’s points, I would like to add some other roads already wandered.

  • Name/Word play: We have now a whole range of health products, from CBD to mushroom extract, from valerian tea to ginseng tea, vitamins A through whatever, but all marketed as “Food additives” so they don’t have to go through the most rigorous testing.
  • The lease not owned model will extend to product as a service model, your IoT device will be cloud guarded for a premium price.

My conclusion:
Let them do what they do best, which is (ab)use the law to its fullest extent to get what they want, and if they currently want better IoT security, I will cheer along the way (this time).
But it won’t be enough and we need more initiatives to gain critical mass to make enough of a difference.

Some underlying rules/laws about selling insecure devices wouldn’t hurt either, let them lobby against corporations to provide counter pressure.

Phaete February 27, 2020 12:47 PM

Oh, and please no seals of approval, certificates of excellence, badges of security, striving to excellence, prioritising device security expectations or other homegrown logos with feel good words that are empty promises.

Lawrence D’Oliveiro February 27, 2020 1:55 PM

It would be lawyers proposing such a thing, wouldn’t it? Because class-action lawsuits are such a lucrative operation for them. A typical scenario would be something like 100,000 plaintiffs winning a 10-million-dollar settlement. After the lawyers get their cut, each plaintiff ends up with something on the order of $50.

lurker February 27, 2020 3:45 PM

Things a bit slack over at legal? This can only be a make-work scheme for lawyers, both those pushing the “damages” suits, and those tightening their “Terms of Service”

vas pup February 27, 2020 3:46 PM

I don’t think that is the solution. The better way is to adopt a NIST standard which requires (as I stated multiple times on this respected blog) a HARDWARE operated kill switch in all IoT, so the user, not manufacturer, provider, LEAs, hackers, foreign ICs, is in charge of your IoTs which you buy to serve only you, not all those listed before.

@EvilKiru – BINGO! You are absolutely right.

@Bruce:”It proposes proactive class action litigation against manufacturers of unsafe and unsecured IoT devices before those devices cause unnecessary injury or death.”
WOW! That is something really new in changing mentality in security regardless of the remedy suggested, i.e. drop the mentality of a fire command working primarily on mitigation without developing a wide view on the threat, but prioritize prevention – aka be proactive. But you know, the law was/is usually working after, and technology should and could work before. That is a good move, but we will see.

Uhh, dude ... February 27, 2020 6:54 PM

the role of class-action litigation … proactive class action litigation against manufacturers of unsafe and unsecured IoT devices before those devices cause unnecessary injury or death.

Oh, great!

  1. Pay off the college loans of recent law school grads.
  2. Restrict consumer choice with respect to IoT and other computing devices on the market.
  3. Strengthen and further enforce DMCA and other already draconian legal protections for corporate “Intellectual Property” on consumer devices.

Now what else do you want?

@Bill van Eck

unplug the IoT cr*p and throw it away.

Much more economical not to buy it in the first place. Lessons learned and all that.

MrC February 27, 2020 11:27 PM

Eh, Bruce, that’s not a law review article; it’s a student note. The difference being that articles are authored by law professors (or occasionally judges or practicing lawyers) with specialities aligning with the journal’s theme, while notes are written by the student editors of the journal. Generally speaking, notes are not regarded as particularly authoritative, since the author has little experience as a scholar, no experience as a lawyer, and no law degree or bar admission yet. However, on very rare occasions a student note proves so insightful and well-researched that courts may cite to it.
