MP Kees Verhoeven wants EU to regulate the Internet of S**t
Vendors don't care, so government should step in
The Democrats 66 (D66) party, currently in opposition in The Netherlands, hopes it can legislate insecure stuff away from the Internet.
The suggestion comes in a multi-part initiative put together by MP Kees Verhoeven, who also wants The Netherlands to fund a local threat analysis capability and a national cyber security centre, and look at vendor liability for bad software.
As Verhoeven's paper (here in Dutch) says, with “locks, bridges, factories, teddy bears, toothbrushes, thermostats, refrigerators, CAT scanners, watches and heart rate monitors” connected to the Internet, security can't be left to consumers.
He also notes Internet of S**tTM device makers are collecting and sometimes selling users' personal information “without explicit permission or without consumer choice”.
In a proposal that will send chills looking for spines in the wild-west of Internet of S**tTM startups, Verhoeven says consumers should be able to turn off unwanted data transfers from their devices (presumably without bricking a thermostat, door-lock or WiFi teddy bear).
Verhoeven argues that consumer electronics have to pass fire safety standards, and wants something similar for the Internet of S**tTM: certification and standards for devices, covering things like encryption, requirements for default passwords, software patches, security alerts, and user instructions.
Such a structure would have to be created at the European Union level, he adds, and there should be a public register of vulnerabilities and breaches.
Software developers get harsh words for not paying attention to quality, and not patching vulnerabilities quickly enough. While allowing that “software is never 100 per cent safe”, Verhoeven writes that bad software practise “is a form of negligence”, and suggests “the government should investigate the best way to control software liability”.
Users need education, the paper says, but they also need comprehensible privacy statements from vendors (Good luck with that – Ed).
“The user must be actively informed before he emphatically can give consent,” the paper says, and the European Privacy Directive has to be enforced on Internet of S**tTM devices.
Compared to the privacy, security and liability proposals, the idea of an independent National Cyber Security Centre (NCSC) is unremarkable. Since institutions like hospitals are ill-equipped to keep up with infosec, he wants an NCSC to give them a helping hand. ®