21st July, 2015

Cory Doctorow gave a very interesting speech recently at the Personal Democracy Forum (hosted by my friend Andrew Rasiej).  He spoke about the “Internet of Things” (IoT) and the risk that Internet-connected devices could be hacked (or programmed by their OEMs) to do things that a user might not want them to do.  Specifically, he highlighted the danger of regulations like the Digital Millennium Copyright Act (DMCA) that prohibit users from modifying the software running these devices; regulations that, he suggests, might not only prevent the constructive modification of connected devices but might actually increase the likelihood of successful hacking of these devices by unsavory types.  I highly recommend you watch it (it’s 20 minutes but worth it), and am embedding it here.

To provide a scary hypothetical example, imagine that hackers broke into your home security device and started watching your home through its camera.  They might just watch, which is creepy enough, or use the data to perpetrate an actual burglary while disabling the device.  Obviously, an OEM would put in place security safeguards to prevent such hacking, but those safeguards are only as good as the security team at the particular OEM.  Unlike with open protocols and open source software, the broader developer community (“white hat” hackers, with their greater collective capabilities) would be locked out of the effort to secure and improve these devices.  Nefarious (“black hat”) hackers, however, would not be likely to observe the relevant legal restrictions on modifying the software running IoT devices.  The fact that any black hat could try to hack these devices while many white hats would stay away in observance of regulations like the DMCA creates a potentially dangerous mismatch of development talent in the war to secure IoT devices.

And that is only the security problem; it says nothing of the missed opportunity to improve the functionality of these devices through the development efforts of coders outside the OEMs.

I agree with Cory that these rules are problematic for the reasons he states.  And I think his suggestion to support the Electronic Frontier Foundation is a reasonable one.  I am somewhat optimistic, however, that the market may provide a solution here.  Over time, open systems have tended to win out over closed, largely based on the relative functionality of the two systems.  Open platforms enable more innovation and, ultimately, better products.  As Cory points out, they can also be more secure, at least in the long run (though some might disagree).  As such, I think that we may ultimately see that Cory’s dystopian future is avoided not through legislative change – or at least not only because of such change – but because the market demands more open IoT systems.

For now, we can at least all look for opportunities to support, through our purchase behavior and otherwise, products that leverage open IoT hardware and software.

