Are companies responsible for the security of their digital services and products, and to what extent?
Updated on 05 January 2023
The IoT will remain insecure unless government steps in and fixes the problem. We’re unlikely to get any regulation forcing backbone companies to clean up either DDoS attacks or spam, just as we are unlikely to get any regulations forcing IoT manufacturers to make their systems secure.
This statement is a combination of an opinion article and a reflection in which Bruce Schneier, a public-interest technologist, explores internet security standards related to the internet of things (IoT).
Schneier’s concern is that the end user becomes responsible for security when companies do not build security within their systems, while companies do not feel that it is their responsibility to provide internet security for products they create, nor do they have any adequate incentives to do so.
Schneier's statement, which compares government involvement in the IoT sector on the one hand with spam and distributed-denial-of-service (DDoS) attacks on the other, feels like a non sequitur. The action that would need to be taken against spam and DDoS attacks calls for different approaches than a regulation imposed on IoT.
Different approaches to regulation
Firstly, spam is a content-focused nuisance that can lead to bigger consequences through phishing and malware, but it is not necessarily malicious. It is also possible that legitimate people and organisations have access to private information and use it. To combat this, the European Commission has adopted wider rules related to privacy which would also combat spam. However, combating spam through privacy rules gives competent authorities a mandate to intrude on privacy, since they are granted the powers to trace and prosecute spammers. This triggers a debate about the checks and balances on the powers of the European Commission and member states to access private information which may or may not be spam or malicious. To address spam, the focus is on privacy as a preventative measure, which would lead to better security. An alternative approach is to give competent authorities the powers to trace where spam is coming from and intervene with the actors directly, but this would lead to more surveillance.
Secondly, DDoS attacks are focused on internet infrastructure and are external malicious engagements that seek out specific systems. However, while companies do not prevent DDoS attacks, they do offer services that can monitor and interrupt hackers who seek to enter the system. These services are incentivised by a gap observed in the market. Therefore, while there is no government regulation requiring the monitoring and interruption of hackers, the market self-regulated to close this gap.
Safety and security
When it comes to IoT products that engage with the internet, companies have not been dealing sufficiently with the safety and experience of end users. Additionally, it is hard to define what ‘secure’ and ‘insecure’ mean. Generally, when we experience something as secure, we treat it as safe to use, i.e. it does not cause harm.
Nevertheless, we are now in the era of the ‘internet of everybody and everything’, where we can no longer consider only our personal safety when interacting with a product, but must also consider other parties who can interact with an item that we own. This can be as innocent as a friend automatically connecting to a Bluetooth product in their vicinity, or a malicious actor trying to access data by purposely connecting to a nearby Bluetooth product.
An acknowledgement of the impact of third parties on the security of IoT is a good start to having a progressive debate on how to address security and privacy. This moves conversations from reactive to proactive. Addressing the consequences of product design is frequently difficult, since users sometimes use a product differently than originally intended, which can have unforeseen consequences.
An example is the Facebook like button, which was meant to be used at a company scale to indicate interest and engagement. However, on an individual level, it became a tool for measuring popularity, which could then be monetised in the form of advertisements and sponsored engagements. Later this became an invasion of privacy, as society became more data-oriented.
A new approach? Impact of third parties by design
The impact of third parties on IoT security can be approached in the same way as ‘security by design’ or ‘human rights by design’, in which considering third parties in relation to product safety becomes part of the design process. The question is whether such a concept should be implemented by the government to elicit responsibility and liability.
Let us look at concepts that have shaped modern companies, for example, the concept of corporate social responsibility (CSR), where the company reflects on its impact on the community; and the concept of sustainability or the green economy, where the company reflects on its impact on the planet. These were partially shaped by public pressure, civil society activism, a changing society that was becoming more global and interconnected, and the concept of ‘trust’ (as a value in product development and organisational engagement).
In both cases, there was an interest from governments in setting goals for meeting specific standards and reducing harm. However, creating regulations is often reactive and based on how something has already impacted society. It is then difficult for companies to anticipate regulation in advance, especially smaller companies that are focused on their innovation rather than on the different forms of bureaucracy.
We should have more involvement from companies, and build an innate sense of responsibility by adding ‘impact of and on third parties’ to the existing concepts of ‘impact on community’ (through CSR) and ‘impact on planet’ (through sustainability initiatives). This would provide an incentive, based on innovation and technological prowess, to overcome puzzles that relate not only to the user but also to the third party, rather than a government-based penalising system.
While it is possible for governments to impose new standards on companies, it would be difficult for governments to keep regulating for user safety in the face of ongoing innovation, product development, and changing norms and standards. Government cannot design policy for products and concepts that do not exist at this moment in time.
Nadia Tjahja is a doctoral researcher at the United Nations University Institute on Comparative and Regional Integration Studies (UNU-CRIS) and the Vrije Universiteit Brussel (VUB) in Belgium working on the legitimacy of multistakeholderism in internet governance. She holds an MA in European Interdisciplinary Studies from the College of Europe in Natolin and a BA in Communication Studies from Vesalius College. She has recently received an Advanced Diploma in Internet Governance from Diplo.