How do you decide which phone or smart light bulb you buy? You may look at its features, design, price, and possibly compare it to other similar products if its an expensive product. But how do you judge the durability of any internet connected product? It’s not like its written on the box or price chart — but maybe it should be.
Would you buy a 200 USD phone or a comparable 205 USD model if you knew the more expensive version would receive software and security updates longer than the cheaper option? An informed customer would probably opt for the phone that gave them the most value for their money — possibly a phone model that would receive updates for two years longer than the competition. Do you really want to be buying a new smart phone every year to get the latest software features?
Today, customers have no idea how to ascertain how long an internet connected product will receive critical updates. Manufacturers don’t make any commitments or guarantees for how long their product is expected to work. You can pick up a smart light bulb in a store today that has a security vulnerability that is known to the manufacturer, and yet never receive a security update for the product. If you pick up a similar product from another manufacturer, the vulnerability would be patched the minute it connected to the manufacturer’s update servers. The trouble is: customers has no way of knowing which product will continue working in two years.
Devices that connect to the internet, whether it be light bulbs or other Internet-of-Things devices, or smart phones, game systems, and laptops should be sold with best before labels indicating how long customers will receive updates for the device, including firmware and any bundles software. Such labels would empower customers do do better purchasing decisions which would benefit their personal economy as well as the security of the entire internet and help the environment by reducing waste. That is a lot of benefits from a single label.
We need legislation to get manufacturers to commit to providing software updates. I don’t want legislation that limits innovation or puts an undue burden on manufacturers. However, requiring them to put a sticker on the box saying “Best Before ” and having them commit to “provide timely updates that resolves security and stability issues” isn’t really asking all that much. It would require device manufacturers to rework their contracts with component vendors to provide firmware updates, and software vendors to provide updates for the device until at least a given date sometime in the future. Manufacturers could put any date they want on the label, however this would create an incentive to label products with Best Before dates long into the future as a competitive advantage.
Online retailers could present this Best Before date as yet-another-metadata field per product, or just include it in the product description. Again, this is not a unreasonable requirement. Online retailers already fill in hundreds of metadata field per product to make them searchable for customers and to help them manage inventory.
This all sounds fantastic! But what kind of updates do you expect to see? From a legislation point of view, all I’d like to see is a requirement to commit to providing “security and stability updates” — meaning proactive updates to security, fixes for known security vulnerabilities, and updates required for the product to remain operational — within “a timely fashion”. Project Zero, a security research incentive by Google, has already set the industry standard for how long software vendors have to fix security updates: 90-days after being notified of a security vulnerability.
If a manufacturer fails to provide updates before the product has expired, then it would be considered a contract breach and a breach of the sales contract. This would open the manufacturer for lawsuit by consumer protection agencies as well as customers. Local legislation would probably vary quite a bit on this point, but needless to say: the legal landscape would be difficult for manufacturers who played loosely with the security of their devices.
I’m really hoping some consumer protection agency somewhere in the world will follow up and push through on this idea. We’re creating an enormous technological security debt for the internet with outdated and insecure devices that are hijacked from their owners and used in botnets. Customers need to be able to make informed purchase decisions to get the most value out of their money, and the internet needs legislation to help ensure devices that connect to it remain secure — at the very least for a few years after purchase.