back to article MP Kees Verhoeven wants EU to regulate the Internet of S**t

The Democrats 66 (D66) party, currently in opposition in The Netherlands, hopes it can legislate insecure stuff away from the Internet. The suggestion comes in a multi-part initiative put together by MP Kees Verhoeven, who also wants The Netherlands to fund a local threat analysis capability and a national cyber security …

  1. big_D Silver badge

    Finally someone in politics talking sense?

    But putting in such controls will only improve the lot of consumers in the EU. It probably won't stop cheap devices with vulnerabilities being sold in other countries, outside the EU.

    1. Anonymous Coward
      Anonymous Coward

      I doubt

      it will stop the sale of them inside the EU either.

      Oh look, a web cam with WiFi certification to say its been "secured". Yours for £100.

      oh look, a clone from china with no such (or fake) certification. Yours for £39.99

      Guess which one 99% of the populace will buy?

      1. Doctor Syntax Silver badge

        Re: I doubt

        Can we stop and think sensibly about this?

        How many chip sets/software images are involved here? Not many, I'd expect. Vendors are wanting to take advantage of economies of scale. Small manufacturers don't generate their own economies of scale. They achieve it by buying in from large scale manufacturers who are selling components, including software, to all their competitors. Once the software is updated to take into account security requirements it can be sold on the same large scale just as effectively.

        Look at things from the manufacturer's point of view. Making a product using version A of the software will result in lots of grief. A shipment could be seized in customs on import. Everything else in the container gets held back for checking. The manufacturer gets grief from the shipping agent who might well refuse any more shipments from him because he's getting grief from the other manufacturers who had stuff in the same container. Market places such as eBay and Alibaba (who, don't forget, are looking to set up a data centre business in the EU) won't allow the product to be sold through them. He might find other routes to a smaller fraction of the EU market but with higher costs or even simply stop selling to the EU. Competitors selling version B would have no such problems.

        Does the manufacturer have any particular attachment to version A? Does he have some predilection for selling illegal stuff? Of course not. He just wants to sell as much stuff as possible as profitably as possible and if that's achieved by selling version B like his competitors are doing that's what he'll do too. No point in saddling himself with something that puts him at a disadvantage before he's even shipped the stuff out of the factory.

        Now look at things from the software vendor's point of view. Version A has properties which cut him out of customers selling to the EU - and no doubt other markets will follow. A version B wouldn't. The volumes he's selling would spread the additional cost of developing version B very thinly. He could, of course, try to increase his profits and sell version B at a price which would force his customers to raise their prices. If, however, he has competitors competition will keep the price down. If he has no competitors and tries boosting the prices he'll soon find he's acquired some.

        Now let's go back to the manufacturer again. He can ship version B of the software for the EU market (and any other market which follows suit) and version A for markets that don't care. Why would he? Having two product lines where one would do is just extra cost. Why bother? Come to that, why should the S/W vendor keep supplying version A?

        The object of regulation and enforcement doesn't have to be complete detection of every infringing product. It simply has to be to make it more profitable to sell the non-infringing product.

        1. Anonymous Coward
          Anonymous Coward

          Re: I doubt

          It simply has to be to make it more profitable to sell the non-infringing product.

          Maybe, but think you're forgeting about option C. A vendor doesn't want to pay licensing fees for either software A or B, so he gets some chinese students to hack together a version C that is functional but plays fast & loose with all the rules, and lets him sell at 50% the cost of the competition. He sticks a CE mark on it, and dumps thousands of boxes via hundreds of otherwise legitimate sellers on ebay and Amazon marketplace. No-one has the time or money to test the boxes, and if they get complaints ebay might ban one or two sellers, but they'll be replaced by more in a week or two.

          It's the same problem that exists with market traders. We all know that 90% of the tat they have on their stalls on a Saturday morning is counterfeit or made in some asian sweatshop, but they still manage to sell it, and even if the authorities raid one market every week it's only a drop in the ocean.

          The reality is that it won't be more profitable to sell the non-infringing product.

    2. tfewster
      Facepalm

      True, so vendor has 3 choices:

      1) Lose the EU market.

      2) Develop a secure product for the EU, and continue to sell the slightly cheaper version elsewhere until stopped by legislation or lawsuits.

      3) Develop a secure product, embrace economies of scale and social responsibility, help bring about world peace, ... damn, it sounded sensible to start with.

      1. Charles 9 Silver badge

        Or

        4) Stick to the gray markets where nothing's concrete enough for the law to reach.

        1. Doctor Syntax Silver badge

          "4) Stick to the gray markets where nothing's concrete enough for the law to reach."

          Did you ever answer my question in another thread about these grey markets you keep going on about?

          How do they grey market vendors contact the customer? They're not employing people to wander the streets to sidle up to punters saying "Wanna buy some hookey cameras? Come round the corner and I'll give you an address" are they?

          They're advertising. They're selling through the likes of eBay. If you take note you'll find that eBay has a legal presence in Luxembourg. Luxembourg is inside the EU. They can be made amenable under legislation if they start advertising illegal stuff.

          Then there are the customers themselves. If they're inside the EU they can also be made amenable for using such kit.

          Enforcement of regulation doesn't need to be complete. It just needs to be good enough to give a competitive advantage to legal products. Why make an illegal product when a legal one is more profitable? That's all the difference you have to make.

          1. Charles 9 Silver badge

            "How do they grey market vendors contact the customer? They're not employing people to wander the streets to sidle up to punters saying "Wanna buy some hookey cameras? Come round the corner and I'll give you an address" are they?"

            Depending on the country, YES THEY DO. I've BEEN to some such countries.

            As for enforcement, eBay may be in Luxembourg NOW, but they have PLENTY of other locations. The trick with pressuring a multi-national (like the big oil companies) is that they can always threaten to pull up stakes. How do you explain to your citizens why their tax revenue is now in another country? That's why shipping lines never flag in a first-world country. They gain too much from the loose regulations than they'd ever lose flagging elsewhere. Same here. The costs savings by playing fast and loose and fly-by-night are worth more than any inconvenience they'd get by having to move once in a while. You're basically fighting with free: as history as shown us, it's hard to beat free.

            1. Stoneshop Silver badge

              eBay/Amazon

              As for enforcement, eBay may be in Luxembourg NOW, but they have PLENTY of other locations.

              For various reasons, eBay, Amazon and their ilk will want to have a presence within the EU. Luxemburg is one of the preferred locations for such a presence, for tax reasons. Moving out of Luxemburg to another EU member doesn't make much sense, and moving their EU presence out of the EU is out of the question, obviously.

            2. Doctor Syntax Silver badge

              " eBay may be in Luxembourg NOW, but they have PLENTY of other locations."

              Yes, to trade in the EU they have plenty of other locations in the EU.

              Companies wanting to do a lot of business in the EU need to have a legal presence in the EU. So upping sticks from Luxembourg isn't going to help them get round EU legislation.

              If they have a choice between the problems of trying to do without that base and ensuring their traders are trading legally it'll be no contest.

          2. Stoneshop Silver badge

            Did you ever answer my question in another thread about these grey markets you keep going on about?

            I don't expect you'll get one. Charles9 just sticks to various incantations of "regulation won't work" combined with utterances of "China has nukes". As if turning your target market into a radioactive wasteland will somehow not affect your trade balance.

            Either a troll or a dimwit And maybe both..

            1. Anonymous Coward
              Anonymous Coward

              I don't expect you'll get one. Charles9 just sticks to various incantations of "regulation won't work" combined with utterances of "China has nukes".

              Could we please stay with a normal form of debate which is about arguments and counter arguments, not about the people involved? I suspect we'll get plenty of your style of debate when Trump is inaugurated but it's not very productive in itself.

              1. Charles 9 Silver badge

                What I'm saying is that you can't count on regulation in a market that basically lives on working AROUND regulations. A market that acts like an ooze: try to corral it and it just finds a crack, lifts it, and escapes through it.

                And as for the "China has nukes" angle, it boils down to saying it's no use trying to dictate terms to China. They have 1 1/2 billion people, plenty of goods, plenty of know-how, and the means and mentality to force the issue if necessary (they're Far Eastern, a region whose philosophy tends toward Death Before Dishonor). Why do you think so many countries are starting to get chummy with China? They've got most of the cards.

                1. Doctor Syntax Silver badge

                  "What I'm saying is that you can't count on regulation in a market that basically lives on working AROUND regulations."

                  The market is about making money. If there's more money to be made in following regulations than getting around them they'll follow regulations.

                  There are a shedload of ways to make that happen.

                  Did you read this: http://www.theregister.co.uk/2016/11/22/eir_customers_modems_vulnerable/ ? They can enumerate the defective modems in Ireland and the ISP networks they're on. If the regulations oblige the ISPs to ensure that any non-compliant devices are not exposed how easy is it going to be sell them? It becomes more profitable to sell compliant stuff than non-compliant stuff.

                  Maybe there are individuals who want to trade illegally because it's illegal rather than because it's profitable. OTOH in 14 years in forensic science I encountered one case where it seemed possible that that was the situation but I'm not wholly convinced. Most people just want the money.

                2. Stoneshop Silver badge
                  FAIL

                  And as for the "China has nukes" angle, it boils down to saying it's no use trying to dictate terms to China. They have 1 1/2 billion people, plenty of goods, plenty of know-how, and the means and mentality to force the issue if necessary

                  China wants to make money. If that takes certifying tat to be able to sell it in Europe, they will. Of course, they'll prefer to "certify" it, but sooner or later that stuff will get largely weeded out. Also, uncertified grey market stuff will only be part of total idIoT sales anyway.

                  And about those 1.5 billion Chinese, maybe the more relevant metric is the purchasing power they have, compared to 450 million Europeans.

                  Your point, as you're stating it now, is not particularly strong, and expressing it as you did as "China has nukes" is utterly opaque. Someone who until recently visited China regularly, overseeing the manufacturing of electronics, considered it totally ludicrous.

                  1. Charles 9 Silver badge

                    "China wants to make money. If that takes certifying tat to be able to sell it in Europe, they will. Of course, they'll prefer to "certify" it, but sooner or later that stuff will get largely weeded out. Also, uncertified grey market stuff will only be part of total idIoT sales anyway.

                    And about those 1.5 billion Chinese, maybe the more relevant metric is the purchasing power they have, compared to 450 million Europeans.

                    Your point, as you're stating it now, is not particularly strong, and expressing it as you did as "China has nukes" is utterly opaque. Someone who until recently visited China regularly, overseeing the manufacturing of electronics, considered it totally ludicrous."

                    China wants control more than they want money. It's just that the latter is the safest way to the former. But if they have to spend some to get more control, they'll do it. That's what happening with all those "goodwill" projects. They're plunking down to gain beachheads.

          3. Anonymous Coward
            Anonymous Coward

            contagion and herd immunity covers the basis nicely.

    3. Anonymous Coward
      Anonymous Coward

      It's a start plus they won't make one device for the EU and one for everywhere else.

    4. Anonymous Coward
      Anonymous Coward

      I think the idea has merit. You won't stop idiots importing stuff that is badly secured, but it does establish a mechanism to get a handle on it. I see this in the same way as the kite mark: you know that a device which doesn't have it may not be sold because it might burn down your home, and when it does, the insurance will laugh at you for giving them a way out.

      The only real challenges are to stop this from becoming a mechanism for protectionism and for overcharging customers for it in the way modems were a locked up business once for telcos (if you don't know what a modem is, look it up in an IT history book :) ).

      1. LDS Silver badge

        IMHO in the EU there is enough antitrust legislation (and lack of manufacturing capacity) that it would be very difficult to use such provisions to enforce some kind of monopoly.

        For overcharging customers, just look at how it works well in the smartphone space - without any protectionism...

        Worried people will buy the €39.99 gray market item instead of the €99.99 one? Just slap a fruity logo (or any other fashionable brand on it) and people will happily buy the €299.99 or €399.99 one.

      2. Anonymous Coward
        Anonymous Coward

        I see this in the same way as the kite mark

        .. which is more or less the concept in the "Solutions" part of the paper: 6.2 talks about a kite mark approach, and the potential to simply add to the existing infrastructure for it (which is frighteningly unusual for a political paper: it doesn't ask for new pork).

        Unusually good paper. Not quite complete, but a good starting point for both debate and a possible solution.

        1. Phil O'Sophical Silver badge

          Good idea, but will it make it past the beancounters?

          At the end of the day, though, this will only work if there's a regulator with the power to enforce the rules, and the money to fund a testing lab to verify self-certified devices. Since there's no sign of this for any of the other things covered by a CE or Kite mark I wouldn't hold my breath waiting for any EU authority to sign off on that budget item. Perhaps national agencies along the lines of the German TUVs would have more success, if national parliaments can be persuaded to fund them.

    5. joed

      every stick has 2 ends. Just wait till they regulate login to Internet (China-like). Then everyone will be safe and soundmuted.

  2. Anonymous Coward
    Anonymous Coward

    The global internet was nice while it lasted, but we can't have internet-of-shit devices phoning home to America willy-nilly.

    Smart governments will go for extreme localisation of citizens data. It's literally the only way.

    1. Charles 9 Silver badge

      How will they enforce it when data can cross borders so easily even China has trouble?

  3. Anonymous Coward
    Anonymous Coward

    It's Internet of Tat

    Hence the IoT acronym

  4. Mark 85 Silver badge
    Alert

    Damn... color me surprised. A legislator who seems to know what he's talking about when it comes to IT stuff. Or at least some IT stuff... Still.. who knew?

    1. Anonymous Coward
      Anonymous Coward

      Yes, I was impressed too.

      I'm going to ping him an email - there are some gaps in his proposal that I reckon are worth addressing (although my Dutch is a tad rusty :) ).

      1. imanidiot Silver badge

        Almost any Dutchman under the age of 50 speaks decent English, especially those with a university education. So you can probably just shoot him an email in English.

  5. LDS Silver badge

    "consumers should be able to turn off unwanted data transfers"

    No, no, no!!

    Consumers should be able to turn *ON* unwanted data transfers. Explicitly. After being forced to change the default password, and after having to re-enter the new password to accept the data transfer.

  6. TeeCee Gold badge
    Facepalm

    Useless.

    As usual, this looks at the problem and completely misses what it is. It doesn't matter one jot what security one of these things comes with. The only thing that matters is how quickly it will be patched when said security is compromised.

    The simple answer is, if you want to sell an IoT device in the EU you are required to post, up front, a bond to fund the provision of software security updates for it for a minimum of 10 years beyond its planned product lifecycle.

    That'd kill the problem.......and as a side effect would mean that anything that didn't really need internet connectivity never gets it.

    1. LDS Silver badge

      Re: Useless.

      If the quality of the patch code is on par with the quality of the default software, the idea they will plug holes for a while - while probably creating new ones -, is useless too. Especially if both the default software and the patches come with big holes easy to exploit for lack of proper skills and controls.

      They must be forced to start with a sensible baseline, and then ensure they fix those issues that are found.

      Sorry, but I wouldn't buy an oven (or a Samsung device) they will fix after it has burnt my house, or a car they will fix in case it lose a wheel while I'm driving, or a washing machine that blows up and they later fix with a "reinforced door" and a post-it to stay away while washing...

      In every device you do expect a level of built-in security out of the box.

    2. Ole Juul

      Re: Useless.

      "a bond to fund the provision of software security updates for it for a minimum of 10 years beyond its planned product lifecycle."

      Hmm, I tend to agree with your post generally speaking. But I guess I'm old fashioned enough that I don't want to go around and replace everything in 10 years. I've got enough stuff around here that wears out already. Said piece of IoT will probably last decades so I think it is wrong to throw it out after a few years if all it needs is new software.

      1. DropBear

        Re: Useless.

        "But I guess I'm old fashioned enough that I don't want to go around and replace everything in 10 years."

        Absolutely true. I wouldn't bother replacing a functional appliance after 10 years either just because it's "end of life". And yet, it's a certainty there will be no manufacturer in the world who will accept to support this year's model of whatever even for a decade - they just won't do it. And if anyone thinks they can just "legislate" them into it, hahaha, think again - they will do exactly just enough to comply with the letter of the law, and will find the minimum effort way to do it that will prove completely insufficient and useless in practice. Keep selling parts for older machines (if at all) is one thing, but absolutely nobody will keep poring over code rewriting it for ten years on absolutely everything they do. By the way - when, not if, the maker goes bust eventually will the employees be legally forced to keep coming to "work" for free for ten more years to support the model that just came out...? No...? Well then...

        What the solution is then, I can't tell you. But I can and do tell you that writing a decade-long support requirement into law will do precisely diddly squat.

        1. Long John Brass

          Re: Useless.

          Not that hard; When a device falls out of its support window the platform MUST be opened up for 3rd party firmware. No more lock in.

          Maybe force them to open-source the firmware & software payloads too?

    3. Daniel von Asmuth
      Windows

      Useless?

      It seems that one Ducth party has a plan that will connect the country to the Internet Of Things....

      Makes you wonder why they don't think the Internet Of Windows has security vulnerabilities or why those should not be legislated.

  7. David Roberts

    So a £5 light switch

    That has more broad reaching, comprehensive and longer term software support than a ₤500 mobile phone?

    I keep my mobile phone at home, it is a thing, and connects to the Interet.

    Can I have it covered by this legislation, please?

  8. EBG

    nice idea, but ...

    is the software industry capable of producing a secure product ?

  9. Anonymous Coward
    Anonymous Coward

    We need less IoT / Smart choices in the marketplace not more....

    * Freedom of choice to buy dumb basic devices is in the consumer's best interest...

    * But try telling that to IoT peddlers like Samsung who 5+ years ago made board level decisions to axe non-Smart-TV's & non-Smart-Fridge's etc...

    * Question: When you don't configure an IoT device with Wi-Fi router SSID / password, is it disabled from phoning home / being hacked? What about apartment complexes with nearby neighbors wifi routers w/o passwords...???

  10. Anonymous Coward
    Anonymous Coward

    We need less IoT / Smart choices in the marketplace, not more....

    * Freedom of choice to buy dumb basic devices is in the consumer's best interest...

    * Try telling that to Triple-A IoT peddlers like Samsung who 5+ years ago made board level decisions to axe non-Smart-TV's & non-Smart-Fridge's etc...

    * If you don't share Wi-Fi settings with an IoT device is it disabled / offline from phoning home / being hacked? Bad assumption if you live in an apartment complex with wifi routers w/o passwords...

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022