New UK product security law won't be undercut by rogue traders upping and vanishing, government boasts

Britain's plans to force internet-connected device vendors to declare legally binding product lifespans won't be easily evaded by shell companies, the government has told The Register. After the Product Security and Telecommunications Infrastructure (PSTI) Bill was introduced to Parliament last week, some questioned whether …

  1. elsergiovolador Silver badge

    Laugh

    So to get around this you just have to find a patsy to act as a director. At best he or she will get extended all inclusive holiday at one of HM resorts.

    In other words, what does this "product security law" actually bring to the table?

    Seems like it will make it more expensive for SMEs and usual suspects will get around it just fine.

    1. Anonymous Coward

      Re: Laugh

      A DCMS spokesman told us: "UK regulators are experienced in dealing with rogue traders and these new laws don't just cover distributors but also manufacturers and importers, which will lead to a reduction in the number of insecure products on the market."

      The same has been pretty much true of EMC compatibility laws for the past 25 years and it has not and does not stop utterly non-compliant products reaching the UK. Similarly for basic electrical safety on knock-off products, such as phone chargers.

      1. Dan 55 Silver badge

        Re: Laugh

        Yeah, well. There also has to be a bit of enforcement, something that the UK is not too good at lately.

        If anyone ever wanted to get rid of dangerous cheap electrical tat at reassuringly western prices, the UK would be the place to do it right now.

        1. Yet Another Anonymous coward Silver badge

          Re: Laugh

          >Yeah, well. There also has to be a bit of enforcement, something that the UK is not too good at lately.

          Didn't we just send a gunboat to show those orientals ?

    2. Peter Prof Fox

      Real person not needed

      Anyone following the shambles that is the regulation of shell companies and LLPs in Private Eye will know that no checking goes on.

      1. Missing Semicolon Silver badge

        Re: Real person not needed

        I'll believe they will go for the officers of a company when they start going for the officers of companies with GDPR failures.

  2. Pascal Monett Silver badge

    Taking a local hostage

    Well yes. It's not cynical, it's perfectly normal. In a world where Zuckerberg is free to ignore repeated pleas and demands for making his cash cow more palatable to the concept of morality, it is obvious that one way to make that bastard focus on the issue is to drag the local CEO muppet in front of the beak and make him sweat.

    Add a bit of inside pressure to the outside pressure that apparently does nothing at all to His Zuckyness.

    And you can put the name of any multinational conglomerate that has a high presence on the web and no stores anywhere in the same basket. Right now we are under the influence of American companies, but nothing says that China, India or even Russia could not, one day soon, have an outrageously successful app on the Internet that is used the world over. When that day comes, we won't have more influence over the makers of that product than we have now over Facebook.

    That is not acceptable when the risk is (young) people being stalked or abused.

    1. Yet Another Hierachial Anonynmous Coward

      Re: Taking a local hostage

      If I am not mistaken, the US courts put the US directors of Volkswagen in prison for their part in the consumer fraud that was dieselgate, whilst the European directors got off with a slap on the wrist or less. International global companies and their CEOs should be held to account wherever that tradename is used or represented.

      1. ThatOne Silver badge

        Re: Taking a local hostage

        > the US courts put the US directors of Volkswagen in prison [...], whilst the European directors got off with a slap on the wrist or less

        That's normal, Volkswagen is European. If it had been a US company, it would have got a slap on the wrist in the USA and prison in Europe...

        1. Yet Another Anonymous coward Silver badge

          Re: Taking a local hostage

          So any directors of Aliexpress store314159 that live in the UK better watch out ?

  3. Phones Sheridan Bronze badge

    "will be enforceable against UK-based directors and officers of shell or shadow companies."

    So ne'er-do-wells will do a Facebook, and have no UK-based directors or officers.

    Current Facebook UK officers

    1. Yet Another Anonymous coward Silver badge

      But IIRC Google, Facebook, Amazon, Apple and Microsoft do no business in the UK. All the sales occur

      in Narnia

  4. Boris the Cockroach Silver badge

    We need more laws

    More than the consumer rights act that says that items sold must be fit for use?

    So if the software inside said item is bollocks and has a default password of 1234, then the item falls outside the fit for use bit of the aforementioned act.

    But then we all know the fun and games that begin when we buy a 2nd hand car from a dealer and it has a fault "they're all like it m8", "I cant hear the noise", "drives ok when we tested it", "Its outside the legal 30 days to fix it time", and of course the final "Ok ok we'll fix it but you'll have to pay for it" when presented with a MOT failure notice from another garage.....

    So I don't see any of the IoT tat brigade actually doing anything apart from taking the money and running, and given that the legal profession seems to move slower than a dead sloth (apart from when it's chasing an unpaid bill), it would take 5 yrs for any legal action to come to a conclusion

    1. Yet Another Anonymous coward Silver badge

      Re: We need more laws

      There should definitely be more laws, in fact the laws should be so strict that only the likes of CISCO has the infrastructure to meet them. Then we could have a choice of one $1000 home router.

      Anybody else remember the days when you could buy a 300baud modem from BT and that was the only approved modem you were legally allowed to use ?

  5. alain williams Silver badge

    When the shell company implodes ...

    what then ? End users have kit that is vulnerable. OK: the importers are liable, what can they do ? The source code for these things will prolly not be in escrow so they cannot be patched, even if it was and if (big if) it is possible to patch & build a working image from the code - how do they get it on to end users' kit ? These things are often set up to get patches from the makers' machines - which are no longer there.

    Should the importers be made to buy the kit back ? Even if this happens many end users will not want to due to the hassle involved.

    This needs much more thought.

    1. ThatOne Silver badge

      Re: When the shell company implodes ...

      Thought has nothing to do with it.

  6. JohnG

    I would have thought that most of the products arriving in the UK likely to be in breach of these rules would be arriving direct from foreign suppliers (mostly in China), sold via online markets such as Amazon, Ebay and Aliexpress. All of these platforms currently sell numerous products in breach of existing British rules and legislation, apparently with little oversight or interest from the authorities or the online platforms concerned e.g. mains appliances sold with plugs that don't comply with BS 1363. All of these regulations are toothless without a body in a position to enforce them. Trading Standards appear to be overwhelmed.

    1. Doctor Syntax Silver badge

      What's worse section 55(11) of the Bill seems to have been written in terms which will exclude them. By the look of it it would have been intended to exclude finance companies but I can see how online market places will at least argue that they fall under the exclusion.

      What's needed is legislation that recognises a gatekeeper role and makes the gatekeepers responsible.

    2. alain williams Silver badge

      Trading standards

      > Trading Standards appear to be overwhelmed.

      Trading standards has seemingly had most of its funding pulled, so there is little that they can afford to do.

    3. Yet Another Anonymous coward Silver badge

      re: I would have thought

      And that Sir is what disqualifies you for a role in government.

  7. sitta_europea Silver badge

    A long time ago I had extended correspondence with my MP and the Minister responsible for Trade and Industry about the problems I faced from Phoenixing.

    For some years I was suing about one company per week for non-payment of bills issued by my small (partnership) business and I thought that this ought to be stopped - the directors of these fly-by-night companies never had the personal liability that I, as a partner in a firm, had for business debts.

    The Minister was clear in his arguments that there was nothing wrong with the existing legal system and nothing needed to be done about it.

    He might have had a point, because a year or two later he was sent to prison.

    1. Blofeld's Cat Silver badge

      Bad debts ...

      "For some years I was suing about one company per week for non-payment of bills issued by my small (partnership) business ..."

      I sympathise with you deeply, having just gone through something similar myself.

      In my case one of a particular company's ex-employees* explained that the company concerned was having cash-flow problems and the boss had simply decided not to pay invoices below a certain value.

      This was on the cynical basis that it would cost their supplier more to start legal action than the value of their invoice, and most small firms would simply write off the money instead.

      When (as in my case) they received legal papers, they simply apologised for their oversight and paid up before the case was heard.

      * There were several redundancies once the furlough money stopped.

    2. Anonymous Coward

      Of course the solution they came up with was the creation of a new company structure, the "Limited Liability Partnership".

  8. Howard Sway Silver badge

    rogue traders will find it harder to sell substandard products

    Hilarious. Are they even aware of what goes on on Amazon and Ebay? They're like a digital Del Boy cheese dream, just perfect for any fly-by-night crap merchant.

    1. ThatOne Silver badge

      Re: rogue traders will find it harder to sell substandard products

      The important thing is not to do something, but to be seen doing it.

      Obviously this can't (and won't) be enforced, but the general public will think they're on the ball.

    2. Paul Crawford Silver badge

      Re: rogue traders will find it harder to sell substandard products

      Make the store front liable?

      Going to be tricky but eBay and Amazon might clean up their act if they have to fund the fix/replacement for anything they handled.

      Overseas supplier? Make Visa/Mastercard pick up the tab if the store front does not pay. Very quickly they will stop selling to the UK which would be a victory of sorts, given how crap most IoT stuff is in the first place. At least less landfill for future generations.

      1. Anonymous Coward

        Re: rogue traders will find it harder to sell substandard products

        > Going to be tricky but eBay and Amazon might clean up their act if they have to fund the fix/replacement for anything they handled.

        Don't they already?

        Everything you buy from Amazon, you pay Amazon. Your contract is with them. I've heard of people saying Amazon fobs them off, but is this legally correct?

        1. SImon Hobson Silver badge

          Re: rogue traders will find it harder to sell substandard products

          Depends.

          If you buy from Amazon, then your contract is with Amazon.

          If you buy from a seller in Amazon's marketplace, your contract is with the seller and Amazon is just an intermediary. It's a bit like a car boot sale - you find a stall selling something you like, buy something, and the contract is between you and the stallholder - nothing to do with the people organising the boot sale. The only difference is that Amazon has provided a way for you to do business without meeting and handing over bits of fancily printed paper.

  9. Fonant

    No default admin passwords?

    I hope they mean "no fixed default admin passwords", rather than "no password by default for admin access".

    Applying a random default password which is also printed onto a sticker attached to the device is probably the most sensible way forward.

    1. Boothy Silver badge

      Re: No default admin passwords?

      Quote: "Applying a random default password which is also printed onto a sticker attached to the device is probably the most sensible way forward."

      Random just means some formula is used to generate the password.

      Can't remember the company, think it was a mainstream home router from one of the larger Internet providers, Sky or BT maybe. A few years back they had a random password set. Turned out to be a formula that used the MAC address as a seed, as someone reverse engineered it. Once that got out, all the routers were basically pwned till an update was pushed out.

      "no password by default for admin access" generally means you have to set one on first login, this can typically be forced on users by the device not being fully usable till they've set the password.

      For example a home router/modem when first switched on, could be blocked from the Internet till activated, which would involve connecting via Ethernet or a temp wifi connection, enter a new password for admin, and another for the wifi (with option to change the SSID at the same time). Then the temp wifi account is disabled, with proper wifi now active, and Internet is connected.
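The two approaches discussed in this sub-thread, as an added example that is not part of any comment: a sticker password that is a function of the MAC address is reproducible by anyone who learns the MAC, whereas one drawn from a CSPRNG is not, and a first-boot flow can keep the WAN closed until the owner sets credentials. The derivation formula, the class and function names and the 12-character minimum are hypothetical, not any vendor's real scheme.

```python
import hashlib
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
MIN_LEN = 12  # assumed minimum length, not a figure from the thread

def mac_derived_password(mac: str, length: int = 10) -> str:
    """Weak pattern (hypothetical formula): a pure function of the MAC address."""
    digest = hashlib.sha256(mac.lower().encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:length])

def factory_random_password(length: int = MIN_LEN) -> str:
    """Per-device sticker password drawn from the OS CSPRNG, tied to no identifier."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class FirstBootRouter:
    """No default password: WAN stays blocked until the owner sets credentials."""

    def __init__(self) -> None:
        self._admin_salt = secrets.token_bytes(16)
        self._admin_hash = None
        self._wifi_set = False
        self.setup_wifi_enabled = True  # temporary setup network

    @property
    def wan_enabled(self) -> bool:
        return self._admin_hash is not None and self._wifi_set

    def activate(self, admin_pw: str, wifi_pw: str) -> None:
        if len(admin_pw) < MIN_LEN or len(wifi_pw) < MIN_LEN:
            raise ValueError("password too short")
        if admin_pw == wifi_pw:
            raise ValueError("admin and Wi-Fi passwords must differ")
        # Store only a salted, stretched hash of the admin password.
        self._admin_hash = hashlib.pbkdf2_hmac(
            "sha256", admin_pw.encode(), self._admin_salt, 200_000)
        self._wifi_set = True
        self.setup_wifi_enabled = False  # setup network is torn down

if __name__ == "__main__":
    mac = "aa:bb:cc:00:11:22"  # constructed sample MAC
    print("MAC-derived, reproducible:", mac_derived_password(mac))
    print("CSPRNG, differs per call: ", factory_random_password())
    router = FirstBootRouter()
    print("WAN before setup:", router.wan_enabled)
    router.activate(factory_random_password(), factory_random_password())
    print("WAN after setup: ", router.wan_enabled)
```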

      1. Anonymous Coward

        Re: No default admin passwords?

        How would a remote scanner grok the MAC in the first place?

        1. Strahd Ivarius Silver badge

          Re: No default admin passwords?

          Rather easy with a few commands or Wireshark.

          If I am not mistaken the same routers had a default Wifi SSID that also used part of the physical address for its name, and the password was also guessable using that name.

          1. Anonymous Coward

            Re: No default admin passwords?

            A remote scanner would not have access to the LAN!

  10. Detective Emil

    "Things" fall apart; the server can't be polled

    Some industry sources [suggested] the regulations [could] set a standard that was too high or costly for IoT device importers and vendors to meet.

    Oh, good. No possibility of buying crap that hardly interoperates now, and won't operate at all in the future.

    1. john 103

      Re: "Things" fall apart; the server can't be polled

      Nice use of WB Yeats!

  11. DS999 Silver badge

    They have to "declare" the lifetime?

    So nothing stops them from saying "we will provide security updates until Dec. 31 2021" and if you buy that product on Dec. 2 2021 that's on you whether you should care or not?

    Even if they intend to support it longer it seems like it would be in their best interest to lowball the figure, given that 99% of consumers won't care about this because 99% of consumers don't know why they should care about this like Reg readers do.

  12. HildyJ Silver badge

    Laws, regulations - got those

    Enforcements, not so much.

    The day I see an Interpol arrest warrant for Zuck, I'll agree times have changed.

  13. Anonymous Coward

    chromebooks etc.

    At least that is something good that Google does already. It's very clear on ALL chromeboxes and chromebooks when their software support expires. You get many years for your buck.
