
Unstacking the deck

A couple of weeks ago, I was asked to talk to a workshop studying issues in decision-making in standards development organizations about why the consumer voice is important. This is what I think I may have said.

About a year ago, my home router got hacked thanks to a port deliberately left open by the manufacturer and documented (I now know) in somewhat vague terms on page 210 of a 320-page manual. The really important lesson I took from the experience was that security is a market failure: you can do everything right and still lose. The router was made by an eminently respectable manufacturer, sold by a knowledgeable expert, configured correctly, patched up to date, and yet still failed a basic security test. The underlying problem was that the manufacturer imagined that the port it left open would only ever be used by ISPs wishing to push updates to their customers and that ordinary customers would not be technically capable of opening the port when needed. The latter assumption is probably true, but the former is nonsense. No attacker says, "Oh, look, a hole! I wonder if we're allowed to use it." Consumers are defenseless against manufacturers who fail to understand this.
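The router story turns on a service listening on a port its owner did not know about. The page does not name the router model or the port, so the following is an added example rather than anything from the author or the manufacturer's manual: a small TCP connect-scanner in standard-library Python that reports which of a list of ports accept connections. The host, the port list and the throwaway local listener it scans are all constructed for the demonstration; to check a real router you would run `exposed_ports()` from a machine outside your own network against the router's public (WAN) address, because a listener on the WAN side is usually not reachable from inside the LAN at all.

```python
import socket
import threading
from contextlib import closing


def port_is_open(host: str, port: int, timeout: float = 1.0) -> bool:
    """Return True if a TCP connection to host:port completes within timeout.

    A refused connection and a timeout (packets silently dropped) both count
    as "not reachable" from the scanner's point of view.
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:  # ECONNREFUSED, EHOSTUNREACH, socket.timeout, ...
            return False
        return True


def scan_ports(host: str, ports, timeout: float = 1.0) -> dict:
    """Scan each port in `ports`; return {port: True if reachable, else False}."""
    return {port: port_is_open(host, port, timeout) for port in ports}


def exposed_ports(host: str, ports, timeout: float = 1.0) -> list:
    """Just the reachable ports, sorted: a quick 'what is listening?' report."""
    results = scan_ports(host, ports, timeout)
    return sorted(p for p, reachable in results.items() if reachable)


class DemoListener:
    """Throwaway local TCP service standing in for a device's management port.

    Constructed for this example only: it accepts a connection and drops it.
    """

    def __init__(self, host: str = "127.0.0.1"):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, 0))  # port 0: let the OS pick a free one
        self.sock.listen(5)
        self.host, self.port = self.sock.getsockname()
        threading.Thread(target=self._serve, daemon=True).start()

    def _serve(self):
        while True:
            try:
                conn, _ = self.sock.accept()
            except OSError:  # listening socket closed -> stop serving
                return
            conn.close()

    def close(self):
        self.sock.close()


def free_port(host: str = "127.0.0.1") -> int:
    """Pick a port with nothing listening on it (bind, read the number, release)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind((host, 0))
        return s.getsockname()[1]


def demo() -> dict:
    """Scan one live local listener and one closed port; return the results."""
    listener = DemoListener()
    closed = free_port()  # chosen while the listener is still bound, so it differs
    try:
        return scan_ports(listener.host, [listener.port, closed], timeout=1.0)
    finally:
        listener.close()


if __name__ == "__main__":
    for port, reachable in sorted(demo().items()):
        print(f"port {port}: {'OPEN' if reachable else 'closed'}")
```

Only a handful of ports are worth probing by hand this way; for a full sweep of 1-65535 you would use nmap, but the logic is the same, and the point for the router case is that a "closed" answer from inside your LAN proves nothing about what an attacker on the internet sees.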

But they are also, as we have seen this year, defenseless against companies' changing business plans and models. In April, Google's Nest subsidiary decided to turn off devices made by Revolv, a company it bought in 2014 that made a smart home hub. This is not the familiar case of a company ending support for a device that keeps working regardless, which is what "end of support" used to mean. Because the hub is controlled through an app, both the hardware and the software can be switched off when the company loses interest in the product. These are, as Arlo Gilbert wrote at Medium, devices people bought and paid for. Where does Google get the right, in Gilbert's phrasing, to "reach into your home and pull the plug"?

In August, sound system manufacturer Sonos offered its customers two choices: accept its new privacy policy, which requires customers to agree to broader and more detailed data collection, or watch their equipment decline in functionality as updates stop being applied, and possibly cease to function altogether. Here, the issue appears to be that Sonos wants its speakers to integrate with voice assistants, and the company therefore must conform to the privacy policies of upstream companies such as Amazon. If you do not accept, eventually you have an ex-sound system. Why can't customers accept the new policy if and only if they want to add the voice assistant?

Finally, in November, Logitech announced it would end service and support for its Harmony Link devices in March 2018. This might have been a "yawn" moment except that "end of life" here means "stop working". The company eventually promised to replace all these devices with newer Harmony Hubs, which can control a somewhat larger range of devices, but the really interesting thing is why it made the change. According to Ars Technica, Logitech did not want to renew an encryption certificate whose expiry would leave Harmony Link devices vulnerable to attack. It was, as the linked blog posting makes plain, a business decision. For consumers and the ecologically conscientious, a wasteful one.

So, three cases where consumers, having paid money for devices in good faith, are either forced to replace them or must accept being extorted for their data. In a world where even the most mundane devices are reconfigurable via software and receive updates over the internet, consumers need to be protected in new ways. Standards development organizations have a role to play in that, even if it has not traditionally been their job. We have accepted "pay with data" as the price of "free" online services; now "pay with data" is being attached to devices we have already paid for.

The irony is that the internet was supposed to empower consumers by redressing the pricing information imbalance between buyers and sellers. While that has certainly happened, the incoming hybrid cyber-physical world will upend it. We will continue to know a lot more about pricing than we used to, but connected software allows the companies that make the objects that clutter our homes to retain control of those items throughout their useful lives. In such a situation the power balance that applies is "Possession is nine-tenths of the law." And possession will no longer be measured by the physical location of the object but by who has access to change what it does. Increasingly, that's not us. Consumers have no ability to test their cars for regulatory failures (as VW's emissions software showed) or to know whether Uber is cheating the regulators or Uber drivers are cheating riders. This is a new imbalance of power we cannot fix by ourselves.

Worse, much of this will be invisible to us. All the situations discussed here became visible. But I only found out about the hack on my router because I am eccentric enough to run my own mail server: the spam my router sent caused an anti-spam service to blacklist my mail server, and my outgoing email bounced. In the billion-object Internet of Things, such communications and many of their effects will primarily be machine-to-machine and hidden from human users, and the world will cease to function in unpredictable, odd ways.

Illustrations: John Tenniel's Alice, under attack by a pack of cards.

Wendy M. Grossman is the 2013 winner of the Enigma Award. Her Web site has an extensive archive of her books, articles, and music, and an archive of earlier columns in this series. Stories about the border wars between cyberspace and real life are posted occasionally during the week at the net.wars Pinboard - or follow on Twitter.

