California dreaming could bring in “reasonable security” for smart devices

California has just passed a couple of new laws that could raise the default security standards for smart devices – if the US Federal government will let it. The new IoT legislation was signed into law by Governor Jerry Brown on September 28.

Let’s be reasonable

The new privacy-conscious legislation mandates that smart devices sold in California come with “reasonable security features.” This, as defined in the law, would include either a pre-programmed password unique to each device or a feature which requires new users to authenticate themselves when first using the device. With these requirements, the new law sets a low, minimum starting base for regulating smart devices. It excludes medical devices which are already covered by specific regulations for data protection.

Smart device manufacturers have until 2020 to be in compliance with the law. The law will cover all devices sold or offered for sale in the State of California.

Unreasonable to have no security

Currently, there are no security minimums for smart devices hooking up to the internet. This combination of no security standards together with a huge flood of insecure devices hitting the market has led to a global problem. Hackers have enlisted insecure devices to build botnet armies and run DDoS attacks which have knocked out sections of the internet. Given the lack of a regulatory structure, investigative IT journalists have made their own “name and shame” lists of patently insecure devices and their manufacturers.

It is only your personal data

In addition, the raft of legislation also amended some of the rough edges in the California Consumer Privacy Act of 2018 (CCPA). CCPA was a 50 shades of regulation lighter variant of the EU’s GDPR legislation. It was designed to let Californians know what personal data was being collected about them, which companies were collecting it, and why it was collected. As with the GDPR, it allowed consumers to view their personal data in a “readily usable format,” request the deletion of personal files, and keep their personal data from being resold. However, the law was seen as being both inconsistent in its data handling criteria and also watered down by interests maneuvering to protect their online business models. In particular, data brokers felt threatened by the law.

The amendment cleared some of this confusion up by restricting what would be considered personal information and making some exceptions for the data collection by businesses subject to other privacy regulations such as banks, insurance companies, and credit reporting agencies.

While many privacy advocates such as Electronic Frontier Foundation (EFF) are not enthralled by the new or amended laws, they are a start. As Richard S. Eisert, Partner at Davis & Gilbert LLP stated, “California continues to take the most active role of any state in regulating privacy and imposing obligations on businesses. With the upcoming January 2020 deadlines for the CCPA and the proposed IoT law, business should continue – or begin, if they have not already done so – their efforts to comply.”

The Feds strike back

The US Federal government – and an army of industry lobbyists – are worried by individual states moving to regulate portions of the internet. Having a patchwork quilt of regulations on data privacy and net neutrality would make it more difficult for businesses such as Google, ISPs, and data brokers to conduct their businesses. California is a special threat due to the state’s size and also its history of setting regulations that become a de facto standard across the USA, for example with automobile emissions.

In late September of 2018, the Senate Commerce Committee started with its hearings on consumer privacy. As the EFF has pointed out, the committee is only listening to the big boys (Amazon, Apple, AT&T, Charter Communications, Google, and Twitter); no one is there representing the consumer. In addition, two major industry groups (the Chamber of Commerce and the Internet Association) have called for the federal government to preempt state laws with federal ones.

The fear of the EFF is that the Federal government and the FCC are listening more closely to the opinions of businesses than consumers and that the move to create a Federal standard is an attempt to preempt states such as California from coming up with a stronger regulation on devices and user privacy on their own. As the EFF stated, “a uniform law is only a good alternative if it’s actually a good law—not a weak placeholder designed only to block something stronger.”

As a PR Consultant and journalist, Frink has covered IT security issues for a number of security software firms, as well as provided reviews and insight on the beer and automotive industries (but usually not at the same time). Otherwise, he’s known for making a great bowl of popcorn and extraordinary messes in a kitchen.