In this day and age, the word “hacking” – whether it be uttered in hushed tones, echoed along with “Russians” and “election,” referred to as a software bug harming your laptop, or simply brought up by your computer science friends describing their latest project – seems both routine and distant. To hear of hacks is not a novelty, but to feel their repercussions within one’s own home has been considered unlikely. What many might be surprised to learn, however, is that it is likely that they have been housing hackers for years. “Smart” devices, despite all of their conveniences, are in fact conduits for behavior and cyber activity that are the antithesis of the ethically “smart.”
As the name might suggest, smart devices are devices with Internet connectivity that allow a degree of consumer-device interaction: the Internet, for example, is what puts the “smart” in “smartphone.” Obscure objects of our imagination only a decade ago, smart devices have increasingly permeated our lives and lifestyles. As a result, our homes are becoming littered with smart devices that alleviate burdens or create a less stressful and more low-maintenance living environment. Formerly mechanical appliances such as thermostats, refrigerators, washing machines, and baby monitors now all boast fancier features through a connection to the World Wide Web.
Though this apparent ease, accessibility, and intuitive environment may seem attractive, smart devices, in their short existence, have already proven to be especially prone to hacking and security breaches. This can take many forms, from simple “trolling” to extremely serious transgressions, such as data or identity theft. Regardless, hacking and the use of the Internet as a vehicle of attack is relatively uncharted territory as far as codified protections are concerned. Although there are some regulations regarding children’s usage of certain websites (generally social media), the market of smart devices (frequently referred to as the “Internet of Things”) has remained a regulation-free domain. However, due to the enormous uncertainty regarding the safety of these products and the unprecedented security threat of hacking, it is necessary that the US government, and governments around the world, adopt commonsense, baseline regulations regarding the purchase and marketization of smart devices. These regulations can help promote the safety of their citizens and prioritize their well-being over economic profit and unchecked growth.
Unlike other highly contentious portions of the document, the Constitution’s duty to “provide for the common defense” is hardly up for debate. This provision was originally envisioned, of course, with military threats in mind, but the face of America’s newest invading force has drastically changed. Granted, the dangers of hacking are more ambiguous and less tangible than a human threat – no raging army is clamoring up America’s shores waving spears – but the danger is no less real, and demands government protection of its citizens.
When Donald Trump discusses his beloved “extreme vetting,” he doesn’t have smart devices in mind. However, perhaps these devices’ less visible nature makes their surveillance more necessary than the human beings that have been the targets of his administration’s policies. After all, the enormous power of computers allows for the single-handed destruction of massive swaths of literal and figurative territory: a faster paced, more lethal weapon than ever produced previously by mankind. An October 2016 attack on Domain Name Servers (DNS) virtually froze Internet access on the East Coast and was described as “someone attacking [a] phone company and burning all the phone books at the same time.” The attack was so serious that it garnered a White House response, and investigations later found that hackers used “mirai” malware, accessing household smart devices, to commit the attack. Household devices were especially prone to this hacking due to consumer-oriented marketing and branding that have sacrificed security for user-friendliness. As companies seek to market smart devices that are accessible and user-friendly, security features become less complex; setting up passwords and data protection accounts are, after all, seen as drudgery by most, and can often dissuade consumers from purchasing a certain product.
In November 2016, the United States Department of Homeland Security released a statement claiming that “securing the Internet of Things has become a matter of homeland security.” In light of the potential involvement of Russia in the 2016 election, officials are as cognizant as ever about the threat that smart devices pose. Virginia Senator Mark Warner, a member of the Senate Intelligence Committee and co-founder of the Cybersecurity Caucus, has articulated his belief that everyone – private citizens and government alike – should “up [their] game” to make sure devices are protected against hacking. Lawmakers’ articulations have underscored the importance of consumer and citizen involvement in cybersecurity and have steered away from any sort of sweeping government regulation. But actions sometimes speak louder than words, and US policy has avoided direct intervention on the consumer end of things, instead focusing on underlying software and computer mechanisms, which are more closely tied to aspects of production. This strategy is akin to the military stocking up on arms and provisions but never training soldiers how to use them. The market is a two-sided mechanism, and a problem cannot be solved by one party alone. While securing networks is obviously of great importance, for the majority of the population (who are not particularly familiar with IT and cybersecurity), the jargon used by officials is distant and unfamiliar. While consumers are being told that networks are being strengthened, they are rarely given relevant information and see no tangible effects of the changes in their own lifestyles. What’s more, issues with smart devices typically arise after their production. A network can’t be breached if it hasn’t been created yet.
Moreover, the recent allegation that the CIA has been spying on Americans through their televisions and other smart devices using a system named “Weeping Angel” underscores the necessity of informing consumers of the true capabilities of their devices and the possible implications of ownership. The paradox here is of course that the government has justified this unique form of surveillance in the name of national security – a contentious assertion. Regardless of how they feel about the morality of this endeavor, however, consumers have a right to know that this window into their lives exists in the first place.
The banning of a talking doll has introduced a new method of dealing with the threats posed by devices featuring internet connectivity: blatant market intervention. The German government, under direction by the Bundesnetzagentur (Federal Network Agency), banned the “My Friend Cayla” doll after the agency found the “smart” doll’s Bluetooth connection to be especially susceptible to hacking of recorded conversations, violating basic ideals of privacy. Now, German children are no longer able to purchase the toy because of its potential risk, despite the fact that there has been no official confirmation that such an act has happened (although some watchdogs have dubiously claimed that the data recorded have been sold to Nuance Communications, a firm that works with governmental agencies).
Such a bold step by a federal government – outright banning a product from stores’ shelves – is relatively unprecedented in the technological sector, which is usually seen as the future of the modern economy. But the concept of a ban of smart devices is not new: such bans have previously been implemented within much smaller domains. British Prime Minister Theresa May made headlines last year when she prohibited smart devices from being used in her cabinet “due to concerns that they could be hacked by Russian spies.” Apple watches, thus, play no part in British politics.
Germany’s nationwide policy and Britain’s practice at 10 Downing Street rest upon the notion of vulnerability. Whether attacks have been prevented by the reduction of device connectivity will never be known; these, after all, are preventative measures. While it is likely that they have been effective in protecting privacy and ensuring cyber safety, it is also important to note that such responsible government intervention is not likely to extend beyond the confines of Europe. The European Union, for example, has banned over 1000 dangerous chemicals from being included in cosmetic products while the FDA has taken such steps with only nine in the hopes of not restricting economic productivity, growth, and profits. As a result, millions of Americans apply makeup every day that in Europe has been considered toxic to their health. The United States, in short, has continuously jeopardized the health and safety of its people in favor of big business.
An outright, a preventative ban on risky smart devices is thus, unfortunately, unlikely in the US, due to both the nation’s free-market system as well as consumer prioritization. Most customers would be hesitant to see the markets manufacturing devices that play a crucial role in their daily lives become smaller and more restricted. But the recall system offers an alternative. Typically applied in the context of health, recalls should be a readily-employed action and regulatory measure in the smart-device sector. The existing recall structure within the FDA features varying degrees of consumer recalls, depending on the amount of health risk posed by a product. The “Thomas & Friends” toy train recall in 2007 due to lead poisoning was, for example, a voluntary recall. Although one could argue that cyber-security technically falls within the realm of “health” and thus that of the FDA, politicians have affirmed the place of cyber security within the Department of Homeland Security. Thus far, the tech industry has conducted its own recalls, as with Samsung (not the government) recalling the infamous fire-prone Galaxy Note 7. It is time to move beyond independent corporations – who are inherently motivated by profit – and implement a similar consumer-based recall network and system within the Department of Homeland Security.
The obvious counterargument to such a proposal would be that simply relying on the informed consumer while veering away from devices that seem risky or especially prone to security breaches could prevent an attack. If “smart” devices seem unappealing, or if one wishes to remain off the grid, ideally one would have the choice to abstain and avoid the risks of modern cyberspace completely. But this sort of autonomy or separation from the fast progressions of technology is quickly fading. All vehicles sold in the United States since September 2014, for example, have been legally required to feature Event Data Recorders (EDRs). These smart devices know everything about who you are, where you’ve been, and, most likely, a host of other pieces of information – and where that data is going is also unclear. The legal requirement that appliances as necessary and commonplace as cars feature Internet connectivity signals that the integration of smart devices into our daily lives is becoming unavoidable. Experts have estimated that, by 2020, there will be 30 to 50 billion internet-connected devices in the world. With a predicted global population of 7,758,156,792, this would see 3.8 to 6.4 devices per person, on average.
Whether a ban is necessary, or whether consumers should simply be well-informed and briefed prior to purchasing a smart device, is a matter of debate that depends on one’s position on the scope of governmental reach into the economy. In the US particularly, the federal government is generally hesitant to touch the economy, but more than willing to intervene in situations of national security. This new intertwining of consumerism and security complicates matters, particularly on a philosophical scale: The visibility of a threat does not determine its severity. This debate also foreshadows a future in which previously rigidly separate aspects of society become connected, and previously-held conceptions of security and privacy must be reconsidered.
While strict regulation in the US might be a long-shot (though something to strive for), providing resources for consumers through a robust recall system and possible database that can be referenced prior to a potentially-dangerous purchase, is achievable. A database of the cyber health of a smart device should be as readily available as the nutrition facts of a meal on the FDA website prior to a gourmet indulgence. Consumers should no longer be left in the dark. It’s time for the government to learn from the devices that have made it subject to cyber terror and get smart.