This feels kind of like that.
A fishing sinker made from lead is pretty obvious when you see that warning. There's only one ingredient, lead, and it's obvious why it's harmful. But when you buy a complex product that says "this product contains chemicals known by the State of California to cause cancer or birth defects", the first thing I want to know is what the chemical is, the second is where it is in the product, and the third is why it's there. Nothing in the warnings makes manufacturers tell you any useful information.
I'm pretty interested in how much cadmium and mercury gets into my system because they're bad news for the brain. At the same time, mercury is also in air so it's kind of inescapable. Parts per billion is interesting information because then I can control how much I ingest the way I do for food that is fattening.
Then the print report would basically be a binder full of MSDS-like information sheets, along with the history of measurements recorded on the site.
Online, you could see the threshold levels for single massive exposure and for casual environmental or daily occupational exposures. And maybe enter your age, sex, and weight in kg, to see how likely it is that living in your apartment will kill you.
The generic warning is useless. It ranges from "last month someone found 30cm of thermal receipt paper with bisphenol-A all over it" to "someone once dumped a 55gal drum full of dioxin right into the soil where your vegetable garden is now."
They allowed one single, generic, disclaimer which every site pops up.
If they'd demanded:
- a separate disclaimer for each domain (or at least company) setting a cookie
- a description of the purpose of the cookies (e.g. advertising, remembering log-ins)
Then the law might have actually achieved something.
Basically, a cookie warning on a site means the site tracks you.
That people display the warning without specific knowledge of a hazardous substance is the fault of the California legislature for passing laws that provide perverse incentives to do that.
If a business could be held liable for posting the warning without a reason why, those warnings would not appear without reason. Ambulance-chaser attorneys perform a kind of arbitrage there, as private-party enforcers, like finding ADA violations at a non-accessible business and suing to force them to settle and make reasonable accommodations, or fight it, pay fines, and make reasonable accommodations. Or like the Florida folks that test their Sunshine Law against various municipal organizations. The munis are forced to settle and open their records, or fight it, pay fines, and open their records.
I guarantee there would be at least one person in California that would go around checking for warnings and asking for the MSDS reports on the hazardous materials on the property. I asked for an MSDS once, and the building manager just about lost his mind. I just thought I smelled toluene, and wanted to check to see if I was right. Their reaction made me think that maybe someone should have been suing someone, and they were just worried that it was going to be me.
As with any complex system, it's the squeaky wheels that get greased. More sensible laws would make California less an object of ridicule for other states. Indiana takes a lot of flak over the pi thing, and Kentucky and Tennessee occasionally get their "ice cream cone in the back pocket" laws waved around, but those are just silly artifacts of law. The California "causes cancer warning" law affects so many businesses, even those outside the state.
And these are places, not products...with gardens. Even if they use organic pesticides, they probably still have to put up the warning.
Therefore no people should be allowed to know?
For what it's worth, I'm not in favour of California's labelling requirements either. But just because something is meaningless to the majority of the population doesn't mean it's meaningless to the entire population. And it is specifically the population that is interested in knowing it that finds it least meaningless!
What would be more meaningful: certifications that act as abstractions for complex problems. Organic kind of acts like this already, and of course there are multiple federal certs for electronics. Having a functioning regulatory system as well as a working civil law system also help.
That's a completely actionable warning. Don't eat the contents of the battery of your cell phone.
Or how about "This carpet contains formaldehyde, which is known to cause birth defects in pregnant women. Limit exposure to this carpet for a few days after installation."
That's a good warning. That tells me what I need to know, what the risks are, and how to mitigate it.
We have to find a middle ground between "has chemicals that may cause cancer" and "a hundred specific chemicals in X quantities that may cause cancer." Abstraction is very necessary as a pragmatic solution, even if full disclosure makes sense as an ideal.
Heck, most places are just doing CYA, they have no idea what specific lists of chemicals their contractors use. For the IoT case, no one has any idea how their devices can be exploited, and merely admit the possibility of exploitation. But that is another issue.
If it is only harmful if ingested you know not to give it to your toddler. If it gives off toxic fumes while burning, well, stay away if you made a fire mistake. etc. The warning itself is pretty useless as it is.
Those places have products that contain the toxic chemical. An apartment building is not poisonous by itself; it contains products that contain the harmful chemical. That's what they should be warning you about.
That stuff is actually easy to track down is what I meant. It is the day to day stuff that isn't.
This is changing. But you still have the problem of over-reporting. There are provisions to verify that your use of the material is safe, but it's so much easier, and so much less risky, to just slap the label on.
Kid was born without defects.
It might feel like that, but it isn't. Everything causes cancer. Not everything needs to have an Internet connection to a service to function, not essentially at least. It's only these people looking to monetize or "h0ok all teh th7ngs up!!1!eleven!" that are shoveling crap that no one asked for, but everyone is too lazy to object to. I've got a pair of wireless earbuds, completely modern kickstarted project. They function not just without an Internet connection, but even without a paired device. You can load music onto them like an iPod (remember them? they didn't have to be connected to a cloud to have thousands of songs).
Good design is possible if you care; bad design is trying to shoehorn required "connectivity" into something that doesn't need it.
 - For certain values of everything.
Everybody uses their own homegrown solution, which depends heavily on the hardware they have to work with. This means that some companies get it right and many get it wrong. Yeah, the biggest problem is companies shoehorning connectivity to products, but the second biggest problem is that there really isn't a standard for securing that connectivity.
No. The real problem is that a device you bought requires internet access for no good reason, spies on you ("collects information") with no good reason, and becomes useless garbage once the company that sells it goes out of business or decides to terminate the product line or just grows to dislike you, all that for your lightbulb in the toilet to dim to the beat of played music.
For IoT to be useful at all, the devices would need substantial configuration possibilities, like where and with what protocol to send data to, or better yet, whom to allow to fetch data from the device. But this would be only for hobbyists, as the general public is not interested in tinkering.
Much as HyperCard, Excel, etc have allowed non-nerds to solve their own problems or scratch an itch, there is room in IoT for these people to tinker. They just need the right tools and framing.
Sidenote, those earbuds sound interesting. Could you point me to them?
Bragi's The Dash: https://www.bragi.com/thedash/
But ya, take out the internet connection, and no more problems. Take out the battery and the risk of fire/explosion also goes away.
Yes, that's true. What I'm saying is that not everything needs to be connected to the Internet, and requiring things to be connected to function fully is stupid and anti-consumer. By requiring the label on things that don't essentially need an Internet connection, it would allow those of us discerning consumers to avoid the crappy products.
> But ya, take out the internet connection, and no more problems. Take out the battery and the risk of fire/explosion also goes away.
The fire/explosion risk doesn't go away (power bricks have been known to cause fires). And electricity is essential to electronic devices functioning; Internet connectivity is not.
One exception might be the vibrator spyware "feature" which was clearly on purpose.
I took it more as a jab at the terrible software practices in this IoT goldrush than a serious proposal to add actual warning labels to their packaging.
Technically, the sign wasn't wrong, but come on California...
In some areas "this product not for sale in CA" is a marketable feature. On small engines it means it's tuned to run well instead of minimum emissions. For gas cans it means you don't need three hands to pour from them. For riding mowers it means you don't need to go out of your way to engage several redundant safety mechanisms in order to operate it (In addition to reasonable safeties like a seat switch and shifter that can't easily be bumped).
I can't think of one off the top of my head but I'm sure there's equally "pants on head" consumer safety laws about things other than garden/lawn equipment and/or in states/countries other than CA.
(BTW, this post is the cliff notes of a conversation I had with my coworkers at a tech company, so it's not like we're a bunch of hicks complaining that the guards on our saws prevent us from fitting oversized blades.)
If you were around when the air quality in LA was almost as bad as what we are seeing now in places like Beijing, you might agree with some of the provisions that were enacted (and were hugely successful at reducing pollution not only in CA, but elsewhere due to said "features".)
If you do have an area with known-dangerous substances, and don't put up the sign, you get hit with a penalty significant enough to hurt. If you don't have anything dangerous, but do put up a sign, nothing bad happens to you. So rather than actually check for what's there and put up the sign only when relevant, everyone errs on the side of "better put up the sign just in case".
What chemicals do you think have been included without scientific basis?
I got it home, opened the box, thinking I had a new watch!
Nope. You have to connect it to the internet and let it phone home first. It would not tell time, permit you to manually set the time, or let you explore that watch at all, until it spoke with its mothership.
I put it back in the box, and tossed it in the closet, and it’s still there, and now it’s completely unusable because the company collapsed.
If that counts as crazy, then lock me up, because I'm crazy too. I'll second everything you said, but I'm not so sure it's entirely ignorance - I believe a large number of people just don't care (which is ignorance of another kind).
OK, seeing we're talking IoT, what standard? Off the top of my head: MQTT, CoAP, HTTP/REST, SOAP? Those are just communication protocols. Now we still need to standardize the application data layer: JSON Schema, Swagger/OpenAPI, WSDL? And most of the time the vendor wants to own the application for their benefit. Also the classic xkcd of standards leading to more standards is so true.
As you mentioned, the problem lies with the general public's don't-care attitude. Hopefully there are enough who will try to educate and help their peers.
But a lot of us are going to learn the hard way how criminals used our IoT devices against us to rob us blind, and only then will change truly start to take place.
The general public doesn't care about freedom of press. Let's take that away. The general public doesn't care about elections. Let's take that away.
People use these self serving assumptions of ignorance to empower themselves. You have a ton of devices and things you use in your everyday life. Why should a doctor or civil engineer need to understand the details of software and hardware technologies to get value from it? Do all software folks understand the details of medical stuff or their home construction?
That's why you need regulations, so vague terms like the 'general public don't care' are not used to abuse them.
I wouldn't argue so much for standards of technology, as for standards of conduct. It's funny you mention doctors and civil engineers, two professions with high ethical standards precisely because they went through the same painful growth the software industry is going through now.
The 'general public', quite frankly, is ignorant about a great many things. And let's be honest: it is very rare indeed to be the kind of person with the aptitude, time and willingness to become a polymath to the point that you'll never be scammed in any field, ever. It is incumbent upon us, the knowledgeable and ethical practitioners of our field, to hold not just ourselves, but our whole industry to a higher standard. Thus, discussions such as this one on HN where we point out that IoT devices could cause a world of hurt because of all the make-a-quick-buck hucksters who couldn't be arsed to do due diligence.
High ethical standards enforced by a court of your peer professionals, who can ruin your career if you break the code of conduct. The last part is, unfortunately, crucial, because ethics can quickly go out of the window when people face monetary pressures.
> It is incumbent upon us, the knowledgeable and ethical practitioners of our field, to hold not just ourselves, but our whole industry to a higher standard. Thus, discussions such as this one on HN where we point out that IoT devices could cause a world of hurt because of all the make-a-quick-buck hucksters who couldn't be arsed to do due diligence.
I strongly agree. And I feel there should be loud naming and shaming of companies with anti-consumer practices like these.
One thing I feel we can teach the general public, though, is the distrust towards the cloud and SaaS model. IoT devices can, and should, communicate point-to-point or in your LAN. If a device needs an Internet connection to work and doesn't have a damn good reason for that, one should avoid it.
Speaking of planned obsolescence, it would be nice to be able to take a working 40-year-old fixed camera and tell it it's a barcode reader and scheduled wildlife counter, or otherwise to take a power profile change, if not also a distinct (llvm, CoolWave, Bluetooth 4.1 profile) promise or callback schema. Maybe tell the shakeweight that you're putting it in the closet in a manner such that shaking is no excuse to dissipate more than 21mW. Certainly get (MSDS-ish # circumstance) links from devices that deal in goober or tree nut oils or PVC with flame retardant adjuvants, etc., maybe or maybe not explicitly asking things to MacGyver themselves into a bootstrap industry they don't belong to.
Currently I have a bunch of cheap WiFi cameras, all made by D-Link. The thing I like about D-Link cameras is that when you put them on a WiFi network that isn't allowed to access the internet they still work as expected.
The cameras themselves have all of the smarts to do motion detection and email short recordings, they can also FTP images somewhere or you can use something like Zoneminder to handle things. None of this requires them to phone home or make use of some kind of cloud service.
Of course, D-Link does have a cloud service, but it's not required. To me it seems like the best of both worlds - the easy-to-use cloud service for those who want it, plus the ability to work standalone for those who don't want to use their service.
Why doesn't someone build a video doorbell that works like this? D-Link keeps making and selling these cameras, so clearly there's some kind of market for products that have a cloud service but don't require it.
When the vendor stops updating the app that goes with a 5-yo product that they no longer sell, at some point that app will no longer work under the new version of your mobile OS (iOS 16? 17?), and you'll have to give up on it.
There's a huge amount of obsolescence coming down the pike in 5-10 years.
I think that's okay, overall. These things should all be considered prototypes and shouldn't be expected to last forever. [I also think a certain amount of obsolescence is sensible and even good given the potential upsides to maintaining people or teams capable of designing, manufacturing, and supporting specific products or services.]
Not all technological changes are advances.
None of those grafted on services for me, I really have yet to see anything that was so compelling that I would give up and consent to essentially renting a device and having an account with some service to make it useful.
That way you also don't need to warn anybody about the lousy security. I'm 100% convinced that those companies that are exploited are merely the tip of the iceberg, that for each of these there are a vast multiple that were exploited but never found out, and that the remainder also isn't as secure as it should be.
Running a secure service with devices in the field is hard, harder than I give most companies credit for, and those companies that could pull it off (Amazon, Apple, Google, Microsoft and a couple of others) are usually the ones that I would trust even less with my data because of their ability to add it to the pile they already have.
I do for a few things. I pay T-Mobile so I can make phone calls with my cell phone. I also pay Netgear for some Arlo cameras.
I'm more willing to get devices that have external services if the company offering them will likely be around for the life of the device. For my phone, I'm happy if T-Mobile lasts two years and for Netgear, I'm counting on around 5 years.
That's a good rule, but good luck opting out once most manufacturers no longer give you an option.
The irony is that this is Hacker News and so many people building those things hang out here. If we want to make a difference, we have to start making a difference.
I've long advocated the basic idea from the article here, but in a much more blunt way, with explicit warnings about the potential consequences:
Identity theft is the fastest rising crime in COUNTRY.
The average victim loses $X permanently and takes Y months to get their life back.
THIS PRODUCT DOES NOT MEET PRIVACY STANDARD Z SO YOU ARE MORE LIKELY TO BECOME A VICTIM IF YOU USE IT. COMPETING PRODUCTS MAY BE AVAILABLE.
(Or something along those lines. You get the idea.)
Which is more likely, that companies will actually create more secure devices, or that companies will simply label their insecure devices as required knowing full well that most consumers will ignore the labels? How many people read the TOS for anything they sign up for? How many Hacker News users, who should know better, read the TOS of anything they sign up for? Do people stop smoking because we put cancer warnings on cigarettes? Some, maybe, but enough for cigarette makers to make their products healthier?
It seems to me that the most likely result of labelling IoT devices would be for consumers and businesses to accept that lack of safety as an acceptable tradeoff for whatever features the device offers.
It's hard to separate effects, but certainly here in the UK where we now have aggressive labelling restrictions on packets and visible displays in shops and strict limits on smoking in most public places, smoking seems to be much less of a problem than it used to be. In particular, culturally among younger generations, social smoking is no longer the norm in the way that perhaps it was for their parents or grandparents.
I see no reason that similarly explicit labelling requirements for dangerous IoT devices couldn't help, particularly if also combined with restrictions on use in contexts that could affect others.
Failing that, I personally have no problem with powerful regulations that pose an existential threat to businesses that are deliberately and flagrantly cavalier with security or privacy in the online era (and I write that as someone who is typically very cautious about regulatory over-reach and unintended consequences).
To me, that combined with a campaign of education and raising consumer awareness might be more effective.
While this sounds like a wonderful idea (and one I would subscribe to), it doesn't address the fundamental problem with IoT security.
Most operating systems have updates made available on a monthly, weekly, or even daily basis, in order to keep them secure. Mostly, we know how to do this, the operating system generally auto-updates, and the people producing the OS keep up to date. This is necessary because the time from discovery of a bug to exploitation of a bug can be very short.
IoT devices rarely have this. A Miele washing machine should last 20 years, but there is no way I'm leaving a computer with a 20-year-old OS on the internet. That's just asking for trouble. There's also the point that OS makers generally have a clue about computing security, but IoT makers generally do not.
A computer with no way of updating the OS for security (i.e. an IoT device) has a usable lifespan of maybe a couple of months. If you're lucky.
For example, in my country, it is typically the merchant who sells you a physical product who will be on the hook under consumer protection legislation if the product fails to meet acceptable standards somehow. It's implicit that they would in turn try to recover any losses from their own suppliers later, but that's not the end customer's problem, and the merchant is the one who loses out if they don't have such a recovery mechanism available.
However, that's hardly fair if there's a third party involved (the developer of some software component within the product) who can update it in whatever good or bad ways they want without any knowledge or consent on the part of the merchant. It is particularly unfair if that third party is also a relatively large or even monopoly supplier and can dictate more-or-less arbitrary terms to merchants selling their products, who typically do not benefit from a baseline of legal protections against exploitation in the same way that end customers do.
In short, our entire framework of consumer protection and product liability laws has been built around the model of a linear supply chain resulting in a single point and time of sale, but that model simply doesn't apply any more in many cases.
In fact, depending on how you view "intellectual property" laws, anything that isn't public domain could be considered a "grafted on service"
And how do you know, pre-purchase, whether it does?
By requiring a warning label on it, as the title suggests. Doesn't seem like such a silly idea now, does it?
> Doesn't seem like such a silly idea now, does it?
I never said that.
My navigator is an elderly TomTom, my phone an old Nokia and so on. I seem to be stuck in stuff that is now a generation or two behind the times but I've yet to be convinced that the 'new' stuff is better in a way that outweighs the privacy and security risks.
Personally, I actively do not want OTA updates, or much of any remote communication to or from my car at all, that isn't 100% isolated from all the essential vehicle control, safety and security systems.
I can tolerate the idea of a vehicle-initiated automatic emergency call system, or a remotely activated but otherwise independent tracker device as an anti-theft measure. These have a clear and beneficial purpose for me as the owner/driver, and if strictly limited to that stated purpose they pose minimal privacy, security or safety concerns.
Anything beyond that, I would rather do without. And I'll maintain my current car indefinitely rather than buying any of the current generation of might-work-or-might-kill-you stuff. The lack of effective regulation and oversight in the auto industry was scary when it was just mechanics, it became more scary when software started to eat the industry, and it's just plain terrifying in the new, connected era.
Good article though, and I definitely agree that these issues with IoT devices should be made more prominent.
It mostly seems to be cases like this one, where the first image is concealed or contextualized in the article but treated like a normal header image by Slack. I think one that got me worst was a piece responding to someone else's content. Slack simply pulled the quoted text and picture at the top - which looked like sharing the original article, instead of a response to it.
It would indicate that the device is self-contained and has no connectivity.
I see some suggesting "no connectivity" but that would just sound like a negative thing. Typically you list features, not things it doesn't have. Sure, if you pause to think about it, we (on HN) would all figure out the benefit. But many people might not pause nor figure it out.
Independent also doesn't sound exactly right, but perhaps it's just that nobody ever used it to describe this before and I'd need to get used to it.
Edit: "Dependency-free" is not as common a word and means the same thing. That might be a little better.
> It would indicate that the device is self-contained and has no connectivity.
Very good one.
A good candidate would have been "smart", but unfortunately it is already taken to mean the opposite.
But I get your point. Now I would like to have some "smart" devices, though, so beyond your label for self-contained devices I kindly ask for a label for devices that stay on local network.
 - industrial pesticides are better than "pesticides" that still let you claim the "organic" label.
But IMHO such devices aren't the problem. I can't think of many (any?) devices where I'd want an unconnected one and can't get it. The problem is connected devices that come with unexpected extra connections (networked camera that wants to talk to a cloud service etc). Maybe "service-less" for that?
The problem can be the Z-wave/ZigBee controller which may very well require Internet and Cloud access to "phone home."
I avoid using IoT devices that I can't re-program or if nothing is available except some proprietary/cloud driven device I isolate them into their own little network space, so they can't attack the rest of the network or "phone home" unless I let them. Sometimes, that isn't possible and that's when 30 day return privileges come in real handy.
The ability to trace the packets coming off of most IoT devices is fascinating and sometimes scary. A lot of devices are like the recent OnePlus smartphones that record and send most everything to their "true master", the manufacturer of the device. At least, with a OnePlus you can fix that, by reflashing the phone.... which is not true of most IoT devices being sold today.
Have you noticed that BestBuy seems to only sell IoT devices that will "phone home?"
Old enough to remember also printed, well written, exhaustive manuals coming with them? ;-)
"This device is inherently insecure and could be remotely operated by persons unknown anywhere in the world."
Also maybe they should be honest and just write: "This device will stop working at any time the company behind it gets bought and/or decides to abandon the product line."
WARNING: This product warps space and time in its vicinity.
WARNING: This product attracts every other piece of matter in the universe, including the products of other manufacturers, with a force proportional to the product of the masses and inversely proportional to the distance between them.
CAUTION: The mass of this product contains the energy equivalent of 85 million tons of TNT per net ounce of weight.
HANDLE WITH EXTREME CARE: This product contains minute electrically charged particles moving at velocities in excess of five hundred million miles per hour.
CONSUMER NOTICE: Because of the "uncertainty principle," it is impossible for the consumer to find out at the same time both precisely where this product is and how fast it is moving.
ADVISORY: There is an extremely small but nonzero chance that, through a process known as "tunneling," this product may spontaneously disappear from its present location and reappear at any random place in the universe, including your neighbor's domicile. The manufacturer will not be responsible for any damages or inconveniences that may result.
READ THIS BEFORE OPENING PACKAGE: According to certain suggested versions of the Grand Unified Theory, the primary particles constituting this product may decay to nothingness within the next four hundred million years.
THIS IS A 100% MATTER PRODUCT: In the unlikely event that this merchandise should contact antimatter in any form, a catastrophic explosion will result.
PUBLIC NOTICE AS REQUIRED BY LAW: Any use of this product, in any manner whatsoever, will increase the amount of disorder in the universe. Although no liability is implied herein, the consumer is warned that this process will ultimately lead to the heat death of the universe.
NOTE: The most fundamental particles in this product are held together by a "gluing" force about which little is currently known and whose adhesive power can therefore not be permanently guaranteed.
ATTENTION: Despite any other listing of product contents found hereon, the consumer is advised that, in actuality, this product consists of 99.9999999999% empty space.
NEW GRAND UNIFIED THEORY DISCLAIMER: The manufacturer may technically be entitled to claim that this product is ten-dimensional. However, the consumer is reminded that this confers no legal rights above and beyond those applicable to three-dimensional objects, since the seven new dimensions are "rolled up" into such a small "area" that they cannot be detected.
PLEASE NOTE: Some quantum physics theories suggest that when the consumer is not directly observing this product, it may cease to exist or will exist only in a vague and undetermined state.
COMPONENT EQUIVALENCY NOTICE: The subatomic particles (electrons, protons, etc.) comprising this product are exactly the same in every measurable respect as those used in the products of other manufacturers, and no claim to the contrary may legitimately be expressed or implied.
HEALTH WARNING: Care should be taken when lifting this product, since its mass, and thus its weight, is dependent on its velocity relative to the user.
IMPORTANT NOTICE TO PURCHASERS: The entire physical universe, including this product, may one day collapse back into an infinitesimally small space. Should another universe subsequently re-emerge, the existence of this product in that universe cannot be guaranteed.
I saw some folks recommending punitive damages against IoT companies that ship this insecure junk. Well how about prosecuting software devs who introduce security vulnerabilities?
It works and is profitable. Just ask any advertiser. And it is nice. It increases corporate profits. What could be nicer than that?
I guess the main point the author is trying to make is that data can get compromised, and some people might not be aware of that.
Nothing new or groundbreaking.
I honestly don't see a problem with requiring this and enforcing it with the corporate death penalty. Need I mention Equifax?
He could've used any other image from the post as the featured one.
> This package is sold by weight, not by volume. Packed as full as practicable by modern automatic equipment, it contains full net weight indicated. If it does not appear full when opened, it is because contents have settled during shipping and handling.
Not entirely unreasonable note, but nothing to do with IoT