Bad Digital Law Is Fueling the Internet of Things Dumpster Fire

One day you’re using your Hewlett-Packard printer, same as always, and the next day it tells you the ink cartridge is empty. You use a high-quality, third-party cartridge and it seems too soon for it to have run dry. No problem, you’ve got a replacement – but it doesn’t work. Huh, you think. Nothing has changed, but you did update the machine’s software a little while ago. Did HP just screw you over?

Yes. Yes it did.

That’s what happened in late September, when HP included technology called Digital Rights Management (DRM) surreptitiously in what it said was a standard security update for OfficeJet Pro printers. The DRM rendered third-party cartridges unusable, thus forcing consumers into the waiting arms of HP’s salesforce. DRM is a tool that limits the way people can use their purchased technology. Corporations say they need to protect their intellectual property, but open information advocates and cybersecurity researchers say DRM makes the web wildly insecure.

When cyber activist Cory Doctorow heard about HP’s antics, he was not happy. He’s a longtime advisor to the Electronic Frontier Foundation, and drafted a letter to HP president and CEO Dion Weisler voicing his disproval.

The stakes go far beyond ink cartridges: As Doctorow laid out in a keynote speech this week at the O’Reilly Security conference in New York City, bad digital law is threatening to hold consumers hostage to the whims of corporations — as in the HP printer example — but also to make all of our connected devices, the Internet of Things, more susceptible to hacks.

The key driver in all of this is the Digital Millennium Copyright Act, a U.S. law that makes it illegal for security researchers to disclose DRM vulnerabilities. “Researchers need permission from companies to disclose defects, which gives companies a veto over embarrassing news about their own products,” Doctorow said.

And in this world, ignorance is not bliss. “Preventing disclosure doesn’t prevent discovery. It just means the vulnerabilities you discover and can’t tell us about don’t become public knowledge until they become so exploited in the wild that you can’t help but find out about them,” Doctorow told the conference goers.

“This is why the Internet of Things dumpster fire has been allowed to rage,” Doctorow said.

Sure, not being able to access Netflix is a pain, but think about a potentially undisclosed defect in the braking system of a self-driving car, and it’s easy to see how the DMCA prioritizes corporate profits over human lives.

Think DRM is just for printers and DVDs? Think again. Corporations use DRM in everything from voting machines to medical devices, including, you (maybe) guessed it: a rectal thermometer. “They’re putting DRM up our literal asses,” Doctorow said.

He and other security researchers are circulating a proposal that includes two straightforward demands: that devices obey their owners, and that disclosing facts about a product’s security should be legal.

It’s worth listening up now, otherwise the next fire might rage where the sun don’t shine.