Bruce Schneier: IoT + DMCA = More Monopolies, Limits On Consumer Choice (theatlantic.com)
New submitter OldMan17 writes: On Dec 24, while many of us were busy in a frenzy of commercial excess and socially-conditioned good cheer, The Atlantic published an article by Bruce Schneier predicting that the IoT will be abused in conjunction with the DMCA to make our lives worse instead of better. Some of the precedents he cites are old news, but I expect we will have a lively debate in the comments as to whether the over-arching conclusion is justified by his arguments. When everything is online, laws made for "the internet" suddenly apply to everything.
The Internet of Things (IoT) is being driven by commercial interests that are more interested in spying (known in commercial circles as marketing) and in control. Benefits will accrue, but they will not accrue to the people paying for the gear, which makes the IoT value-subtracting for the average citizen.
Internet of Things devices could watch me while I sleep.
So does Santa Claus... So be good, for goodness sake!
“He’s not deformed, he’s just drunk!”
His example of the Hue dustup was a poor, poor choice as an example there.
1) Hue bulbs use ZigBee Light-Link Profile.
2) The bulbs (all of them...ALL OF THEM in the IoT space right now) cannot be re-flashed.
3) In order to get a permanent private key for each SKU shipped using ZigBee LL Profile, the devices must conform to the spec and properly interoperate. So, they can't dink with the bulbs, period.
4) The only place you can even possibly DO what Philips attempted to do would be to dink with the final phases of the LL handshake, wherein the coordinator (the gateway puck) would allow federation with the mesh or not at the last part of the process, based on manufacturer and manufacturer ID, and just drop the federation request on the floor if it didn't match the list.
5) It's not DRM, per se. Worse, it's NOT compliant with the ZigBee spec. Not sure how the Consortium would handle a revocation of things like that, but the Coordinator in that configuration no longer complied with the spec (which is to allow Home Automation and Light-Link protocol devices ONTO that mesh and be able to control them, period).
6) Better yet, there were competing products (Iris, Wink, etc.) that could work with Philips' crap because of the ZigBee spec. While some of them don't have an "API" to drive it via PC, some do, and moreover, some of them let you have ZB and Z-Wave light controls signal lights on and off or federate clusters of bulbs with a control panel that acts like a light switch. Philips just simply cut their own throats by trying this. People can go buy up their RGB bulbs or Osram's... and get the same basic functionality as Hue provided... for less money in most cases.
Here is where things get nefarious. IoT is like social networks. In the past, you could just tell people where to stick it when they talked about their LiveJournal, MySpace, or Orkut stuff. However, if you don't have a LinkedIn account, an FB account, and a Twitter account, you will be turned down for jobs.
I know this firsthand. Had a job interviewer tell me that I was too old for IT work and show me the door because he wanted to read/follow my Twitter account, and I told him that I didn't have one.
IoT has the potential for being just like that. For example, the Bluetooth deadbolt. It might be that apartment managers and other landlords install IoT security devices because it makes their job easier to lock out tenants being evicted, know who is going into a tenant's place, or let maintenance in on a schedule regardless of whether the tenant wants it or not. Far more flexible for the property owner, and the tenant would have no choice in the matter.
Insurance companies can also demand IoT devices, say CCTV monitoring and file storage, or IoT deadbolts and other devices, so they can be assured that a property is secured when the owners are away. If this isn't done, they won't renew the policy.
Then, there is the phone-home aspect. Pull the internet connection on a modern console, and it halts. I wouldn't be surprised if a future HDCP spec required all devices to authenticate with a central server for a health check every so often, which would require that all TVs and such be always on and in communication. As per the EULA of the TV, video and audio would also be sent back for "IP enforcement purposes". If someone disagrees with that... well, good luck with the no-sue arbitration agreement they agreed to...
Next come devices. Take the refrigerator, for instance. Good luck trying to find a completely mechanical one with a thermostat and compressor that runs for decades. Most have various computer controls. It wouldn't be surprising if IoT functionality became essential, and no network connection meant the device does not function, especially if the fridge maker starts demanding license keys to activate the ice maker, crisper section, and such.
The key is to not just avoid buying IoT shit, but to make it damn well known that you will never buy that because you don't want another route by which an intruder can trespass into your home. Because IoT security is so weak, and there is zero incentive for companies to actually do something about it, it needs to die on the vine.