Contrast and compare these two scenarios:
You buy a thing. Say, it’s a kettle. You make hot water with it, maybe it whistles when it hits the boiling point. That’s about as fancy as it gets. You use the kettle for years, if not decades, until you lose it in a move, damage it, or decide to get a new one.
Now imagine you bought an internet-enabled kettle. It allows you to set the kettle to a boil when you’re away from the kitchen, and monitor the water’s temperature from your phone. Perhaps you can even program it to boil water at certain times of the day.
After just two years of use, the kettle is going strong, but one day you get an email from its manufacturer: the kettle you bought is no longer being serviced or updated, and in a year they will cease to support it. At that time, your kettle will suddenly no longer work, and there’s nothing you can do about it.
While the second case with our kettle is just hypothetical, the idea of an internet-connected device becoming suddenly obsolete is a reality.
Just this year we’ve seen two high-profile situations involving IoT devices hitting sudden obsolescence. The first came when Google acquired the company Revolv, and subsequently shut down all support for the Revolv devices, leaving Revolv owners with $200 bricks.
And much more recently, with Fitbit acquiring the smartwatch Pebble, the Pebble’s warranty has been voided immediately and there are now warnings that “Pebble functionality or service quality may be reduced in the future,” according to Pebble’s CEO.
To be clear, it’s by no means a sure thing that Pebble will follow the IoT Brick Road, but current indications are at least cause for concern.
Can manufacturers be held accountable, and if so, how?
Should we just expect this kind of thing to happen, with the cord cut suddenly in the event of an acquisition, upgrade, or plain-ol’ “I don’t feel like updating this any more”-itis?
If a manufacturer decides that fixing its product’s buggy software is too much work, could they (or should they) just suddenly shut down the service entirely?
For early adopters of IoT devices, perhaps this is an acceptable risk: a nuisance, yes, but still part of being at the cutting edge of technology.
But IoT devices are now leaving the realm of the geeky set and are going mainstream: IoT thermostats are everywhere and an increasing number of children’s toys now have some kind of WiFi capability.
What’s going to happen when these devices are no longer just for the more technically literate? While it’s unlikely that lives are being seriously disrupted by a smartwatch shutting down, the stakes are only going to get higher.
As consumers, should we expect that a perfectly functioning, expensive device we buy – perhaps one that controls our home’s security or temperature, or just one that we don’t expect to need to replace for many years, like a teakettle – could become completely useless with zero warning or recourse?
If we don’t want to accept this as our future, realistically what can we do? In the case of Pebble, the consumer warranty was immediately voided, and the only chance of a refund was if you happened to purchase your watch from a retailer whose return policy was still valid.
But if you simply want your perfectly usable device to keep on working, there’s not much you can do but hold on to hope that the manufacturer or the new owner – in this case, Fitbit – will continue to support your device.
Even if you are more tech-savvy and could finagle loading custom or open-source software onto your device, there’s the tricky issue of DRM: you may not have the right to make any changes to the software, depending on what your device’s End User License Agreement (EULA) states. (We all read those, right?)
Thankfully, the growing ubiquity of IoT devices is highlighting their deficiencies as they become obsolete or are pulled off the market. In the United States alone, the EFF is targeting laws, including the oft-maligned DMCA, that restrict what consumers can and can’t do with IoT devices they own, in hopes that consumers can gain greater flexibility in how devices they purchase can be used, repaired, customized, and updated.
If we can successfully reform these laws, the chances are greater that consumers will no longer get a nasty surprise when a maker hits the kill switch on their device.
The even-bigger problem: no set of standards for IoT security
There is, of course, a much bigger discussion about manufacturer responsibility for the security of what they make, not just for small IoT devices, but also self-driving cars, smartphones and yes, software.
There are no common standards for software or smart devices – although there are of course laws on data protection. That’s not to say people aren’t working on it: UL’s Cybersecurity Assurance Program specifically addresses security practices in consumer devices.
However, there’s no consideration in most of these standards for keeping the consumer protected with regular security updates, or supporting security updates for the entire reasonable lifecycle of a product. A manufacturer certainly shouldn’t be expected to keep a device updated in perpetuity, and sunsetting software versions and devices is a reasonable course of action, but what’s a reasonable timeline?
And perhaps more importantly, what risk can or should the consumer bear? Should we be able to keep using our IoT kettle even if its software is no longer being updated, or would that out-of-date software pose too great a risk to the greater IoT infrastructure? Should IoT device manufacturers better plan for obsolescence by providing a way for these devices to work in some limited, offline capacity once they are no longer updated or supported?
The various industries pumping out new IoT devices are still trying to figure all this out, and there are no clear answers yet.
The burden does fall on the consumer for now, but that means we also have the power to ask the important questions and pressure manufacturers into realizing these issues must be considered.
As the industry catches up with consumer demands, we need to be smart about the devices we support with our money. Otherwise, we run the risk of letting the lowest bidder set priorities for the manufacture and longevity of devices we purchase – and when it comes to our security, we can’t afford to make too many mistakes.