The point is that you don't try to cover all bases, just certain broad categories. Any product manufacturer that wants to avoid hassle can just not do shady things in those ways at all and then they don't need to worry about it at all.
The experience with GDPR in the EU so far seems to have been that the clear elements were generally felt to be reasonable, and businesses that weren't doing shady things would already have been in compliance with most of them anyway. The problems with GDPR have more been around ambiguity and the unnecessary and sometimes disproportionate red tape imposed even on "good actors". It was a similar story with the slightly earlier update to EU consumer protection rules.
I don't see why we couldn't learn from experiences like those and develop a reasonable regulatory regime for devices with embedded sensors and/or connectivity.
No external connectivity? Nothing to disclose. External connectivity? Do you use a customer-defined network connection or establish your own (and if so, how)? What's your policy on providing security updates? What guaranteed minimum support period are you offering, and what will happen to the device past the end of that period? Maybe if you or any of your business's officers or controlling interests have been responsible for a serious breach in the past, you also have to disclose that with prominence that reflects the recency and severity of the failure, so being careless about security becomes a sticky and toxic label rather than just a lawsuit that is a cost of doing business.
Not depending on outside services? No need to disclose. Depending on outside services? You need to state a minimum period where you guarantee your device/functionality will keep working, whether each outside service is under your control, what identifiable data is changing hands, what will happen to the device if each external service is changed or discontinued, etc.
Not including any sensors of defined categories (camera, microphone, location, etc.)? No need to disclose. Including sensors? You need to state how to tell whether they are in use, whether you provide a physical switch to disable them that software can't override, what they are used for, whether any data they collect could be transferred off the device, etc.
I don't see anything unreasonable about this, because anyone making such devices is going to be spending considerable time and money to include those sensors, that connectivity, or that use of outside services, so there's no credible claim that they don't (or shouldn't) know exactly what is going on. Requiring a few lines of specific details to be provided in a standardised format under the sorts of specific conditions I mentioned above doesn't seem either unrealistic or disproportionate as we move into a world where more and more devices do come with some or all of these three liabilities.