Caveat 3.10.21
Ep 68 | 3.10.21

Unregulated IoT devices: What could go wrong?

Transcript

Bob Ackerman: You've got a huge population of devices where security hasn't been a priority, and the lineage of those devices is not documented and, in many cases, is suspect. What could possibly go wrong?

Dave Bittner: Hello, everyone. And welcome to "Caveat," the CyberWire's privacy, surveillance, law and policy podcast. I'm Dave Bittner. And joining me is my co-host Ben Yelin from the University of Maryland Center for Health and Homeland Security. Hello, Ben. 

Ben Yelin: Hello, Dave. 

Dave Bittner: On this week's show, Ben looks at Virginia's new privacy legislation. I dig into a study on engagement with far-left and far-right content on Facebook. And later in the show, my interview with Bob Ackerman from AllegisCyber on the potential effect of federal regulation on the IoT security space. 

Dave Bittner: While this show covers legal topics and Ben is a lawyer, the views expressed do not constitute legal advice. For official legal advice on any of the topics we cover, please contact your attorney. 

Dave Bittner: All right, Ben, let's dig into some stories this week, as we do. Why don't you kick things off for us? What do you have for us here? 

Ben Yelin: Sure. So I know we've been Maryland-centric recently, so we're going to move slightly to the west, on the Delmarva Peninsula... 

Dave Bittner: (Laughter). 

Ben Yelin: ...And talk about the state of Virginia, which just passed a consumer data protection act. This was signed into law this past week by Governor Ralph Northam. So this is the second such law in the country after California, although it is not as robust and strict of a data privacy protection law as the California Consumer Protection Act. And this law was actually supported by some of the big tech companies, so specifically Amazon. And the reason why Amazon's support was so crucial is that Amazon is building one of its new headquarters in Arlington, Va., so, you know, they need to be within the good graces of the Virginia government and vice versa. 

Ben Yelin: What the legislation does, just like the CCPA, is allows residents of Virginia to opt out of having their data collected and sold. They can also see the data that companies have already collected about them, and they can go in and ameliorate the effects of that collection. So they can correct that data or they can delete it. 

Ben Yelin: Now, there are a couple of reasons that this article mentions - by the way, I'm reading this from The Washington Post, from their technology section. A couple of reasons why this law is not as strong as the California law - the first is it does not grant a private right of action. So Virginia residents are not going to be able to directly sue these companies for violating their personal privacy, and that's one of the most strong and controversial aspects of the California law. 

Ben Yelin: Another aspect of this that makes it a little, you know, more toothless than California is that it's going to be enforced by the attorney general rather than an office set up specifically for enforcement of the statute. And a lot of that just has to do with resources. You know, if you have a state attorney general whose, you know, portfolio is going to be every legal issue that comes across his or her desk, that's just going to be less resources devoted to consumer data privacy protection. 

Ben Yelin: That leaves the country in a really interesting place. We now have two states who have enacted these consumer data privacy protection laws. There are several states where legislators or other political actors are considering passing such laws, so we might get to a point where we have, you know, five or six of these laws. They might differ in some important respects. And these companies are now going to have to worry about complying with perhaps several different consumer privacy statutes. 

Ben Yelin: So I think it just enhances the need, you know, at least in the medium to long term, for Congress to step in and set national standards. You know, I think the states, as the cliche goes, are the laboratories of democracy. I think it'll be a good opportunity to see how these laws work in practice, you know, whether they are effective enough. But in the long term, I don't think it's particularly sustainable to have 50 separate state regulations on consumer privacy, when we're talking about something that is by definition interstate - the internet. So that's where we are in Virginia. 

Dave Bittner: Yeah, that's - it's interesting to me, Virginia giving folks lots of lead time on this as well. I mean, it's not going to kick in until January 1 of 2023. 

Ben Yelin: Yeah, who knows what's going to be going on in 2023. Seems like a long way into the future. 

(LAUGHTER) 

Ben Yelin: So California had a lead time in its law as well. It wasn't as long. I mean, I think the lead time is important because what happened in California is the law went into effect even after that lead time, and both consumers and the tech companies were just confused about a number of provisions. Coincidentally, that happened around the time that the COVID pandemic started, so resources were thin in the relevant California state offices, and there was just a lot of chaos that was caused by not having a long phase-in period where people could really understand how the law works. And I think that's what Virginia is trying to avoid here. So, yeah, I mean, normally, just any customary state law that's passed usually comes into effect within the upcoming calendar year, so it was definitely a conscious decision that they made. 

Dave Bittner: Well, when a law like this has such a long lead time before it goes into effect, is there tweaking that happens between now and then, or is it pretty much set and then they wait for it to go into effect before they start, you know, deciding whether there is unintended consequences and, you know, so on and so forth? 

Ben Yelin: So this statute, you know, is scheduled to go into effect in 2023 unamended. What this article says is that the governor has convened a working group to recommend potential improvements to the act to make it perhaps more in line with California's act - maybe adding some sort of private right of action, making some of the other provisions a little more robust. You know, there's no guarantee that anything will come from that work group. As you and I both know, any work group or commission is usually a stalling tactic when you don't actually want to do something. 

Dave Bittner: (Laughter) Right. But you can say that you're doing something. 

Ben Yelin: Exactly. But I will say, you know, he's put a work group together of the important legislators who are involved in passing this particular statute. And there are a lot of issues that are unaddressed. One thing - a couple of things they mentioned in this article, this law doesn't address privacy concerns related to AI or facial recognition. So those are two things where, you know, perhaps sometime before the first of the year in 2023, they might want to add that on to this piece of legislation, and they can do that in a separate piece of legislation. So those are things where, you know, you don't necessarily have to wait until the law goes into effect to see an impact; those are things you can, you know, do just as a matter of policy. 

Dave Bittner: And two years is a lot of time for, I can imagine, big data breaches to occur that could move public opinion one way or the other and perhaps - I don't know - trigger another look at this, right? 

Ben Yelin: Absolutely. I mean, that's the risk you take by postponing it - you know, the enactment of any law by two years is that conditions on the ground might change. Things in the world were very different in January of 2019, which is about as long as we're going to have to wait until January 2023. And if there is a big data breach that affects the residents of Virginia - and I should note, you know, probably many residents of Virginia are already familiar with big data breaches because there are a lot of federal employees there... 

Dave Bittner: Right (laughter). Right. 

Ben Yelin: ...That are part of the OPM... 

Dave Bittner: Yeah, I was going to say, the letters OPM ring with certain resonance for them. 

Ben Yelin: Yes, I would guess Northern Virginia - probably a higher percentage than you would expect are in that OPM system. But, yeah, I mean, there could be some sort of catalyzing event where, you know, legislators start to feel the pressure to move stronger and to move faster. But I almost think this isn't giving them quite enough credit. This is only the second law of its type in the country. Being able to do this while getting buy-in from the tech industry is really an impressive feat on the part of the state of Virginia. And they are now pioneers in the realm of data privacy protection. Kudos to them for that. 

Dave Bittner: Yeah, it's interesting. I guess for no particular reason, I was a little bit surprised to see this come out of Virginia. I'm not 100% sure why, but I guess it's not the state that I would have thought to have been leading the way on this. So, like you say, interesting for them. 

Ben Yelin: Yeah. Virginia's changed a lot politically over the past couple of decades. But more than that, I mean, it has a very highly educated workforce, particularly in Northern Virginia, which kind of lends itself to this type of legislation, where it's people who are very familiar with the tech industry. Like I said, you know, with the new Amazon headquarters moving to Arlington, Va., there's going to be a lot more of those type of employees and employers there. So, you know, I think it's pretty well situated among states to have this law go into effect. 

Dave Bittner: Yeah. All right, well, I should note that we've got Heather Federman. She's the VP of privacy and policy at a data discovery firm called BigID. And she is scheduled to be on the show in the next few weeks, and we're going to be digging into some of the details here. She's got some real expertise on what's in this bill, so we'll look forward to having her on the show, I believe, later this month. 

Ben Yelin: Absolutely. And she will undoubtedly be able to give you more insight than I can. 

Dave Bittner: (Laughter). 

Ben Yelin: So I'm glad that she'll be on the show. 

Dave Bittner: Yeah, yeah. All right. Well, it's an interesting story for sure. 

Dave Bittner: My story this week - I'm actually going to link to a couple of different sources covering this one, to the actual report and then some coverage from the Protocol website. This is a study from New York University about engaging political news on Facebook. And this study has found that far-left and far-right misinformation get the most engagement, but the far-right gets the most (laughter) engagement, like, way above anything else. And I think this is a fascinating study. 

Dave Bittner: They look into different organizations who are on Facebook Groups, and they're relying on the organizations NewsGuard and Media Bias/Fact Check, as well as Facebook themselves to kind of independently label these different organizations in terms of their political leaning and the quality of the media that they publish. And some of the graphs here show that it's really pretty stark here how much more engagement far-right media gets on social media - on Facebook in particular - than other types of media. 

Dave Bittner: You know, again, to be fair, far-left gets more than center-leaning or slightly right, slightly left, you know, those sorts of things, but it's more in the cluster with the rest of the types of presentations of news, and the far-right stuff is in its own separate category. What do you make of this, Ben? 

Ben Yelin: It's a fascinating study. You know, there are a couple of things at play here. One is demographics. I think far-right audiences just as a - and this is a broad generalization - tend to be older and less computer literate and probably more apt to believe misinformation and thus, you know, take that opportunity to click that link. So that's one hypothesis for it. 

Ben Yelin: Another is that these days, right-wing misinformation is just frankly more - not only more prevalent in the news atmosphere, but just a little bit more sensationalized to the extent that it's rather entertaining and can lead you down a rabbit hole. You know, so when you think about something like QAnon, it's something that obviously started in the fever swamps, but millions of people became very invested in it. I mean, even though it was a completely false conspiracy theory, I've read a million different articles of, I lost my father to QAnon because first he heard about it on this obscure online forum, and then he started seeing links on Facebook and started clicking it. 

Ben Yelin: So when you have that sort of very prominent conspiracy theory... 

Dave Bittner: And the algorithm keeps putting it in front of you. 

Ben Yelin: Right. It recycles the QAnon stories because it knows that you've clicked them in the past. Then that effect can kind of feed upon itself. 

Ben Yelin: You know, I also think when you're trying to decipher why there is more right-wing misinformation versus left-wing misinformation, a lot of that is traced to just the very nature of the election itself. So you had an election where Biden was declared the winner five days after the election took place. And, you know, as soon as that happened, President Trump started contesting the results in court, but also in the arena of public opinion. And I think that really galvanized his supporters, and we saw that culminate on January 6. 

Dave Bittner: Right. 

Ben Yelin: So, you know, you're studying a very particular time period here where the right was very energized around something that was false, that was pure misinformation. 

Dave Bittner: Right. So it makes sense that that would be attracting eyeballs despite the fact that it's so clearly misinformation. That it's getting the most attention, it's understandable that it would be, I suppose. 

Ben Yelin: Yeah. You know, and I think any politically extreme content is naturally going to get more eyeballs largely because it's more interesting, it's more entertaining. I mean, how many people that you know are going to read, you know, a brief on the difference between the corporate tax rate in the Trump plan and the Biden plan, you know? 

Dave Bittner: Right (laughter). 

Ben Yelin: It's not the type of thing that's going to get clicks on Facebook or any other social media. 

Dave Bittner: Benghazi, Benghazi, Benghazi (laughter). 

Ben Yelin: Yeah, exactly. Forward, forward, forward, forward. Yeah. 

Dave Bittner: (Laughter) Right, right. 

Ben Yelin: You know, those are the types of things that get a lot of eyeballs. But I think, you know, the buy-in from leadership is a big difference. I mean, we are all prone to believe conspiracies when inexplicable things happen. Certainly, the left was not immune to it. Particularly after 9/11, you know, a lot of the left-leaning people in college that I knew got really into the "Loose Change" video that claimed that 9/11 was a false flag. 

Dave Bittner: Right. 

Ben Yelin: I think it's because, you know, you're disoriented. Bad things have happened. You're more prone to believe conspiracy theories. And I think what you don't want is leaders to feed into that natural instinct to believe conspiracy theories. And that's what happened with President Trump is you had this permission structure from him and some of his most prominent supporters to believe this misinformation. I think that's part of the reason that those posts got so many more clicks than equivalent posts from the left side of the spectrum. 

Dave Bittner: Right. There's another fascinating element to this that they dig into. There's a whole section here about how far-right news sources suffer no misinformation penalty, as they describe it. And there's basically a graph here that shows the interaction of followers of some of these groups. And if you look at every one of the groups except for the far-right groups - so we're talking about the far-left, slightly left, center and even the slightly right - there's more interaction with information that is not misinformation, not labeled as misinformation. Right? 

Dave Bittner: So even on the far left, more that is not misinformation than misinformation. But when you get to the far right, the misinformation bar shoots off to the right on the graph, where there's way more misinformation being engaged with than stuff that is not misinformation, than accurate information. And these organizations don't seem to be suffering a penalty for that. I think that's really interesting. 

Ben Yelin: It's fascinating. There's this political science term of elite signaling, where it's - you kind of take the cues of your favorite political leaders. And I think that explains a lot about this phenomenon here is you have Trump and his disciples telling his most loyal followers that you shouldn't - not only shouldn't trust the media, but you should definitely not trust these big tech companies when they try to moderate content and label something as misinformation or false, that they are the ones who are lying to you. We're telling you the truth. 

Ben Yelin: And I think that has really taken a hold on a relatively small movement, but certainly a significant movement on the far right. When you've been primed to distrust mainstream sources and particularly to distrust these tech companies - I mean, they really, really dislike Facebook and Twitter for their - you know, what they perceive as political bias. So I think, you know, when they see a story that they are primed to believe and want to believe and see that it has that misinformation label on it, they might be even more eager to click it, saying, you know, I don't want to let this bias get in the way of my desire to have this information. 

Dave Bittner: Right. Another thing they point out here is that there is a call that comes often from the far-right side who - saying that social media companies are censoring them or quieting their ability to spread the word. And this study shows that that's not true. That's the opposite. I mean, you look at these graphs, and the far-right messaging is reaching way more people with way more interaction than any of the other categories. 

Ben Yelin: Yeah. I mean, do yourself a favor and look at the daily list of top 10 Facebook posts with the most interactions generally. You're going to see, like, Ben Shapiro, other right-wing sources, One America News Network, Dan Bongino. They're going to make up the top 10. It's very rare that a left-leaning source makes up the top 10. 

Ben Yelin: Facebook is interesting because, counterintuitively, I think most young people who trend more to the left side of the political spectrum have kind of abandoned Facebook now that their grandparents are on it. 

Dave Bittner: (Laughter) Right. 

Ben Yelin: And they're just using different applications. So that means that Facebook is left for a proportionately older demographic, which happens to be, you know, more right-leaning. 

Dave Bittner: Right. 

Ben Yelin: So it makes sense. But, yeah, it does sort of put to bed this idea that there's an inherent bias, particularly in the algorithms, if - you know, when you look at those top 10 lists, you know, they are, by and large, conservative sources. 

Dave Bittner: Right. I just - I also think it's fascinating the sort of situation it puts leadership at places like Facebook in of trying to moderate these things or trying to get the misinformation off of their platforms when their platforms are built on interaction. Right? 

Ben Yelin: Yeah. 

Dave Bittner: Their profit is built on interaction. And when it is so starkly clear that this is where the interaction is happening, how do you deal with that conflict of interest? 

Ben Yelin: Yeah. I mean, it's a rather perverse incentive structure. I mean, that's the problem with Big Tech generally is the incentive is to get more clicks and more eyeballs. The things that get more clicks and more eyeballs are the things that are probably most damaging to our civic life and our political system. 

Dave Bittner: Right. 

Ben Yelin: You know, and I don't think this problem has an easy solution. I mean, you can't begrudge these companies necessarily. I mean, I sort of do. But, you know, theoretically... 

Dave Bittner: (Laughter). 

Ben Yelin: ...You can't begrudge them for prioritizing, you know, something that increases their bottom line. 

Dave Bittner: Right. 

Ben Yelin: You know, I think the only way to change it is if over the long term, you start to change the incentive structure. So that's posts that are misleading or websites that foster the spread of misleading information get fewer eyeballs and suffer some sort of reputational harm. 

Dave Bittner: Yeah. 

Ben Yelin: I think we're just a very long way from that happening. You see that particularly with, like, YouTube algorithms. You know, so much of it is you get people who start searching for, like - and I don't understand kids these days. I'm not even that old. But apparently, kids... 

Dave Bittner: (Laughter). 

Ben Yelin: Like, teenagers like to watch other people play video games... 

Dave Bittner: Right. 

Ben Yelin: ...Which I will never understand. But that's beside the point. 

Dave Bittner: (Laughter) Just wait. Your time will come. 

Ben Yelin: I know. 

Dave Bittner: My teenager spends lots of time watching other people play video games, and your kids will get there, trust me (laughter). 

Ben Yelin: They'll get there, yeah. My kids - my 4-year-old is into unboxing, and I'm still trying to understand that. 

Dave Bittner: (Laughter). 

Ben Yelin: But to circle us back around here, you know, you've seen that phenomenon where because a lot of other people who enjoy video games end up kind of dabbling in alt-right internet content, a lot of people are inadvertently steered toward radical material just by virtue of the algorithm. 

Dave Bittner: Right. 

Ben Yelin: And, you know, that's something that - it is ultimately the responsibility of these platforms. They certainly have the right to prioritize what gets the most clicks, what increases advertising revenue. But I think they also need to be accountable for the decisions that they're making. 

Dave Bittner: Yeah. I think it's also worth mentioning, worth acknowledging that, you know, it can be tricky to have these conversations about these policy issues. And, you know, every time we do, we have letters - we get letters because any time you're critical of either side, you know, left or right, or any time we present a story that could be perceived as being critical to either side, it tends to get somebody's dander up. 

Dave Bittner: I think, you know, Ben, you and I both have our personal leanings, and I think anybody who listens to this show is - it's not that hard to figure out where we probably stand on things. But I do think we make a good faith attempt to try to present a fair - both sides of any of these stories in a fair way to the best of our abilities, given our own personal, you know, limitations and biases, which we acknowledge. 

Ben Yelin: Absolutely. You know, and I think just by acknowledging your own biases, but also giving the opposing view its fair shake and actually contending with the arguments and not, you know, propping up strawmen, I think, is critically important and what we try and do. And oftentimes, there really are difficult questions and, you know, two sides to every issue. 

Dave Bittner: Yeah. 

Ben Yelin: So I think it's only right for us to give the other side a fair hearing. 

Dave Bittner: Yeah, yeah. And we do appreciate folks writing in and calling and leaving us messages. We have a call-in number. It's 410-618-3720. You can call and leave us a message, or you can write to us at caveat@thecyberwire.com. We do read everything that comes in, and we do appreciate your kind notes. 

Dave Bittner: Ben, I recently had the pleasure of speaking with Bob Ackerman. He is from a company called AllegisCyber. Our conversation focused on the probable effects of some federal regulation that may be coming along in the IoT security space. I should note that Bob is a partner at DataTribe, who are investors in the CyberWire. Here's my conversation with Bob Ackerman. 

Dave Bittner: I want to start off doing some level-setting here. In your estimation, where do we find ourselves on our long-term journey when it comes to IoT security? 

Bob Ackerman: I think we're in the early stages of the first inning. I don't think that we've actually even begun to appreciate what the IoT threat landscape looks like, you know, let alone the ramifications of that threat landscape. 

Dave Bittner: What makes you say that? Why do you think we're still lagging so much? 

Bob Ackerman: The market tends to be pretty reactive, and, you know, we tend to wake up to the reality of a threat once the threat has been demonstrated. And so I think, you know, within the cybersecurity community, we understand the potential magnitude of the risks associated with IoT devices, but it hasn't been demonstrated. You know, and I think outside of the cybersecurity industry, there's very little realization of the potential ramifications. You know, I think we've got a list of complex challenges ahead of us, and that list is sort of dynamically prioritized based on understood threats. And I don't think IoT is there yet. 

Bob Ackerman: At the same time, you know, if you live in this world, you understand that we're looking at tens of billions going to hundreds of billions of IoT devices. Every one of those devices is an endpoint - entry point into a network. Those devices are - have never been designed to be secure in most cases. They're designed to be functional. The lineage of those devices is not documented in terms of, you know, how many contributors to each of those devices actually are embedded in a device, let alone what is the heritage of that technology. So you've got a huge population of devices where security hasn't been a priority. And the lineage of those devices is not documented and, in many cases, is suspect. What could possibly go wrong? 

Dave Bittner: Yeah. Well, you know, you spend a lot of time in the startup space working with a lot of companies who are out there trying to solve a lot of these hard problems. What makes the IoT problem such a tough nut to crack? 

Bob Ackerman: Part of it is understanding where are you going to engage in securing IoT devices. Do you try and pick up security, you know, within the enterprise, or do you try and pick up security at the IoT device level? That's sort of a fundamental question. 

Bob Ackerman: I would argue that you have to do both. But engaging at the device level is very, very difficult because, again, there's a lot of OEM technology in these devices, and the cyber risks are associated with each one of those contributed components coming through that OEM channel. And so is it the device integrator that owns security? I would argue yes. And then, how does that device integrator ensure that the components that they are integrating are, in fact, secure, you know, basically supply chain risks? 

Bob Ackerman: You know, I think it's an area where, you know, there have been some examples of compromised devices. You look at ReFirm Labs' work in identifying vulnerabilities within video cameras coming out of China, for example. 

Bob Ackerman: But, you know, these devices tend to be low-cost, and, again, security is an afterthought. A lot of them end up being procured by consumers who don't think about security at all or are driven by price point and functionality. And, you know, the color of a device may be more important than whether the device is secure or not. So, you know, you've got a global network of devices being built out, a lot of it driven by consumer not thinking about security. Again, you know, what could possibly go wrong? 

Bob Ackerman: You know, it's one thing when we're integrating devices within the enterprise. You've got a security team that focuses on security and takes that as a priority in selecting suppliers. But much of the global footprint around IoT devices is being built by consumers, who have a hard time resetting their passwords with some frequency, let alone understanding the potential vulnerability of an IoT device that's got OEM technology coming from around the world, and is it or is it not secure? 

Bob Ackerman: So at some level, it seems to me that to tackle the consumer side of this, we need some sort of an Underwriter Lab metaphor for assuring the security and integrity of these IoT devices. I think that would help the consumer market quite a bit. 

Dave Bittner: Yeah. I've wondered about that myself - if you had some sort of labeling the way that, you know, UL Labs has done with electrical devices for over a century, I suppose. Could companies use that as a differentiator when - if somebody's standing in the store or browsing through that Amazon website, could they make an informed decision that, I'm going to choose the device that's been certified to have at least a baseline level of security built in? 

Bob Ackerman: Yeah. I think that is a - that's an obvious first step that has huge payoffs. Is it perfect? Is it totally conclusive? No. But it's a hell of a lot better than what we have today. I think it's a great opportunity for Underwriter Labs or somebody else to step into that environment. 

Bob Ackerman: Of course, you have to build the expertise to be able to look at these devices and detect vulnerabilities. You also then, once a device has been certified, you have to start looking at things like patch management. And if these devices are being dynamically updated, how do you have confidence that those updates are, in fact, clean and pure? 

Bob Ackerman: Again, you look at people that have this expertise - this is reasonably rarefied expertise. ReFirm Labs is always the one that comes to mind for me. You know, this is a team that came out of the National Security Agency that used to operate on the offensive side of the equation. So they - you know, they understand the opportunity, the challenges, the threats and the technology intimately well. I think it takes that kind of expertise to be able to look at these devices and, you know, give it a thumbs-up or give it a thumbs-down. 

Bob Ackerman: But then you've got to look, you know, past that initial evaluation. You've got to look beyond to, are these devices dynamic? Are they being patched? And if they are being patched, how do you ensure the integrity of the patch? And, you know, we certainly see today a lot of these IoT devices are being patched, whether it's, you know, fixing bugs or updating functionality. And, of course, every time you do that - SolarWinds was a great example not related to IoT but still a great example - you run the risk of a device being compromised in the update process. 

Dave Bittner: What about the new federal cybersecurity IoT act? Do you suppose that that may be able to move the needle? 

Bob Ackerman: I think it helps. Again, you know, it's a step in the right direction. But I think it's just a step. All of these things - I think you've got to put teeth behind them. It's one thing to have rules and to have procurement standards. But, you know, I hate to say it. I'm kind of a free market guy. But when it gets to security, it's like safety. It's not sufficient to have regulations. There has to be teeth behind those regulations. There has to be penalties for not complying with those regulations because the consequences of getting it wrong are simply unaffordable. 

Dave Bittner: All right, Ben, what do you think? 

Ben Yelin: I'm a little more worried about the future of IoT than I was before I listened to the interview. 

Dave Bittner: (Laughter). 

Ben Yelin: You know, (laughter) I don't know about you... 

Dave Bittner: Yeah. 

Ben Yelin: ...But that was just my initial reaction to it. I mean, I think because the technology is still relatively new, we haven't protected IoT devices in a security sense the way we have other things that we buy, where there's a seal of approval that your... 

Dave Bittner: Right. 

Ben Yelin: ...Product is safe. So I think that does lend credence to what he was suggesting, and what I think you've suggested as well, that there is a clearinghouse where some third-body agency validates the security features of these devices so that consumers are not left in the dust. 

Dave Bittner: Yeah. I think the thing that concerns me - and I'm not sure how we address it - is that there are literally millions of these devices out there that are installed that are hanging out on the internet for the long haul. 

Dave Bittner: And I usually think about security cameras when I think about this - you know, the security camera that's sitting on a pole somewhere or up in the corner of a warehouse, and it's sort of out of sight, out of mind. It does what it's supposed to do, and it does it well. But you don't know if it's running a botnet. You don't know if it's being used to access the rest of your network because it's been up there for years. There are no updates to it. And it's quite likely that your security team doesn't really think about it or isn't checking it to see what's happening with it. 

Dave Bittner: So even when we get updates, even when we get certifications on the new stuff, there's going to be all of this old stuff that's... 

Ben Yelin: Right. 

Dave Bittner: ...Hanging around. I think it's a good reminder that even if this stuff is working, you should have a replacement cycle on them just so you can get the advantages of some of the new security that goes into newer devices. 

Ben Yelin: Absolutely. I mean, think about all in your own home, the connected devices that you have. I mean, whether it's your thermostat or, you know, if you have a smart speaker... 

Dave Bittner: Right. 

Ben Yelin: ...These are things that are going to be vulnerable. And you just - as you say, you don't, you know, think about there are security vulnerabilities every day, especially if you're not in this field. 

Dave Bittner: Yeah. 

Ben Yelin: So, yeah, you're absolutely right. 

Dave Bittner: Yeah. Well, our thanks to Bob Ackerman for joining us. Always a pleasure to speak with him. 

Dave Bittner: That is our show. We want to thank all of you for listening. 

Dave Bittner: The "Caveat" podcast is proudly produced in Maryland at the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our coordinating producer is Jennifer Eiben. Our executive editor is Peter Kilpe. I'm Dave Bittner. 

Ben Yelin: And I'm Ben Yelin. 

Dave Bittner: Thanks for listening.