Tougher rules for sellers of internet-enabled devices in the UK
43 points by timmb 1 year ago | 68 comments
- askvictor 1 year ago
We had to recently look at this as we sell our product in the UK. The rules are really quite pissweak. From the article:
* that password procedures are more secure, including ensuring any set by the manufacturer are not left blank or using easy-to-guess choices like "12345" or "admin"
Reasonable. But that's a _really_ low bar.
* that there is clarity around how to report "bugs" or security problems that arise
i.e. an email address published on the vendor website. No actual requirement to take action.
* that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
which means nothing if the manufacturer goes bankrupt.
- gnfargbl 1 year ago
> The rules are really quite pissweak.
Ah, but you need to look at how the UK government has implemented this [1].
The law itself is the Product Security and Telecommunications Infrastructure Act 2022. That law makes reference to "security requirements" with which manufacturers must comply. Importantly however, the actual security requirements aren't specified in the Act itself. Instead, they're specified as regulations set by the Secretary of State. As I understand it, regulations are easier to update than acts, and here the government is actually obliged to review the suitability of the regulations at least every five years [2].
In theory this allows the government to apply salami tactics: start with some regulations (the 2023 version) which are indeed so weak that no manufacturer could have reasonably objected to them, but then to add more requirements over time, hopefully ending up at a point where we have some more impactful requirements placed on this stuff. Whether the government actually does that, and over what timescales, remains to be seen.
[1] https://www.gov.uk/government/publications/the-uk-product-se...
[2] https://www.legislation.gov.uk/uksi/2023/1007/regulation/10/...
- Beretta_Vexee 1 year ago
Many major brands, particularly in the construction industry, rebrand smart locks, meters, house automation and smart relay equipment of unknown origin with their own brand names. Since they're the ones who put the products on the market, they're the ones who will have to provide maintenance and safety updates, regardless of whether they're an OEM or not.
People were unhappy to discover that their cloud-connected smart lock was no longer working after 2 years. And states don't want to have a large population of vulnerable equipment that could be used to amplify state-sponsored attacks on their national networks.
This is the purpose of the European Cyber Resilience Act.
- chrisjj 1 year ago
> Since they're the ones who put the products on the market, they're the ones who will have to provide maintenance and safety updates
But these rules make no such requirement.
- physicsguy 1 year ago
I think the third one has no effect on startups but it could have a big effect on, e.g., the Googles of this world who buy small companies then kill their product line or end support after a couple of years.
- graemep 1 year ago
> that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
and importers.
This is the usual requirement in UK law for anything like this (e.g. safety, manufacturing defects). Retailers are responsible for what they sell, and importers are responsible for what they import. If you buy it on credit the credit provider (e.g. a credit card provider) is responsible for a lot of things too (not this AFAIK, but for things like faults in what you bought).
- hyperman1 1 year ago
This is what the Brexit contras were warning about. The UK will still have to follow EU law, because they want to sell stuff in the EU. They just lost their voice in the process to write law.
- switch007 1 year ago
It was 95%* about immigration so none of those arguments mattered
* number pulled from my behind. But it was surely very high
- ImHereToVote 1 year ago
This is ultimately a good thing since UK politicians are mostly selected for by class. It's good for the EU that these useless eaters don't get to write legislation.
- jstanley 1 year ago
Can you explain the credit thing?
Surely a credit provider is just lending you money?
Money is fungible.
If I have £100 already, and someone lends me an extra £100, and then I buy two things that both cost £100, and one of them is faulty, how do we determine whether the credit provider is responsible?
- joncrocks 1 year ago
There are some extra protections on credit card purchases that you don't get from buying things with cash/debit cards.
https://www.moneysupermarket.com/credit-cards/guide-to-credi...
- graemep 1 year ago
It kicks in when the credit provider provides credit for that particular purchase. Common examples are credit card payments and car finance.
- matt-p 1 year ago
This is V0, the actual requirements are regulations, which can be updated really easily. Much easier to pass a law with very basic requirements and increase them later.
This is much better than nothing, which is what most countries have.
- graemep 1 year ago
I would actually prefer a law that (in addition?) required a reasonable standard of care with regard to security, imposed responsibility for consequential loss for negligence, and left the courts to interpret it.
- tsimionescu 1 year ago
Anything that relies on suing major corporations over unclear standards is doomed to mean nothing.
- matt-p 1 year ago
You can already sue a manufacturer for consequential loss if you can prove negligence?
- mschuster91 1 year ago
> Reasonable. But that's a _really_ low bar.
... one that even companies like Cisco routinely fail [1], and completely forget about chinesium "smart" devices where the extra 10 cents to provision a unique local password and print it on a label would ruin the profit margin.
> which means nothing if the manufacturer goes bankrupt.
Yep, but now customers can hold the seller accountable if that is violated, which will lead sellers and importers to either demand a cash escrow from vendors to account for dealing with refunds should the vendor go bankrupt, or to the formation of some sort of code escrow industry, similar to insurance: should the vendor go bankrupt or cease support prior to the communicated date, the code escrow will release the source code to the sellers/importers so that they can do firmware updates on their own.
[1] https://www.tomshardware.com/news/cisco-backdoor-hardcoded-a...
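As an added illustration, not code from the thread or from any vendor mentioned in it: a Python sketch of a factory provisioning step that meets the "no blank or easy-to-guess default password" rule quoted at the top of the thread (and the per-device password provisions of ETSI EN 303 645 discussed further down) by issuing a unique label password per unit and auditing a batch for blank, guessable or shared values. The blocklist, serial numbers and length threshold are constructed assumptions.

```python
import secrets
import string

# Constructed blocklist: the defaults the UK rules name plus a few common ones.
# A real product would load a much larger list of known factory defaults.
WEAK_DEFAULTS = {"", "admin", "password", "12345", "123456", "1234",
                 "0000", "root", "user", "guest"}
ALPHABET = string.ascii_letters + string.digits
MIN_LENGTH = 8  # assumed policy threshold, not from the regulation


def is_acceptable_default(password: str) -> bool:
    """Reject blank, blocklisted, short, single-character or sequential passwords."""
    if len(password) < MIN_LENGTH or password.lower() in WEAK_DEFAULTS:
        return False
    if len(set(password)) == 1:  # e.g. "aaaaaaaa"
        return False
    digits = string.digits
    if password in digits or password in digits[::-1]:  # "12345678", "87654321"
        return False
    return True


def generate_device_password(length: int = 12) -> str:
    # secrets, not random: the per-unit label password must be unpredictable.
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def provision_batch(serials):
    """Return {serial: password}; every unit gets a unique, acceptable password."""
    issued, seen = {}, set()
    for serial in serials:
        while True:
            pw = generate_device_password()
            if is_acceptable_default(pw) and pw not in seen:
                break
        seen.add(pw)
        issued[serial] = pw
    return issued


def audit_batch(issued):
    """Compliance check over a batch: list of (serial, reason) findings, empty if clean."""
    counts = {}
    for pw in issued.values():
        counts[pw] = counts.get(pw, 0) + 1
    findings = []
    for serial, pw in issued.items():
        if not is_acceptable_default(pw):
            findings.append((serial, "weak or blank default"))
        elif counts[pw] > 1:  # same password on two units = a universal default
            findings.append((serial, "password shared across units"))
    return findings
```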
- exe34 1 year ago
There should be a requirement to release security updates for $X years or release the code as open-source.
- Beretta_Vexee 1 year ago
It's a greatly diluted version of the article relating to IoT from the European Cybersecurity Act (Regulation (E.U.) 2019/881 of April 17 2019), 4 years after everyone.
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELE...
Nothing new or interesting. If the products were already on the market in the European Union, they had already been subject to stricter requirements for 4 years.
The only change is that sellers now have to display this information in the UK, whereas before they were not obliged to do so.
- petepete 1 year ago
While this move is clearly sensible the number of people importing absolute junk from Temu/AliExpress/Shein means millions of homes will be exploitable regardless.
- gnfargbl 1 year ago
> Most smart devices are manufactured outside the UK, but the PSTI act also applies to all organisations importing or retailing products for the UK market. Failure to comply with the act is a criminal offence, with fines up to £10 million or 4% of qualifying worldwide revenue (whichever is higher).
-- https://www.ncsc.gov.uk/blog-post/smart-devices-law
Will the government actually go after AliExpress/Shein/Temu? Dunno, but they have the option.
- Vinnl 1 year ago
I'm not sure how it works elsewhere, including the UK, but I believe here in the Netherlands, ordering from Aliexpress counts as importing, i.e. if you were to sell that on to others (like a drop-shipper), you're the retailer, but if you just keep it for personal use, then that's at your own risk.
Edit: tried to find a source again, [1] is the closest I could find and at least is reliable (but in Dutch).
[1] https://www.consumentenbond.nl/online-kopen/bestellen-bij-bu...
- gnfargbl 1 year ago
I checked and I think you're correct.
Temu's T&Cs for the UK specifically say that
> You agree that, where applicable, you will act as the importer of the products purchased
-- https://www.temu.com/uk/terms-of-use.html
So yep, on the face of it, this does look like a pretty big loophole.
- pjc50 1 year ago
Much of the time the Aliexpress products provide the same functionality for far less than Western brands. Sometimes even a bit more functionality. But I'm still a bit wary of mains-connected ones.
- globular-toast 1 year ago
> But I'm still a bit wary of mains-connected ones.
That is wise. YouTubers like BigClive regularly tear down Chinese products and you can bet on things like unconnected earth wires and poor separation between high/low voltage parts. Anything that plugs into mains should come from a known manufacturer and a reputable dealer (not Amazon, AliExpress etc.)
- Ekaros 1 year ago
At least here we have government agency that mandates recalls on the shoddy stuff bought from local stores. So getting money back is simpler. Even if the quality by amount of recalls is probably not that far...
- noneeeed 1 year ago
Likewise. Connecting to the mains is my main red line on what I'm prepared to buy from unknown brands with names that were pulled from a Scrabble bag.
- mschuster91 1 year ago
I'd add lithium batteries to the list. There's no way short of a teardown you can verify what battery vendor, which quality grade and especially which kind of protection circuitry was used - and even if there's analysis videos from youtubers available, there is no guarantee that the manufacturers haven't swapped stuff around during production runs to account for price and availability changes, or that the manufacturer doesn't suffer from supply chain issues.
Granted, established brands can be similarly impacted, but unlike some alphabet-soup dropshipper from Amazon, brands like Anker, Samsung, Apple or the likes have an actual reputation to lose so their incentive to keep safety in mind is way higher (and yes, even they can fail, both Samsung and Apple had their bad battery issues in the past).
- hyperman1 1 year ago
I regularly see the same product on AliExpress and in cheap EU shops. Most Ali things have a CE mark.
Most of my electronics has an FCC mark, even if it means nothing here. (I presume USA inhabitants see CE marks?) Globalization means it's cheaper to make 1 product, compliant with US and EU, then sell it from AliExpress too. This is exactly what the EU is counting on.
- karma_pharmer 1 year ago
Chinese manufacturers claim that marking means "Chinese Export". They have some ridiculous story about how the curvature of the "C" is different when it means "Council of Europe".
I know, it's bogus, but this is their explanation.
- hyperman1 1 year ago
China Export is a nasty one indeed. I recognize them by looking at the line between the 2 ends of the C: if the middle left of the E falls on the same line, it's a fake.
- Dalewyn 1 year ago
As far as Suspicious Chinese(tm) goods are concerned, I always just assume any claimed certifications are fake with no citable basis.
- izacus 1 year ago
There isn't "millions of people" doing that. Geeks do that. The rest buy locally.
- Symbiote 1 year ago
Companies like wish.com and amazon.co.uk advertise in mainstream media, and are widely used for buying low-quality goods from China.
- InCityDreams 1 year ago
Darwin at work?
- petepete 1 year ago
I was typing on my phone, the word 'explosive' was accidental but definitely fits in with the theme of crappy electronics!
I edited the original post.
- surfingdino 1 year ago
> that manufacturers and retailers inform customers how long they will receive support, including software updates, for the device they are buying
This is important. I noticed Epson publishing information on the length of support for their printers already.
- Fizzadar 1 year ago
Heh, saw the UK in the headline and expected another leap towards our 1984 inspired future. Nice to see a change that actually benefits us that live here! Small step in the right direction.
- skapa_flow 1 year ago
Finally UK does not have to deal with EU regulations. They just do it. Unironically congrats from the mainland.
- leoedin 1 year ago
The law itself says very little about what products do - it works similarly to other laws around machines and devices, where the heavy lifting is relegated to industry accepted standards. This is how CE marking (and the somewhat stalled UKCA mark) works - the law says you have to show that your device complies with industry standards, you produce a bunch of documentation showing this, you can give it a CE mark. It's all self-certified - there's no central body which will check.
It was surprisingly hard to work out the actual standards you need to comply with. It seems it's mostly ETSI EN 303 645, which is an IoT security standard for consumer devices. This is actually a fairly pragmatic checklist of things your device should do. It's a good thing this is now mandated by law. You can see the standard here: https://www.etsi.org/deliver/etsi_en/303600_303699/303645/02...
There's an ARM "Platform Security" framework which cross-checks against that standard - so if you can tick all their boxes you're compliant with the law. https://www.arm.com/architecture/psa-certified
It's nice that this standard is openly available - so many of the standards you must comply with to legally sell a product in the EU are hidden behind expensive paywalls. It's absurd that complying with EU and UK law requires paying a 3rd party sometimes hundreds of Euros.
- rcxdude 1 year ago
I think the law itself only mandates a very small section of that standard: more or less 'no common default passwords' and 'have a means of reporting security bugs'.