Abstract
As the regulatory landscape for the Internet of Things (IoT) evolves, vendors are moving towards certifying their products for security. We therefore need to understand who is liable when certification failures result in harm, i.e., when certified products have vulnerabilities that are exploited to cause harm to users. This paper addresses a fundamental and timely question with significant implications for vulnerability detection in certified products: who is liable for harm resulting from vulnerabilities in certified products, and who should be so liable? Through a qualitative analysis of contractual documents from 20 IoT vendors, this paper investigates how liability is currently defined in vendor-user contractual terms. The analysis then incorporates an expert survey of 18 legal professionals to examine their perspectives on liability within this context. Our analysis leads to 14 key findings (F1 – F14) that show how vendors exclude liability to the maximum extent possible, sometimes through unlawful exclusions, and how the perspectives of legal experts lie in stark contrast to what we observe in contracts (which are themselves drafted by lawyers). We distill our findings into three key themes that call for a robust and clear liability framework, creating an incentive for IoT vendors to ensure that their IoT products meet proper security and privacy standards.
Document Type
Conference Proceeding
Publication Date
2025
Publication Information
Proceedings of IEEE Symposium on Security and Privacy (Marina Blanton, William Enck, and Cristina Nita-Rotaru, eds. IEEE Computer Society Conference Publishing Services, 2025)
Repository Citation
Mandal, Prianka; Ami, Amit Seal; Giuffrida, Iria; Shin, Daniel; Sullivan, Ella; and Nadkarni, Adwait, "'We Can't Allow IoT Vendors to Pass Off All Such Liability to the Consumer': Investigating the U.S. Legal Perspectives on Liability for IoT Product Security" (2025). Faculty Publications. 2262.
https://scholarship.law.wm.edu/facpubs/2262