We’re lucky to live in the US. One of the things we routinely take for granted in our country is the general safety of virtually all products available to us, regardless of marketplace. Especially with physical goods like food, toys, automobiles, and cosmetics.
There’s a ton of product safety testing in the US by multiple types of organizations.
There are government institutions responsible for safeguarding most physical goods available for purchase by US citizens like the USDA, FDA, FTC, Product Safety Commission, and NHTSA. Plus a variety of self-regulating industry organizations (like IIHS for cars), compliance testing orgs like Underwriters’ Labs, and also non-profit watchdogs like the Environmental Working Group. There is a sizable amount of product safety testing happening in the US. Huzzah.
But there are two key problems. First of all, product testing is completely absent when it comes to consumer software and most software-driven products. As we’ve noted repeatedly, there is no widely adopted safety standard for software [1], whether it’s a mobile app, embedded in a medical implant, in your TV or your car. There simply is no discipline called “product safety” for software. I’m not going to go into the myriad hypotheses around why this is the case. I think the biggest one is that if we’re not bloodied and broken in some obvious way, we don’t see harms. Just look how long it took the world to identify and hold big tobacco accountable for harms that are only perceptible over a long period of time.
Secondly, product safety testing isn’t bulletproof. More to the point, product safety testing isn’t immune to the incentives and needs of the entities that fund and support the testing organization. Safety risks are constantly falling through the cracks of even the most rigorous safety testing organizations. For most software, industry’s financial incentives don’t align with prioritizing consumer safety, especially when the harms are hard to see. [That’s being gracious. Harms fall through the cracks even when they’re obvious—see the salmonella reference below.]
And there’s a third important dynamic at play: product safety is often an a posteriori consideration, meaning product safety considerations appear after a product is launched and in use. Creators of new technologies and innovations can’t fully predict the safety risks that emerge from widescale adoption, even with the best of teams. Misuse and abuse case identification as a part of product definition is a fledgling practice, if present at all. It takes extremely imaginative minds to conjure up the emergent ways technologies will harm in the future, though a priori product safety assessment as a cultural norm in software development is what’s needed.
But there’s a more nefarious dynamic at play when it comes to product safety and it’s the pervasive tactic of placing the onus for product safety on the consumer. I’ve recently come across two examples of this in US product safety history.
I recently watched “Poisoned: The Dirty Truth About Your Food” and learned about the 1974 legal decision [2] supporting the USDA’s claim that salmonella was “not an adulterant”. Note that the USDA is responsible for keeping meat, poultry and fish safe for US citizens. In other words, the USDA was saying that salmonella is reasonably safe for people to ingest. The documentary cites media at the time essentially saying: “It’s the housewife’s duty to cook the poultry properly and keep the family safe.” (In that case, housewives really should be making a SHIT TON more money, but I digress.) The point here is, note how the onus for safety is neatly shifted onto the consumer.
The second occurrence was from Ralph Nader’s seminal product safety book, “Unsafe at Any Speed”, where he shines a light on this same thinking for the inherently dangerous design of the 1960-1964 Chevy Corvair. For those unfamiliar with this landmark case, if the front and rear tires weren’t inflated just so, the vehicle was liable to flip all by itself, earning a reputation for one-car accidents. So, if the drivers of Corvairs drove the car gingerly enough, if they fastidiously kept the tires properly inflated, they what? Earned safety? Otherwise, too bad for you, car flips. Yikes. Thankfully, in 1965 the car was redesigned, eliminating the treacherous stability problem.
“Instead of stability being inherent in the vehicle design, the operator is relied upon to maintain a required pressure differential in front and rear tires. This responsibility, in turn, is passed along to service station attendants, who are notoriously unreliable in abiding by requested tire pressures. There is also serious doubt whether the owner or service man is fully aware of the importance of maintaining the recommended pressures.” (page 24, “Unsafe at Any Speed”, Ralph Nader)
So who is responsible for product safety? What’s the manufacturer’s responsibility and what’s the consumer’s responsibility for product safety? And what’s government’s responsibility? Surely the bulk of responsibility for reasonably safe products necessarily falls on the manufacturer. At the same time there is also a responsibility for reasonable behavior on the side of the consumer. Like, don’t make toast tub-side. In similar fashion, government also bears some responsibility for safety of its citizens. Though the FTC is doing more to keep people safe from software harms than the Product Safety Commission; and the FCC also covers safety considerations on telecom products. So it’s confusing.
The California Privacy Protection Act also pushes the burden of safety onto consumers by allowing technology to, by default, surveil, collect, share and sell data to its heart’s content unless and until the consumer “opts out”. Boo.
At ISL, we take a simple view of it.
We believe product safety is a human right.
That might sound extreme, but so long as the world turns on the axis of capitalism, consumer product safety really must be a fundamental human right. The manufacturer must be accountable for reasonably safe products. Meaning, the consumer, using the product as expected, using it normally, should be safe.
ISL is here to help. We fill the missing gap by defining software product safety standards, measuring and quantifying safety risks in mobile apps and websites. While we in the US wait for more comprehensive federal laws, building products that comply with the ISL safety standard will go a long way towards product compliance with both GDPR and CPRA.
As noted above, safety features are quite often a posteriori; they evolve over time, once we know what the actual harms and risks are. Cars didn’t start off with safety belts, windshield wipers, and headlamps. We would NEVER accept it as the consumer’s responsibility to add basic safety features onto their car. Imagine if we had to install our own seat belts and airbags.
But that’s what we do with software/internet-connected technologies. The burden is always presently on the users of technology to keep safe, which is absurd. If connected tech manufacturers can’t keep track of where a user’s PII is going, how can it possibly be the consumer’s responsibility? Manufacturers say: “Here, use this. It’s going to be GREAT. It’s going to improve your life in every possible way. We’re not going to provide you with any clear or detailed info into what’s actually happening that might be risky to you. And if we do, it’s going to be long, complicated legalese that you’ll never have the time or wherewithal to read. But trust us.” Again, imagine if that’s what automobile manufacturers did? We’d never stand for it.
Once again, ISL to the rescue with Safety Labels for mobile apps. One day, independently provided product safety labels will be the norm for connected tech, and we’re leading the charge to keep everyone more informed about the risks. And by “everyone” we mainly mean developers, enforcers, policy makers, litigators, technology procurers, and journalists. Yes, the labels can be used by consumers, but they won’t be indispensable until there are more and safer alternatives. So for now, we’re focusing on providing tools and data for the people who can make connected tech safer.
Because safe products are not the consumer’s responsibility.
[1] ISL has a standard, but it’s not widely known or adopted yet: https://internetsafetylabs.org/resources/specifications/isl-safe-software-specification-for-websites-and-mobile-apps-v1-1/
[2] American Public Health Association vs. Butz: https://casetext.com/case/american-public-health-association-v-butz