Is Anyone Reselling/Distributing Hubitat?

This is highly subjective to lawsuits and makes a very good reason to utilize an LLC or C-Corp for business activities. I would never provide a product/service to consumers without legal protections from their endless capabilities of using things incorrectly and blaming someone else.

1 Like

I agree, I would never really advocate anything but an LLC at minimum for anything security related. I doubt, however, that the legal liability is as bad as some are suggesting. There are plenty of professionals already installing a variety of non-proprietary products together without consequence. Home automation is not exactly a novel idea; it is merely more accessible now. There is no exact standard of the insurance or contracts, but the liability is less than you might think. Most insurance companies would classify a smart home installer as a "Low Voltage Electrician", which generally carries pretty low costs. The odds of burning down a house with any of this stuff are very slim, even lower when you consider how much of this stuff has shifted to battery powered, even in professional installations.

1 Like

The legality and licensing requirements are tricky and vary by state. In some states the home owner can do "changes" and minor "repairs" but in others the simple thing of changing a switch requires a licensed electrician. It's a sticky mess. Definitely nothing less than an LLC otherwise you're literally sticking your own neck out there!

As for the VPN thing, I don't think this would be as big of an issue as suggested. I have to agree with erktrek on this one:

Getting the user to run the vpn client app on their device is fairly trivial though. I would probably spin it as "extra security" for your remote home access.

I saw it mentioned somewhere, either here or on a security camera forum. So many business professionals are required to use a VPN simply to access work emails on a regular basis. Oftentimes it is a security standard. Familiarity with VPNs is rapidly increasing and I think it can be easily spun as a necessary security measure, which it is.

In Europe, if it came to court that you had in some way misled the customer, you would be in some trouble.

Just see how many times fb or google or msft were sued in Europe just because of their T&C.

In what way is this misleading the customer? It's literally more secure to use a vpn. It's just more hassle, hence why he said "spin it". There is no misleading there lol.

It's hard to explain to be honest.
But in summary, if you granted yourself more access than what is strictly necessary, you are liable.

There is a workaround though. You can build your RPI with a custom build where your RPI can only communicate with a specific MAC address (the HE) and all other traffic is rejected.

Just an example: a company (that should be kept anonymous for legal reasons) built a device. That device collected confidential information like workforce habits and patterns, and that data would be stored on the hard drive to drive usage statistics. In the T&C it was written that all data collected was not shared external to the device and was used only by the device to generate usage data analytics.
However, this device also had a support function that, when activated, would grant access to the device as root through a dedicated VPN with an HW token provided by the customer.
The company reached an agreement with one of its customers for 1.7 million dollars for a data breach, as it failed to ensure that their employees that connected to the device would not have access to customer data.
3 weeks later the company issued a FW update that encrypted all customer data, which could only be decrypted with customer-authorized HW keys.

2 Likes

I agree about LLCs - relatively easy to set up. You can be held personally liable under certain conditions.

I usually work with a licensed Electrician for wiring (network, power, AV) on these kinds of projects. Keeps the builder happy and reduces my risk.

1 Like

The issue is if I am supporting the HE chances are I'm supporting the computers on the local network, assisting with firewall configuration/WiFi connectivity with the routers etc as well. I guess like you said you would need a very specific agreement between both parties.

We have similar restrictions with personal medical records called HIPAA Requirements.

Exactly, you would need specific binding legal agreements. The key operative word being specific.

1 Like

Yeah, I apologize, because I slightly misunderstood what you were saying, since we're talking about two different use cases of VPNs in this thread. But yes, you have absolutely opened my eyes to something that could be a potential liability. We will certainly make sure to protect ourselves against this. I think a carefully worded legal agreement plus your recommendation of specific firewall settings is also necessary. Definitely will only allow our VPN machine to communicate with the necessary components of the system.

1 Like
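The two posts above, the Pi that may only talk to the hub's MAC address and the VPN machine limited to the necessary components, come down to a default-drop firewall on the support Pi. The following is an added example, not code from any poster or from Hubitat: a shell function that renders an nftables ruleset for that setup. The interface names, the WireGuard port, the hub IP (TEST-NET-1) and the hub MAC (documentation range) are all assumptions, as is a static address on the Pi.

```shell
#!/bin/sh
# Added example: render an nftables ruleset that lets a support Pi talk only
# to the hub. Every name and address here is a constructed placeholder.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

render_hub_only_ruleset() {
    hub_ip=$1 hub_mac=$2 lan_if=$3 vpn_if=$4 vpn_port=$5
    valid_ipv4 "$hub_ip" || { echo "bad hub IP: $hub_ip" >&2; return 1; }
    valid_mac "$hub_mac" || { echo "bad hub MAC: $hub_mac" >&2; return 1; }
    cat <<EOF
table inet support_pi {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    # Encrypted tunnel packets from the installer (WireGuard assumed)
    iifname "$lan_if" udp dport $vpn_port accept
    # SSH is reachable only from inside the tunnel
    iifname "$vpn_if" tcp dport 22 accept
    # LAN side: the hub only; source IP and source MAC must both match
    iifname "$lan_if" ip saddr $hub_ip ether saddr $hub_mac accept
  }
  chain forward {
    # The Pi never routes tunnel traffic on to the customer's LAN
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    # No link-layer header exists yet at this hook, so match the hub by IP
    oifname "$lan_if" ip daddr $hub_ip accept
  }
}
EOF
}
# Constructed values: TEST-NET-1 address and documentation-range MAC
render_hub_only_ruleset 192.0.2.10 00:00:5e:00:53:01 eth0 wg0 51820
```

A MAC address can be spoofed by any device on the same segment, so the MAC match narrows access but does not authenticate the hub; the dropped forward chain is what keeps the installer's tunnel from reaching the rest of the customer's network.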

:slight_smile:
Been there (I do mentoring/coaching for startups) so just sharing my experiences.
Also ensure that you have internal process flows that can be audited if it ever comes to the point where you need to demonstrate that you have internal failsafes in place. A nice Visio workflow demonstrating the process will do.

1 Like