The R Street Institute hosted an expert panel last month to explore ways in which the “internet of things” is affecting cybersecurity, privacy and ownership rights. With cyberattacks on the rise and increased adoption of networked devices, these issues are now at the forefront of tech-policy debates.

The panel included University of Washington law professor Ryan Calo, Pepperdine University law and public-policy professor Gregory McNeal, Owners’ Rights Initiative Executive Director Andrew Shore and George Mason University law professor James Cooper.

The internet of things erodes traditional concepts of ownership. If the software in your fridge or thermostat is licensed, how does one transfer the license to new homeowners? Shore advocated for the You Own Devices Act—better known as “YODA”—which would allow the transfer of software ownership for the purposes of security updates and bug patches.

Privacy is another challenge. Calo highlighted a scenario in which one’s home’s devices become, in effect, “tiny salespeople,” offering products for sale and eroding spaces traditionally reserved for privacy. Calo further added that the internet of things presents opportunities for companies to communicate privacy information in ways people can digest.

Cooper argued the traditional notice-and-consent privacy model inadequately informs consumers. However, the existence of sensor-heavy environments does not mean that we need a new regulatory regime to protect privacy. Instead, the Federal Trade Commission should continue to pursue a harm-based approach. Both Cooper and Calo agreed that notice is better than the heavy-handed approach of dictating how devices are designed.

McNeal said he believes companies’ incentives need to change before they will improve their cybersecurity and privacy practices. Right now, privacy and cybersecurity are viewed as compliance tasks, rather than mission-critical features. Thus, cyberattacks—such as “ransomware” and distributed denial of service (DDoS) attacks—are becoming more prevalent and attracting the attention of lawmakers.

But sloppy government mandates for device security could harm innovation, by adding costs to businesses. They also could diminish security by mandating outdated solutions or lead to baked-in vulnerabilities, such as backdoors for government access.

Video of the full panel is embedded below:

Featured Publications