Encryption does not prevent you from doing that, just everyone else.
Of course, with non-free software and walled gardens, that might involve some amount of reverse engineering, injecting a CA certificate in a trust store so you can run a MitM proxy, or do something to bypass key pins, but that's never really stopped anyone from finding out what an application is sending on the wire.
You acknowledge that there is a certain amount of traffic that ought to be encrypted, so you really need a solution for all applications either way.
Effectively, I feel like it does prevent you from doing that due to the reverse engineering necessity. The time multiplier between engineering vs reverse engineering is too large.
Who's going to spend the time hacking through {random Chinese smart lightswitch clone #8392727} that's sold in small volume?
There's going to need to be a legal "right to decrypt traffic" on black boxes, if we're serious about this.
And that's where we run into problems. How do we make it so that You can decrypt the traffic from your devices, but random hackers, your ISP, the NSA, etc can't? It's the same arguments against special decryption keys for the Government - a backdoor for one entity can be exploited by other entities.
How do we make it so that You can decrypt the traffic from your devices, but random hackers, your ISP, the NSA, etc can't?
The suggestion made at https://news.ycombinator.com/item?id=13303650 of terminating TLS at the border addresses this --- traffic on the public Internet is encrypted, but is decrypted in the private local network. In some ways it is similar to a VPN. I run a filtering/adblocking proxy that works in the same way.
Any pointers on what the encapsulation for that would look like? It seems like one good option, but I'd say it's only feasible if it doesn't require work on the part of the manufacturer.
My other thought was just mandating a method of loading CA certs onto all IoT devices using an open standard connector. If the owner so chooses.
Of course, with non-free software and walled gardens, that might involve some amount of reverse engineering, injecting a CA certificate in a trust store so you can run a MitM proxy, or do something to bypass key pins, but that's never really stopped anyone from finding out what an application is sending on the wire.
You acknowledge that there is a certain amount of traffic that ought to be encrypted, so you really need a solution for all applications either way.