monument valley

It’s 2020 and you get home from work one evening to discover an angry group of neighbors crowded at your apartment door. Inside, your landlady and a team of firemen are attempting to clear up a flood that’s spread throughout the kitchen, bathroom and living room. It’s even run through to your neighbor downstairs.

What happened? Disaster! Your IoT water management software malfunctioned that morning and turned on all the water sources in your apartment at full blast — the shower, the sinks, even your washing machine. Within a few hours they’d flooded the flat, causing thousands of dollars’ worth of damage.

Legally, who’s to blame? Is it you? Did you forgot to install the latest update to your water management software? Is it the plumbing company that connected your faucets to the Internet? Did they make a false connection somewhere? Or is it the software developer, who accidentally worked a bug into the program which meant the flood was likely to happen to someone somewhere?

As has so often been the case with the Internet, our legal frameworks are playing catch up with runaway technology. Gartner estimates there will be up to 6.4 billion Internet of Things devices installed by 2020, the vast majority of which will be in the homes, vehicles or worn on the bodies of consumers. Despite this enormous market, there’s currently very little specific legislation covering the IoT.

This doesn’t mean there’s no coverage. Rather, we have a wide mish-mash of laws, directives, regulations and best practice guidelines. Let’s see what’s already in place and see what the future might hold.

Case Study: TRENDnet’s SecurView Camera

Remember the TRENDnet case from 2013? It was probably the first example of an IoT provider being taken to court. The company’s SecurView cameras were designed to give home owners a method of monitoring their properties — to protect against intruders, or spy on their spouses or to ensure their children were up to no good. TRENDnet gave customers cloud based, real time streaming, so that even when they weren’t at home, they could see what was going on.

The problem was, SecurView wasn’t so secure. According to the Federal Trade Commission, a hacker spotted a weakness in the software’s design which led to over 700 live feeds being posted online.

More Than Just Privacy

Concerns over security top many people's reservations with the Internet of Things. Naturally, no one wants their private and intimate details broadcast over the Internet (unless they themselves are posting them). A survey with 2,062 American consumers showed that 78 percent were “highly concerned” about their data being sold after being collected from IoT devices.

Besides private data simply being sold or hacked in a brute manner, the IoT also poses some indirect issues:

  • The concept of a fridge that automatically orders food when it gets empty seems appealing. However, supermarkets might be able to infer things about us we wouldn’t want to tell them outright. Our choices of foodstuffs say a lot about religious (kosher or halal food for instance) or political beliefs (if you never buy meat or dairy) or medical conditions (if you never buy peanuts)
  • Google Glass may have stalled out of the gate, but we can expect to see similar hardware burgeon in coming years. The ability of strangers to film us without our knowing raises a lot of questions about who owns our image and what kinds of consent will be required to use these tools
  • Writing in CIO Review, Mark Radcliffe asked who would own the data pertaining to a cardiac monitor: the manufacturer of the implant, the physician, the health insurer or the patient. The cardiac monitor is just one example, but raises important questions about ownership of data

There are, of course, hundreds of other potential issues that the IoT raises. So what legislation, rules, recommendations and guidelines do we already have in place?

On the Books

1. Existing privacy laws

At present, we have a mish-mash of laws around the world which, to a varying degree, enforce general cybersecurity in relation to Internet users. Quoted in The Financial Times, Ruth Boardman, joint head of the international privacy and data protection group at law firm Bird & Bird, describes the European Union’s approach:

“The existing directive gives high-level principles rather than being prescriptive so I think it is able to cover the new technology … At the moment people have to ask on some issues of data collection whether consent has been given, and whether it is transparent or proportionate, and it is for people to work out how the principles apply.”

In the US, a January 2015 FTC report recommends a series of practical steps IoT providers can take to ensure they don’t break any existing laws on data security. These include common sense principles such as incorporating security by design and training employees about security.

The story goes the same for the rest of the world. Existing general data protection laws are fairly high level and therefore are expected to cover any issues related to IoT too.

2. Existing labor laws

Many IoT devices are likely to step on the toes of existing laws elsewhere. It’s here that lawmakers and manufacturers need to start taking notice.

For instance, there is a whole range of devices which can be used to monitor employees at work. These devices might not be legal everywhere — in Italy devices whose sole purpose is to monitor employees are illegal. Where do wearable technologies fall in relation to such a law, especially if one unscrupulous manager misuses such a device?

3. Liability

At present, there are many different national and international frameworks covering liability for products and services which malfunction and cause harm, damage or even death. However, we haven’t yet seen how these apply to the IoT. Certainly, some cases will be pretty straightforward, others far less so.

Take last July’s hacking of Chrysler’s Internet enabled jeeps. In the past, a faulty vehicle could be blamed on the manufacturer. However, once third party programs and APIs are involved, it becomes a lot trickier to pinpoint who is at fault for an accident.

4. Ownership

As pointed out above, the IoT makes questions about ownership of data a lot more complicated. We do already have fairly clear laws about who owns, say, private health data. In the US, the HIPAA act covers data ownership pretty clearly, showing who owns the information, who can see it and what they can do with it.

But once again, the IoT conflicts with existing laws here. As in the example of a cardiac monitor above; it’s important — if not vital — that the device’s manufacturer can see your data and update software if necessary.

More Questions Than Answers

For most people, the IoT currently consists of the GPS tracker on their smartphone, perhaps a fitness wristband and an app or two in their vehicle. Some trend setters will already be using IoT tech around the home, but within the next few years this minority will become the majority.

Current legal frameworks seem unable to truly accommodate the IoT and respond to the diversity of specific challenges they’ll present — whether that’s to do with privacy, IoT at work, liability, ownership and anything else.

Legal firms and regulatory bodies across the world are certainly stepping up to the challenge of the IoT and have produced a range of guidelines and recommendations, yet we’re still far from clear, specific laws.

Looking forward, events such as this summer’s IoT Security Summit in Boston will hopefully push these and other issues up the policy agenda. As exciting as the prospect of the IoT is, ensuring a strong legal framework underpins its evolution is key to ensuring it works for, not against us.

Title image by Fre Sonneveld