Lack of existing case law may fuel legal battles in which companies in the IoT market will have the most to lose.
Prosecutors and defense attorneys often cite prior case history to bolster their position. However, legal precedent is sorely lacking when it comes to cases involving the Internet of Things (IoT).
"Many of the legal challenges arising from smart devices that are always sensing and tracking our behavior are new," said the authors of the Mason, Hayes, and Curran Tech Law Blog in the post The 'Internet of Things': Legal Challenges in an Ultra-connected World. "Consequently, it is not always easy to apply existing laws to the range of IoT devices in the market."
As to what might legally constitute an IoT device, Eric A. Fischer, senior specialist at Congressional Research Service suggests:
"Networks of objects that communicate with other objects and with computers through the Internet. 'Things' may include virtually any object for which remote communication, data collection, or control might be useful, such as vehicles, appliances, medical devices, electric grids, transportation infrastructure, manufacturing equipment, or building systems."
In the hope of preventing companies from becoming unwilling partners in creating legal precedent, the Mason, Hayes, and Curran authors present information about legal challenges businesses do not take into consideration, but should. These challenges include:
Privacy and security. As mentioned earlier, legal cases involving sensing and tracking the behavior of individuals are new, and prior case law is nonexistent. The lack of case law makes it difficult to predict court verdicts or how companies involved with IoT devices should handle privacy and security.
Regulations in EU and US. The blog's authors said that the U.S. Federal Trade Commission (FTC) released a report in 2015 that contains the following recommendations for companies designing or developing IoT devices:
- Data security: IoT companies should create devices so they are physically secure out of the box.
- Data consent: IoT companies should let users choose what data they share and promptly notify them of a data breach.
- Data minimization: IoT companies should not collect more data than they need.
The post also said that the FTC guidelines appear fairly consistent with many of the recommendations from the EU's Article 29 Data Protection Working Party Opinion.
Chain of liability. Something not on the books is who is liable when an IoT device malfunctions and causes personal or property damage. The Mason, Hayes, and Curran blog offers an example: "If a self-drive car accelerates too quickly and causes a traffic accident on the M1 motorway, it is complicated to determine who in the chain of supply is liable to the user. Every stakeholder, from the IoT end-supplier in Ireland to the device manufacturer who could be located in China... will scramble to review the terms of their respective contracts and each may try to 'blame' the next party along in the chain of liability."
Complex ownership scenarios. The authors are concerned that gathered data may be exploited for multiple reasons, including target advertising and determining the company's overall strategy. Consumers can be affected as well. "From a legal perspective, ownership of data becomes complicated in a home using a range of connected IoT devices from different suppliers that share the user's data between devices."
Availability of bandwidth and net neutrality. A subject not often discussed is what to do about all the predicted IoT devices and the massive amounts of data they will create. The blog post mentions that unless there is a significant investment in infrastructure, IoT users may be required to pay a premium for unlimited and unmetered access to the internet, which will further fuel the legal battle between net-neutrality advocates and those who favor a multi-lane internet.
Intellectual property. In the rush to be first to market with new IoT products, one company's proprietary technology—in particular, software and APIs—may be infringed upon by competitors. The authors said, "Companies designing IoT solutions should carefully consider how they can protect the IP they create, and ensure they are not infringing upon someone else's IP."
Automated contracts: This will be a fascinating area to observe. There is no case law for when a contract formed between two machines goes bad. The blog post offered an example: "A 'smart' washing machine may know that a user is running low on washing powder and order a box directly from the website of the local supermarket using the user's pre-programmed account log-in details, address, and credit card information."
The authors added that legally, people can set up orders to replace items already purchased over the internet. However, it is unclear whether that applies to a contract between two machines. "The uptake of IoT may also require the review of definitions used in consumer legislation as the current definitions contemplate some form of communication between traders and consumers."
Final thoughts from the authors
The authors pointed out that it is nearly impossible for legal precedent to keep pace with fast-evolving disruptive technologies such as the IoT, which in turn means the industry will likely face regulatory and media scrutiny.
They believe that companies can turn this into an advantage by adapting their products accordingly: "This will allow businesses to differentiate from the competition in the market and position themselves as businesses offering products that help customers interact with their devices while minimizing the challenges of an ultra-connected world."
- 10 ways to implement IoT for business advantage
- The rise of IoT hacking: New dangers, new solutions
- Internet of Things: The Security Challenge (ZDNet special feature)
- Executive's guide to securing the Internet of Things (free ebook)
Has your organization begun to take measures to protect against potential legal issues involving IoT technologies? Share your thoughts and experiences with fellow TechRepublic members.