The Internet of Things: legal considerations
There will be many ongoing legal challenges for the internet of things.
What is the Internet of Things?
In the last decade, broadband internet has become widely available. The FCC reported that in 2015, 83% of Americans had access to at least broadband internet.
As internet access has grown, more and more devices are being created with wifi capabilities. Simply put - the "internet of things" is the idea of connecting any device with the internet. By extension, this means that devices can also connect to one another via the internet - without human interaction. The type of devices that can be plugged into the internet of things knows no bounds - everything from cell phones, coffee makers, washing machines, and headphones to lamps and refrigerators is capable of being connected.
This also applies to pieces of a machine. For example, Tesla is rolling out a program where Teslas will automatically update the car's software and, if necessary, automatically schedule a checkup with the Tesla dealership for required maintenance - all without human intervention.
Gartner, an analyst firm, estimates that by 2020 there will be over 26 billion connected devices.
The National Fraud Intelligence Bureau reported that 70% of the roughly 231,000 frauds recorded in 2013 - 2014 included a cyber element. This is a stark contrast to only 40% in 2008 - 2009.
There is no reason to believe this will be any less true regarding the internet of things. In fact, an HP study reported that 70% of IoT devices are vulnerable to attack. The key vulnerability inherent in the IoT model is that a network is only as secure as its various access points. Ernst & Young published a report on this topic which states, "The security of the “thing” is only as secure as the network in which it resides: this includes the people, processes and technologies involved in its development and delivery."
In other words, regardless of *your* level of security - your net level of security is only as good as the network's security as a whole. For example, would it be possible for criminals to use your central heating system to access the digital locks in your home, your computer, or your cell phone? The answer (unfortunately) is yes. In 2014, the U.K. firm Context Information Security confirmed that they were able to hack into a home's wifi network through a wifi-connected LED light bulb.
The hacked LED light bulb example highlights a key point that the FTC has homed in on - the distribution of inexpensive devices might actually pose a higher risk to consumers because the device makers lack the economic incentive to provide software updates and support when security vulnerabilities arise.
In the United States, there is no single, comprehensive federal law that regulates the collection and use of personal data. Rather, the US has a patchwork system of federal and state laws that often overlap with one another. Additionally, many government agencies (the FCC, for example) develop guidelines that are considered "best practices."
Thus far, there has been no comprehensive law that has been directed at the possible data protection implications posed by the IoT. Interesting implications include:
- Big Data. These devices will constantly generate immense amounts of data about everything from how frequently you brush your teeth to what temperature you sleep best in. In addition to the security risk, companies will need to house more of this data in the cloud, and internet telecom companies will need to provide the infrastructure for more bandwidth to support the growth in Internet traffic.
- Open Ecosystem. Currently Microsoft Windows, Apple iOS, and Google Android have created an interoperable ecosystem. Devices can more-or-less interact seamlessly with one another. However, this same standard does not yet exist in the IoT. Companies are currently creating private networks that are incompatible with others. In addition to the practical considerations this poses - it also allows for more potential security holes to develop in the network.
Property Damage & Bodily Injury
The IoT, by default, is a network of physical objects that reside in the physical world. These objects, if something goes awry, could cause immense physical harm or bodily injury.
There are three key ways that vendors could become liable for damage to consumers:
- Software glitch. A malfunction of an IoT product due to a software glitch could result in physical damage to property or to an individual. For example, an insulin pump that fails to properly monitor a person's blood sugar level and deliver insulin properly could harm the individual.
- Outside attacks. An IoT gas range stove that is hacked inside a home could cause property and fire damage. Similarly, sprinkler systems inside an office building could result in hundreds of thousands of dollars in damage if activated by hackers.
Car Hacking - is it a real threat?
The "car hacking" scenario became a real possibility in July 2015. As the Washington Post reported, hackers were able to hack a 2014 Jeep Grand Cherokee while it was driving full speed on an American highway. Actions the hackers were able to take included: blasting cold air through the car's vents, turning on the windshield wipers, and killing power to the car entirely.
Shortly after the story was published, two senators unveiled a new bill aimed at keeping IoT connected cars from getting hacked. The bill's sponsors stated, "drivers shouldn't have to choose between being connected and being protected... we need clear rules of the road that protect cars from hackers and American families from data trackers."
Should this bill be passed - it would represent a federal standard for IoT connected cars, which would by extension put a burden on car manufacturers to maintain strict levels of security in all automobiles they produce.