An awkward juxtaposition of Philip K. Dick and Richard A. Posner does not likely lead to constructive discussions on a sanguine tech future. If Tim Berners-Lee, one of founding fathers of the Internet, would join our imaginary Dick-Posner dialog, Mr. Berners-Lee would be entangled in another Catch-22 situation. Likewise, the advent of the Internet of Things (IoT) led many legal practitioners into curiosity and confusion over the IoT devices and ensuing legal matters. As might be expected, legal issues related to the IoT are not new to us, because those devices are also connected to the Web via either wired or wireless networks; the IoT is a continuum of information and communications technology (ICT). Technical domains inevitably wind up with a high degree of conceptual confusion and convergence. For that reason, legal scholars and practitioners often transpose Internet Law issues onto IoT questions, although widespread concerns over the IoT are largely scenario-based, where legal issues are not always clear-cut.
An Obituary: The End of Yesterday
Gartner Inc. estimates that 4.9 billion units of IoT devices were in use in November 2015—quadruple the number of cars across the globe. The IoT is “networks of objects that communicate with other objects and with computers through the Internet,” according to Eric A. Fischer, senior specialist at Congressional Research Service. The objects are called IoT devices. The IoT devices can simply be any objects with embedded microprocessors, sensors, actuators, and network connectivity. Smart watches notwithstanding, wearable activity trackers, smart home devices, and connected cars are examples of such devices. Those smart devices can track behavior, say, of users and inventories; detect certain measurements from various sensors; and perform analytics of collected and shared data. How sagacious they are!
This smart foray into mundane physical objects will enrich our lives. These miniaturized electronics, computers or robots transform into data-generating objects. These devices interact with their environment and report information on temperature, position changes, brightness and whatnot. These gizmos help businesses collect and analyze real-time data from the environment, and enhance operational optimization and efficiencies. Consumers share the benefits by employing such reporting and analytic intelligence. As Mark Weiser, a forefather of the IoT, has envisioned, we now live in the intelligent environment “that is richly and invisibly interwoven with sensors, actuators, displays, and computational elements, embedded seamlessly in the everyday objects of our lives, and connected through a continuous network.” The same Gartner report forecasts that the number of the Things will reach 20.8 billion units by 2020.
Building Blocks: A Cobweb of Technology and Regulations
Here’s the theoretical minimum of the smart technology: Key elements of the IoT entail (1) unique identifiers and (2) network connectivity. Technical requirements may vary in applications to specific industries, products or services; also in security levels. Our current struggles with the Things are largely due to a lack of technical capabilities, security and standards. These technical challenges might negatively impact this IoT revolution. In a November 2015 interview with Fast Company, Joe Costello, CEO at Enlighted, an IoT tech company that makes sensor-equipped and web-connected LED lighting systems, said about the IoT that ” We can literally tell you how every square foot is occupied every second of every day.” That’s where we are now. In terms of unique identifiers, our previous IP address system, IPv4, can generate approximately 4.2 billion IP addresses, deficient in what’s required for upcoming device demands. The next-generation IP address system, IPv6, by combining Ipv4 with each devices’ unique physical address, can generate 340 trillion trillion trillion addresses. According to Google IPv6 statistics, the IPv6 adoption rate among Google users reached 8.24 percent as of December 11, 2015. It’s just a matter of time to resolve that identifier problem.
Connectivity is a core issue for the Things, and is supplied through a variety of wired and wireless options. No active universal standards support interoperability and scalability across the IoT systems. New ISO/IEEE standards are in the making. In the meantime, it is too early for Ethernet, Wi-Fi, Bluetooth, and Cellular (either 4G or 5G) to join legacy networks. New network standards like ZigBee, 6LoWPAN, Z-Wave and NFC are also emerging. The connectivity may function when two or more devices speak the same language, called a protocol. A protocol is defined as a set of rules to communicate or exchange data across the devices. Transmission Control Protocol/Internet Protocol (TCP/IP) is the most common language for the Internet. In the IoT sphere, the eXtensible Messaging and Presence Protocol (XMPP), the Constrained Application Protocol (CoAP) and Message Queue Telemetry Transport (MQTT) are major protocols to communicate between objects. Despite the popularity, XMPP and MQTT protocols lack of encryption, vulnerable to unwanted access to the data. Like a human world, each smart object speaks its own native language and does not understand each other. In the hope of standardization, businesses may have more leeway to adopt certain standards because a uniform standard across humongous devices and across the globe is less probable.
The current legal system of data protection has significantly advanced since the 1990s. The current regulatory framework covers a wide variety of information, mainly on health care, finance, education, children, etc.: for example, the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the Fair Credit Reporting Act of 1970 (FCRA), the Family Educational Rights and Privacy Act of 1974 (FERAA), the Right to Financial Privacy Act of 1978 (RFPA), and the Children’s Online Privacy Protection Act of 1998 (COPPA), to name a few. Also, the Freedom of Information Act (FOIA) both protects sensitive private information and guarantees public access to government data. Here, we have certain achievements on protection of children and health information.
In a legal vacuum, the Federal Trade Commission (FTC) has been spearheading research, investigation and enforcement related to the IoT. According to the FTC’s 2014 Privacy and Data Security Update, the FTC’s enforcement was focused heavily on online and mobile infringements of consumer privacy. However, the FTC, in January 2015, issued its report on best practices and recommendations in the context of the IoT businesses. The FTC urges industry-initiative self-regulations of the IoT implementations. The recommendations include: (1) a privacy-by-design approach; (2) minimized collection and retention of consumer data; (3) notice of data use and sharing; and (4) consumer’s choice on data use.
The IoT technology adds new dimensions to old cybersecurity policies and procedures. Security failure not only impairs the IoT functionality, but exacerbates the physical risk of objects themselves. Imagine that a connected unmanned vehicle lost control signals, due to either accidental or malicious interference. The consequence may be severe injuries or death. Nonetheless, the demarcation, a traditional security boundary of the Internet, disappears across the IoT network. There is no traditional firewall available for some networks. Meanwhile, a myriad of distinct protocols and standards parallel the IoT networks. Recently, Open Networking Foundation and Specification Group for NFV announced they are developing new network architectures through virtualization software, like software defined networking (SDN) and network function virtualization (NFV). These architectures may facilitate appropriate access control and authentication via centralized programing capability, also segregating or blocking network paths from certain attacks or security breaches across the different protocols.
In the recent TRENDnet case, the FTC applied Section 5 of the Federal Trade Commission Act to smart devices. TRENDnet is a networking hardware company, incorporated in California. The company’s surveillance gadgets, like cloud cameras, were sold for home use. The FTC alleged that TRENDnet’s 20 IP camera products failed to provide reasonable and appropriate measures to secure the live feeds from the IP cameras from hackers’ unauthorized access to sensitive information at home; and that the camera software was also flawed, with malfunctioning login credentials and privacy settings. As a result, a hacker posted approximately 700 cameras’ IP addresses obtained from the company’s website. Those cameras were broadcasting daily activities from the home user’s IP cameras. Nonetheless, without proper notice to consumers, TRENDnet falsely represented their products as reasonably secure. This is our first encounter with genuine smart device cases, by definition.
The broadband issue also plagues the IoT technology. Although IPv6 may be arguably the optimal solution to the unique identifier assignment of each IoT device, the current spectrum policy may not meet the demands of IoT businesses. By 2020, governmental agencies plan to unleash extra bands of spectrum for commercial uses, in accordance with the explosive volume of smart devices and their traffic. Meanwhile, there have been ongoing efforts to improve the digital divide and to apply the net neutrality tenets. In 2010, the FCC issued its Open Internet Order involving the tenets of net neutrality: transparency, anti-blocking and nondiscrimination. However, in Verizon v. FCC (2014), the court vacated the portions of the FCC Open Internet Order because the FCC “ failed to establish that the anti-discrimination and anti-blocking rules do not impose per se common carrier obligations” on broadband providers. Still, the Verizon court allows the FCC to “promulgate rules governing broadband providers’ treatment of Internet traffic.” The solution to the spectrum issue may need an ingenuity that integrates conflicting business strategies.
A Field Trip: Case Law Developments
Privacy matters are intertwined with cybersecurity and data breaches. No single law provides a uniform set of rules governing all the issues related to security, safety and privacy. A majority of legal challenges may be resolved on a case-by-case basis; this makes more sense to us, because the real-world problems are not well-defined as far as the technological aspects are concerned.
Radio Frequency Identification (RFID) technology has been generating arduous legal battles. RFID technology employs wireless microchips for tagging objects for automated identification. RFID is a precursor and competitor of the IoT technology. IDTechEx’s 2015 Report forecasts that 8.9 billion RFID tags would be sold worldwide in 2015. A RFID system contains a data-holding device and a RFID reader. The data from the RFID devices is stored in the separate database system. The recent comprehensive implementations of RFID technology include public school IDs and chip-based credit cards. One security issue is that, without a proper security covering, a random RFID reader can reach the RFID chip up to several hundred feet outside of the device holder’s line of sight. The FTC’s 2005 Staff Report on RFID encouraged industry-led initiatives on self-regulation and identified that the major privacy issue on RFID technology was the database security against unauthorized access or misuse of stored data.
In Hernandez v. Northside Independent School District (2013) where a school district used embedded RFID tags in students’ Smart ID badges for identification, safety and security purposes, the court denied a preliminary injunction sought by a student because the school district provided a RFID tag deactivation option for students without significant burdens. Although the major issue of the case was on a free exercise of religion, the court remarked that “the District has a compelling governmental interest” over the safety and security in the public school system. Furthermore, the court deemed RFID tracking technology as “one of the least restrictive means” among different safety and security methods. However, the fact patterns may be common in other tracking device cases, say, in workplace privacy disputes.
Human usage of technology will have legal and economic implications. Despite legal and political concerns over the IoT, the IoT technology and its environment are still taking shape. Technologists need more time to improve connectivity, apps and security applied to each smart device. In this context, as the FCC recommends, former Ontario Information and Privacy Commissioner Ann Cavoukian’s concept of “privacy by design” may be a good proactive approach to the overall issues. Its seven tenets are: 1) proactive, not reactive; 2) privacy as the default setting; 3) privacy embedded into design; 4) full functionality without trade-offs; 5) end-to-end security; 6) visibility and transparency; and 7) respect for user privacy.
In its infancy, the IoT could evolve into either a benefit or disaster to our future. “I want a web where I’m not spied on, where there’s no censorship,” said Tim Berners-Lee in a 2014 interview with The Guardian, suggesting a new online bill of rights. Voila! It’s a right time to be proactive.
About the Author
Immanuel Kim is a New York bar candidate, interested in technology law and legal technology, bioinformatics, artificial intelligence, big data analytics, and e-discovery.