In the finale of the latest season of HBO’s Silicon Valley, a network of “smart” refrigerators was the unlikely hero. In earlier episodes, the fictional Pied Piper company installed its innovative software – designed to compress and store peer-to-peer, shared data – in its home “smart” refrigerator. Due to some glitch, the software was downloaded by other refrigerators of the same model. Unknown to the company, the refrigerators continually backed up the data stored in the Pied Piper network, thus serving as the only data recovery mechanism when the network’s supercomputer crashed.
While the plausibility of such an event – appliances saving an entire company’s database – is questionable, the storyline successfully portrays the present and likely future capabilities of the Internet of Things (IoT): the system of physical objects with embedded hardware and software that enable communication with other objects and computers. IoT devices have the ability to recognize persons, objects, and events, comprehend environmental conditions and changes, and react without human intervention.
Nowadays, almost all industries have taken advantage of IoT technology. Retail companies use devices to gather data from in-store observation of shoppers and optimize retail layouts. In health care, microcameras placed in internal organs help determine sources of diseases. U.S. utility companies install smart meters that record detailed power usage and allow for two-way communication with their customers. IoT technology has likewise crept into consumers’ daily lives. Aside from refrigerators and meters (88% of the 65 million smart meters installed in 2015 were for residential users), smart homes have Internet-connected thermostats, lighting, entertainment systems, and alarms. There is a growing market for wearable technology (such as smart watches) that tracks health indicators and for connected cars that offer enhanced operations, maintenance, and passenger experience.
Given the benefits that IoT offers, its use is naturally expected to increase. Experts estimate that IoT units will grow from around 4.9 billion as of 2015 to between 24 and 30 billion by 2020. Further, IoT will have an economic impact between $4 and $11 trillion by 2025 at a rate of 16.1%. With this projected growth, it becomes imperative for the industry and regulators to address the legal risks affecting IoT. For individual users, the most crucial issue perhaps is the privacy and security of personal information contained in the IoT network.
Many IoT devices are programmed to continuously collect personal data to enhance their functionality and facilitate efficient use of resources. Consumers expressly or implicitly consent to this upon purchase of the devices that promote these features. But, to what extent? What kind of data do they allow to be collected? And how often should data be monitored and gathered?
Users exercise less control over the manner of data collection in IoT, as devices often have automatic settings with no user interface to configure privacy preferences. Even where settings are changeable, the device’s functionality itself precludes selective data collection unless the user forgoes all or some of its “smart” features. For instance, the Amazon Alexa, once activated, automatically captures all sorts of data – TV programs or background noise – the recording of which may not have been contemplated. Also, IoT devices subject multiple persons to the same data collection activity, e.g., most smart televisions and video game machines are programmed to continually monitor and record sound or room activity. Here, the non-users – third parties who did not purchase the IoT device and are not aware of its presence – cannot be deemed to have consented to the data collection.
Another privacy issue involves the use of collected personal data. IoT companies know the value of personal data and will likely exploit the data beyond the expectation of consumers through aggregation, repurposing, and sharing with third parties.
As IoT devices collect data pervasively, the aggregation of that data may reveal precise aspects of daily activities, habits, and preferences, creating an intrusively detailed personal profile. Further, the bulk of raw and aggregated data in the IoT network may be repurposed with the use of algorithms and analytics engines. In the case of Alexa and similar personal assistants, it is reasonable to assume that the user consented to the use of data to improve the device’s performance. But can Amazon utilize such data to facilitate targeted marketing on its website? This commonplace strategy is already a major issue with social media and electronic commerce – my Facebook and Amazon accounts seem to know more about my shopping preferences than I do – and is thus an especially significant concern of many smart home users.
An even scarier prospect is data sharing between IoT companies and third parties. Early this year, rumors about iRobot sharing “mapping” data with Amazon, Apple, or Google raised this concern (high-end Roomba models collect data to identify the locations of walls and furniture, which ultimately creates a “map” of the user’s home). In most cases, however, the sharing is done without the informed consent of consumers. Enticed by offers of discount deals or preferential upgrades, users may give a general permission for data sharing without sufficient notice of subsequent use by the recipient entities. Unwittingly, consumers may agree to the transfer of their personal information to companies that will use it to make credit, insurance, and employment decisions.
For instance, many insurance companies offer incentives to install various connected devices, such as moisture sensors, thermostats, smoke detectors, video doorbells, and security monitors, claiming that the collected data will be used to enhance claims handling efficiency and loss prevention. However, the same information is equally useful in underwriting and premium pricing. Various types of data – wall and roof temperature, humidity levels, roofing, plumbing, and mechanical vibrations – predict homes’ structural vulnerability and may be the bases for premium computations. Even assuming that the IoT information is indeed relevant to policy pricing, the data sharing itself, when done without the informed consent of the homeowner, will present significant legal issues.
Another concern is the greater potential for data security breaches in IoT (versus traditional computers). The vast network of devices “talking” to each other creates more interconnected links that are vulnerable to attacks. Because design platforms are equivalent across devices, a security vulnerability in one device may impact similar devices connected to the network (as in Silicon Valley above) and may be easily exploited by hackers. Also, particularly with home or personal devices, users rarely understand their internal operations or resultant data streams, and thus may not be alerted in time to any malfunction posing security risks (or actual breaches).
Security breaches are particularly alarming when it comes to smart home and personal devices – a hacker can gain access to personal spaces through video monitors or listen in on personal conversations that are automatically recorded. In one reported incident, a man hacked into an Internet-enabled baby monitor and screamed “Wake up baby!” at a 10-month-old girl.
The Federal Trade Commission (FTC) has initiated efforts at IoT data protection through the filing of administrative complaints for “unfair or deceptive acts” based on IoT companies’ promises and the consumers’ reasonable expectations of security. However, most administrative cases, such as those brought against ASUS (a computer hardware manufacturer) and TRENDnet (a marketer of video cameras), end in settlement agreements that do not involve fines or liability. Finally, in January this year, the FTC filed the first civil case against IoT companies, D-Link Corporation and D-Link Systems, Inc., alleging that they “failed to take steps to address well-known and easily preventable security flaws” that “hackers could exploit … using any of several simple methods”. In the dismissal proceedings, the court ruled that the FTC has authority to regulate data security practices using the “unfairness” prong and that fair notice does not require adoption of data security standards before the filing of enforcement actions.
The FTC has also issued a report containing data privacy and security recommendations for IoT businesses. While the report did not push for immediate legislation, it recognized the need for (1) legislation “to strengthen [ ] existing data security enforcement tools” and “to protect against unauthorized access to both personal information and device functionality”, and (2) broad-based, and not merely IoT-specific, privacy legislation (in addition to baseline privacy standards set by the relevant federal agencies).
Most recently, in August this year, a bipartisan group of senators proposed the Internet of Things (IoT) Cybersecurity Improvement Act of 2017. Among other things, the bill generally requires that IoT equipment conform to industry security standards, support patches that address previously unknown flaws, allow password changes, and be free from known security vulnerabilities. While narrow in scope, applying only to Internet-connected devices purchased by federal agencies, this proposed legislation may yet be the most significant step towards improved regulation of IoT in terms of data security and privacy.