The legal considerations of the Internet of Things

Illustration by Gary Neill

Everyday objects are increasingly embedded with software, sensors and network connectivity, and collecting and exchanging data. With an infinite number of applications, legal implications are complex and unpredictable.

When it comes to the Internet of Things, everyone thinks about features like their phone turning on their oven. Almost no one thinks about smart cement.

But smart cement is the kind of stuff that really boggles the mind.

Mix cement with nanosensors and it can not only monitor the volume of traffic passing over it, it can measure the pressure that traffic’s causing and alert authorities to stressing, cracking and warping before it causes a bridge or overpass to collapse. Smart cement can also let oil and gas companies know when the pressure inside a well or pipeline is becoming too high, or whether the pipe embedded inside is starting to corrode.

And yes, it already exists.

So does smart asphalt, which can detect and communicate road conditions over Wi-Fi to your car. If your car knows there’s ice ahead, or even an accident, it will warn you. If you don’t slow down fast enough, the car will slow down for you. That begs the question: When it comes to the Internet of Things, who’s actually in the driver’s seat?

It’s a question worth asking as people everywhere jump all over the newest and latest thing.

From home hubs that control light switches, thermostats, and security cameras over the Internet using a mobile app to biometric smartwear – shoes and clothing that measure things like heart rate, breathing, steps and the number of calories expended – hyper-wired consumers want it all. But people don’t necessarily know what they are getting themselves in for, say lawyers who practise in the area.

“How could they? We have no clue where this is going,” says Éloïse Gratton, National Co-leader of the Privacy and Data Security Practice Group at Borden Ladner Gervais LLP in Montréal.

“No one foresaw how the Internet was going to affect things. The Internet of Things is probably the Internet times 30 in terms of impact, and I think there are definitely going to be some privacy scandals. Are we equipped with our current laws? No, we’re not.”

But, ready or not, it’s here.

To step back for a moment, The Internet of Things (IoT) refers to everyday objects embedded with software, sensors and network connectivity.

The sensors monitor and collect your data; the software translates it into useful information such as preferences or geographic proximity, which is then transmitted by cloud-based apps to computers on the ground to deliver an appropriate real-time response.

Many IoT devices don’t have keyboards or screens, making it difficult for the user to know exactly what the device is doing or who it’s talking to.

Michael Chertoff, a former United States Secretary of Homeland Security, has said he sees a day “where almost everything you do is monitored even if you never agreed to it.”

With everything from your shirt to your car potentially exchanging data about you, the amount of real-time information communicated is mind-boggling, says Adam Kardash, Co-leader of the Privacy and Data Management Group at Osler, Hoskin & Harcourt LLP in Toronto.

“With the Internet of Things you’re going to have an infinite number of applications and we’re not talking about in 10 years, in many cases we’re talking about the here and now. The explosion of devices in the home, the interconnectedness of thermostats, smoke alarms and very soon washing machines and light bulbs is all part of that. I think what will be here in even two years will be astonishing.”

Accenture Interactive released a study predicting 69 per cent of consumers will own a smart gadget by 2019. Technology giant Cisco Systems says the IoT could represent a market opportunity of as much as US$19 trillion.

Many aspects of the Internet of Things, such as having your phone text your spouse as you’re leaving the office or disarm your home security system and turn on the hall lights when you get within 25 metres of the house, seem like nothing more than allowing devices to take over some small mundane tasks.

But that convenience comes at a price.

Concerns over cybersecurity, data-collection policies and privacy are already being widely flagged by various experts around the world.

In Canada, at least some of the data that falls under existing privacy laws may be falling through the cracks, says Kardash. “We already have some challenges about when data is so-called anonymous and when it may be identifiable. The application of privacy laws to the new data environment will be tested, every single feature of existing privacy laws will be tested, by the Internet of Things.”

It starts with something as basic as who has custody of your data.

Legally, any company collecting data is responsible for all personal information in its custody or under its control. Having multiple systems using the same data can create a bad legal tangle.

“When you have massive unstructured data sets, and you have the data everywhere in a ubiquitous fashion, which would be the case in the Internet of Things, who controls it? Who’s responsible for it? Who is the accountable entity? What happens if there’s a security incident? Which parties are responsible for addressing it?” Kardash asks.

“Those types of questions, in complex data ecosystems, are very, very difficult to answer.”

Imagine a scenario in which your washing machine measures how many detergent pods you’ve used since your last purchase. It detects you’re running low, communicates with your grocery store, and the brand of detergent you use is automatically added to this week’s delivery. It’s not a very invasive type of information being collected and communicated, right?

But how do you feel about sensors monitoring how much alcohol you drink, what kinds of foods you’re eating and what medications you take?

“The availability of that information could have privacy consequences in terms of potential breaches but also for legitimate uses,” says Alex Cameron, Leader of the Privacy & Information Protection Group at Fasken Martineau DuMoulin LLP's office in Toronto.

“Does your insurer get to know in great detail and with specifics what your habits are – what kind of foods you’re eating, your physical habits, health-related information? Is it appropriate it get into their hands, and should they have to get your consent for that?”

While Cameron admits to some unease, he uses his smartphone the way most of us do, although he says he is careful with the privacy settings and reads privacy policies carefully before signing up for anything new.

“But I still let my phone track me around so I have the convenience of mapping, for example, or today’s weather. I’m fine with that. There’s a convenience factor that often comes with an exchange of personal information or some degree of tracking, which most people are going to be fine with.

“The problem now with the Internet of Things is that nobody knows exactly what it’s going to look like. My fear is that technology may get too far ahead of the law and that the law’s not keeping pace efficiently. In Canada, we’ve done pretty well and we have a data-protection law that has been pretty resilient, so I’m optimistic we’re not headed towards a dystopian future where those rules are ignored.”

It’s going to be very tough even for companies that play by the rules to frame proper consent clauses, says Gratton. “The average user will not understand the implications of having a certain tool connected and disclosing and sharing information. They won’t. You can draft the nicest privacy policy in terms of user agreement but people don’t read them, and they don’t understand the technology behind it.

“What does consent mean if you don’t understand it and don’t know what you’re agreeing to? It’s difficult to get informed consent, it’s just moving too fast.

“Another challenge is going to be – and I see it now with wearables – people think: ‘A health bracelet, it’s going to be great. It can advise me on all kinds of things.’ They don’t realize this information is available for litigation.”

It’s an area where it just may cause a small revolution for the legal world.

 

In a recent criminal case in Pennsylvania, a woman reported she was asleep around midnight when an intruder broke into her home and sexually assaulted her at knifepoint. She said she awakened to find the man on top of her.

Police, who found no footprints in the snow outside the house, downloaded the data on her Fitbit with her permission. The bracelet monitors things like sleep patterns, the number of steps taken and stairs climbed during the day.

The data collected contradicted the woman’s claims, showing she had been awake all evening and was actually walking around at the time she said she was sleeping and assaulted. She was criminally charged with filing a false report with law enforcement authorities.

In Calgary, a personal trainer who had been injured in a car accident agreed to wear a Fitbit tracker for several months to prove she was much less active than normal for a woman of her age and of the fitness level expected of someone in her profession.

It’s not just wearables that will surface more regularly in police work and litigation. It’s all your chatty gadgets.

“You say you were home on a certain night, now there are ways to find out,” says Gratton. “If the alarm system is connected to the Internet and there’s a company hosting that information, you just go in front of a judge and get it. There’s going to be tons of information available for litigation.

“I sometimes feel people forget, they’re excited about a new tool or device. They’re happy to have information about their driving habits collected, for example, to get lower insurance rates but then if there’s an accident, they may be surprised who has access to that information.”

Heavy industry is generally finding the Internet of Things an incredibly useful litigation tool, says Daniel Gallagher, a litigator at Bennett Jones LLP in Calgary who specializes in product liability cases.

“You can have one piece of equipment at an industrial facility and when this one piece of equipment goes down, it takes the whole plant down with it, and often for extended periods of time. Sometimes the equipment also goes down in a way that the whole machine breaks up and so it can start a fire as well. So these claims end up being extremely large, easily $50 million.

“When you’re trying to pinpoint where things went wrong, it’s very easy for the owner of the plant to say the machine failed so it’s the manufacturer’s fault. But in many cases what happened is that the people using machinery are using it for ‘out-of-design’ conditions.”

Gallagher, who often does cases involving liability for industrial failures at gas refineries and pipelines, says companies and manufacturers traditionally had to rely on hand-written logs prepared by someone who was there when the accidents happened – someone quite possibly involved in it.

But today, microsensors built right into heavy equipment and even the plant itself provide a running account of the conditions of a machine’s internal components as well as the atmosphere around it, transmitting data such as temperature and humidity levels.

“Operators also have smart glasses, smart watches and smart gear so that they have this ability to see what needs attention – the load a machine has handled in the last however many hours, its expected lifetime left, the most recent malfunctions or alerts.

“They call all these microsensors an ‘augmented reality’ in the industrial world, and it has the ability to change things very dramatically. A machine itself can now be aware of its own status, and transmit that data through the Internet. It’s quite amazing.”

Most people agree with two things.

The first is that words like amazing are not hyperbole. The second is that there’s probably no way for the law to keep up with all this amazingness so companies need to be very, very careful about what they do with all the data they collect because privacy law may not be there to support them if it comes to litigation.

But it’s not just privacy issues that dog the Internet of Things. It faces a minefield of security issues as well.

 

One unnamed Toronto-area lawyer (anonymous for reasons about to become apparent) found out the hard way.

He was out of town when someone gained access to his office network through his home network. The point of entry? His nanny cam, which was Wi-Fi enabled but not password protected.

Phil Brown, Counsel in the Professional Development and Competence Department of the Law Society of Upper Canada in Ontario, said in a talk on the Internet of Things that the person who gained access to the lawyer’s home computer was able to “jump onto his office computer through this vulnerability.

“When they were in the process of checking out some of his bank accounts, someone in the office happened to hear the computer buzzing and turned it off because they knew he was away.

“I think that was the only thing that prevented him from having to notify a lot of clients and the Law Society to say, ‘Oh, by the way, we just had a whole bunch of confidential information leave the office and possibly some trust funds.’”

If that doesn’t make you break into a cold sweat, how about this? At the annual Defcon security conference this past summer, a smart refrigerator was hacked, exposing the owner’s Gmail login credentials.

In a real-life situation, instead of a hack-for-show, that would have permitted the hacker to read the owner’s private emails, reset their password, lock them out of their own account and even potentially steal their identity.

Stealing cars? Possibly even easier. Videos on YouTube show hackers remotely starting cars and assuming wireless control from kilometres away using the car’s built-in wireless gateway.

Charles Morgan, National Leader of the Information Technology Law Group and Co-leader of the national Cybersecurity, Privacy and Data Protection Group at McCarthy Tétrault LLP in Montréal, calls the security aspect “frightening,” noting that all “the car manufacturers are moving to connected cars.”

He’s not talking just about the potential for auto theft. It’s also the potential for terrorism – ramming a remotely controlled car into a crowded public venue, for example. And it’s not just cars.

The IoT also makes it a lot easier to steal commercial secrets, he says, so corporate clients need to be aware that their intellectual property can be compromised.

“From an espionage perspective, there are any number of cases where we’re seeing hacks turn seemingly innocuous devices into spy tools, turning things like a security camera into something that can be used by a third party without authorization.

“Whether you’re talking about prospective industrial espionage, sabotage or a hack designed to collect information, I think most companies are at least potentially a victim.

“From a cybersecurity perspective, what it means is all businesses are going to have to be assessing cybersecurity risk. The cybersecurity issue is huge, and will not go away.”

Morgan says he doesn’t use a smart watch but, even then, “I notice my iPhone has a health monitor that keeps track of how many kilometres I walk or run each day. It’s standard issue. That’s biometric information being tracked and assessed by default into a device that millions of people have.”

The principles that underpin Canada’s privacy statutes – limited collection, identifying purposes, consent, transparency and limited use – were designed for one-on-one transactions between a person and a merchant, he says. In the online environment, that’s no longer the case.

“There is almost no limit to the information collected. Your refrigerator is telling someone something about you, your car is telling somebody else something else about you – every interaction you have with a connected product could increase the level of information available.”

That makes privacy compliance especially challenging for companies that sell goods and services into foreign markets. “Products may well be designed for privacy compliance in one jurisdiction but then used or marketed in other jurisdictions,” he says. “It’ll be more difficult than, say, changing a website.”

That could lead some businesses to refrain from selling their products into certain markets.

“Companies that make products – in relation to privacy compliance and the Internet of Things – may have to make some fundamental decisions about the markets they go into.”

 

Regulators in Canada and elsewhere around the world seem to be taking the position that they are okay with the market being self-regulated, says Amaan Gangji, an associate in the Business Law Group at Lawson Lundell LLP in Vancouver.

“To be honest, the law has a difficult time moving quickly enough. When you’re dealing with such rapid-paced technological innovation, it’s very tough to keep up and create legislation that is open and broad enough to address a moving target.

“So as long as the consumer is made fully aware and can give their informed consent as to what information is being collected, what it may be used for – if they can have the customization to turn off certain settings – I think that’s the direction regulators are moving in. That’s probably the only way to address this issue, because things are coming to market so quickly.”

The challenge, says Gangji, is that most people have no idea what they’re signing up for in terms of how their data is being shared, and don’t necessarily give it much thought. In other words, they may not know who’s in the driver’s seat when it comes to their information and they don’t automatically care.

“I think we’re at a point now where people are a little naïve about how vulnerable they could be,” he says. “A lot of people won’t take the time to read the terms and conditions, they’ll go with the crowd until something bad happens then they’ll start thinking about whether or not that particular app or device is safe to use.

“I don’t know if everybody reads all those terms and conditions. But maybe they’ll start.”