The Internet of Things (IoT) is the network of everyday physical objects which surround us and that are increasingly being embedded with technology to enable those objects to collect and transmit data about their use and surroundings. TVs connected to the Internet and refrigerators connected to online delivery services are just the start of it. In the new world of the IoT, the possibilities are enormous, and the technology industry has so far only scratched the surface of what ‘machine-to-machine’ (M2M) interconnectivity could achieve.
Cisco estimates that some 25 billion devices will be connected in the IoT by 2015, and 50 billion by 2020.[1] Analyst firm IDC makes an even bolder prediction: 212 billion connected devices by 2020. This massive increase in connectedness will drive a wave of innovation and could generate up to $19 trillion in savings over the next decade, according to Cisco’s estimates.
But the ingenuity and innovation which companies will apply to turn the IoT into practical reality is constrained by law and regulation. Existing issues may take on new dimensions and, as technologies combine, so will the legal consequences of those technologies.
In this article, we look at the prospects for the IoT as well as the likely legal and regulatory factors that will affect the development and growth of IoT technology and the markets that such technology will create.
Background
The phrase ‘Internet of Things’ was first coined in 1999 to mean the connection of everyday objects and devices to the Internet. The idea was that ‘If we had computers that knew everything there was to know about things – using data they gathered without any help from us – we would be able to track and count everything, and greatly reduce waste, loss and cost. We would know when things needed replacing, repairing or recalling, and whether they were fresh or past their best. We need to empower computers with their own means of gathering information, so they can see, hear and smell the world for themselves, in all its random glory.’[2]
But back in 1999, the technology required to make the IoT concept a reality was expensive, slow, reliant on dial-up Internet and limited by inadequate storage and processing power. Fast-forward 15 years, and the landscape in 2014 looks very different. All the key factors have converged to create the ideal conditions to harness the power of M2M connectivity: smartphones, Wi-Fi and broadband connectivity are now ubiquitous; storage capacity ‘in the cloud’ is growing rapidly; sensor technology has developed sophistication while becoming cheap enough to deploy in almost any location; and data handling technology makes it possible to process large volumes of data in real time.
Coupled with improvements in the ability to process and analyse vast quantities of data – i.e., ‘Big Data’ – the possible applications for Internet-connected devices are seemingly endless. Imagine stepping through your front door to find that your watch has downloaded to your computer details of your heart rate, pulse and vital signs, the thermostat has turned the heating up because of the cold weather outside, the bath has run automatically, and later, while you sleep, your baby’s clothes monitor her breathing and heart rate while she sleeps. All of this technology is now available, although, in some cases, still at considerable cost: Wi-Fi-enabled Internet fridges currently cost a cool $3,700 (£2,300).
The uses of the IoT in a commercial context are also exceptionally wide-ranging: ATM data can be used to provide location-specific advertising to consumers via their smartphones, logistics companies can provide real-time parcel tracking services, and motor insurance providers can use telematics to monitor driving behaviour in order to charge tailored premiums.
The IoT also looks set to revolutionise other sectors, including health care, with hospitals providing care via remote monitoring systems, and energy, with the advent of so-called ‘smart metering’.
As with previous waves of technology revolution, the consequences for business will be significant, in ways that are both foreseeable and unforeseeable. Just as the DVD destroyed the market for VHS movie rentals, the huge rise in Internet-enabled TVs seems likely to have the same effect on DVD sales as downloadable video-on-demand becomes ubiquitous. Other outcomes of connecting physical objects in the IoT are harder to predict: not only will existing functionality of separate objects be strengthened by M2M, but new functionalities will be created.
Challenges in Implementation
The market for the IoT is still in its infancy and there are many challenges involved in deploying a solution. As with any eye-catching new technology, a lot of the hard work that goes into implementation often goes unnoticed.
In the case of the IoT, organizations will have to overcome significant initial hurdles in order to ensure that the solutions adopted are legally appropriate. In many cases, these include a number of the issues that are traditionally seen to be ‘outsourcing’ type problems – e.g., implementing a scheme of contractual relationships necessary to implement and support the technology; choosing whether to partner with a service provider in order to develop and implement a particular solution; and determining whether and how to use an external agency to harness the necessary computing power to implement fully the solution.
One key internal issue that many organizations will also have to address is the question of who within the business is actually responsible for implementation of the IoT as a product solution. A lot of the tasks required for IoT implementation will fall within the traditional roles of a business’s ICT leaders, even though the solution itself may be customer-facing.
Implementation of the IoT will also involve many of the operations parts of a business and this will need to be split appropriately within the architecture that the business employs. The question will be what solutions can be implemented as part of an overall scheme that is flexible enough to work with the types of devices and operating systems that a business has to deploy. Many of the end-to-end solutions that IoT requires involve the following key functions:
· Device and infrastructure management platform. The IoT requires operators to be able to operate software on devices remotely, without taking the network of sensors out of service. Clearly, where this is performed remotely, security of the device and infrastructure management platform will be crucial.
· Data Filtering. The IoT relies on sensors that produce vast amounts of data, but not all data will be relevant to any given application. Accordingly, a key challenge facing developers of IoT solutions is how to identify the thresholds and configurations to process only the data that is necessary for a specified purpose, and filter out the data that isn’t relevant.
· Analytics Platform. This is necessary to manage the huge volume of streamed data collected from remote sensors and devices and manipulate it in real time. This may well be integrated with an organisation’s approach to ‘big data’ elsewhere in its business. But, whatever the platform (and whether internally provided or outsourced), it should be set up to work with data from different device types and locations and configure it in a way that is useable by the business.
· Security. If the IoT has a weakness, it’s security. Dealing with issues of privacy and data security is essential. Precautions against misuse of data need to be designed into IoT solutions from the outset.
· Integration. The efficiency and performance of any IoT solution will often depend on the connectors that enable applications to collect and analyse the data and engage in two-way communication with the remote sensors where necessary. Integration requires standards and, as the old saying goes, the great thing about standards is that there are so many of them.
The fact that technology is rapidly evolving and the relevant industry players are still changing means that future flexibility is also something that businesses need to focus on. Most large technology businesses have an established approach to the market and, while the first wave of solutions may well be focused on a particular application, businesses should invest wisely to ensure that the same sensor network and data infrastructure can be deployed to take on multiple applications.
The IoT has great potential to generate new sources of revenue, improve efficiencies and allow businesses to both increase profits and cut costs. While it is the internet-enabled products that catch the eye, it is longer term investment in the underlying technology infrastructure itself that is now required and which will ultimately pay dividends. The easy, media-friendly pin-up for the IoT may be the Internet-enabled refrigerator, but the reality is that the average consumer will replace his or her fridge no more than once per decade – and, most likely, not for improved functionality but just to keep the milk cold.
IoT Beneficiaries
Apart from humble consumers who might soon start to see practical changes to their daily lives as a result of the IoT, a range of companies in different sectors have already targeted the IoT as a driver of future sales, although the actual take up of IoT-enabled solutions is still extremely low. But asking whether a CIO ought to be considering the effect of the IoT on his or her business is like asking his or her 1990s predecessor whether they are planning on using the internet. The key is: how do you work out how to create business value for the technologies that combine in the IoT?
If the trajectory of the IoT proceeds in the same way as other disruptive technology developments, the initial winners seem likely to be providers of infrastructure and data centre capacity, as well as microchip designers. Existing businesses with a strong data security element ought to have a key role in the IoT.
Companies that tailor their products to harness IoT capabilities and build in the key elements identified above will be the initial front-runners: so, for example, semiconductors need to continue to evolve in terms of size and power draw as well as enabling functionality to improve connectivity between sensor devices and the cloud, and the continued addition of new devices; infrastructure providers need to integrate their products for maximum flexibility while still ensuring significant levels of data security.
Consumer product manufacturers are perhaps the most obvious potential beneficiaries of the IoT as long as they can devise and roll-out IoT-enabled products whose functionality consumers want to pay for. But if history teaches us anything, it may be that, just as software giants became more valuable than the hardware sellers that capitalized on the first wave of the computing revolution decades ago (Microsoft vs IBM, anyone?), the long-term winners are less likely to be today’s major consumer product brands and more likely to be the companies that master and monetize the data to create entirely new markets.
Many of the best uses for the IoT will be much less glamorous than consumer products. Companies can realize significant energy cost savings through real-time analysis of HVAC and other building environmental data, for example.
Indeed, Google’s $3.2 billion purchase of connected thermostat producer Nest in January 2014 shows that the real market for IoT may take shape in ways that we cannot yet anticipate. That acquisition was less about a cool thermostat and more about disrupting the entire energy supply industry. If the Google and Nest combination can develop a product that proactively saves its users money on their home energy bills by juggling user and utility interaction and harnessing usage data, that puts Google in a strong position to continue its disintermediation efforts into a whole new sector.
The Old Problem Squared
In the new world of the IoT, the problem is, in many cases, the old problem squared. Whilst the opportunities of the IoT are great, so are the challenges. The combination of technologies and data multiply the potential legal and regulatory issues. Contractually, the explosion of devices and platforms will throw up the need for a web of inter-dependent providers and alliances, with consequent issues such as liability, intellectual property ownership, and compliance with consumer protection regulations.
The IoT also raises a raft of data-related legal and ethical issues, associated primarily with the collection and use of the vast quantities of data processed as a result. The IoT will enable the creation and sharing of massive new reservoirs of data about individuals’ habits, behaviour and personal preferences, thereby reinforcing global society’s reliance on data, and making the laws and regulations which protect data privacy and limit data use even more fundamentally important.
Government and Regulatory Attention
The IoT looks set to be the focus of government attention. In a recent speech at Europe’s CeBIT tech conference, UK Prime Minister David Cameron announced that the British government would be spending an additional £45 million in funding for research in areas linked to the IoT, which, following a series of other funding announcements in this area, takes the total pot to £73 million. Mr Cameron stated: ‘I see the internet of things as a huge transformative development – a way of boosting productivity, of keeping us healthier, making transport more efficient, reducing energy needs, tackling climate change‘. Sir Mark Walport, the UK government’s chief scientific adviser, is now expected to carry out a review into how these new technologies can be best exploited.
Regulatory bodies, including the Federal Trade Commission and the EU Commission, are turning their attention to the potential privacy and security issues that the IoT undoubtedly presents.
In 2013, the EU Commission published a report on the results of its public consultation on the IoT, along with a series of accompanying fact sheets (together, the ‘Report’), highlighting that ‘the development towards an IoT is likely to give rise to a number of ethical issues and debates in society, many of which have already surfaced in connection with the current Internet and ICT in general, such as loss of trust, violations of privacy, misuse of data, ambiguity of copyright, digital divide, identity theft, problems of control and of access to information and freedom of speech and expression. However, in IoT, many of these problems gain a new dimension in light of the increased complexity.‘
At the top of the list of issues facing law and policy makers in this area are the following:
- Loss of privacy and data protection. The difficulties of complying with the principles of privacy and data protection, such as informed consent and data minimisation, are likely to grow considerably. The EU Commission has stated in its Report that ‘It can reasonably be forecast, that if IoT is not designed from the start to meet suitable detailed requirements that underpin the right of deletion, right to be forgotten, data portability, privacy and data protection principles, then we will face the problem of misuse of IoT systems and consumer detriment.’
- Autonomous communication. One of the most significant IoT-related data privacy risks stems from the fact that devices are able, and intended, to communicate with each other and transfer data autonomously. With applications operating in the background, individuals may not be aware of any processing taking place, and the ability for data subjects to exercise their data privacy/protection rights may therefore be substantially impaired.
- Traceability and unlawful profiling. Last year, researchers at Cambridge University demonstrated[3] that incredibly accurate estimates of race, age, IQ, sexuality, personality, substance use and political views could be inferred from automated analysis of their Facebook ‘Likes’ alone. Similarly, although the objects within the IoT might individually collect seemingly innocuous fragments of data, when that data is collated and analysed, it could potentially expose far more than intended by the individual to whom it relates, and indeed more than those Facebook Likes. The data collected, in combination with data from other sources, may reveal information on individuals’ habits, locations, interests and other personal information and preferences, resulting in increased user traceability and profiling. This in turn increases the risk of authentication issues, failure of electronic identification and identity theft.
- Malicious attacks. The IoT provides hackers with more vulnerabilities to exploit and creates significant security risks. Such risks could take a variety of forms, depending on the nature of the data and device in question. In the context of e-health, the collection and rapid exchange of sensitive personal information in an interconnected and open environment not only increases risks in respect of patient confidentiality, but also has the far more alarming potential to endanger life. Take, for example, the remote programming of a heart pacemaker, or a drug dispenser configured to administer medication in response to a patient’s condition. A system failure or more sinister malicious attack on such device could have dire consequences. In the context of energy, hackers could target smart meters to cause major blackouts, and in the context of home security, it takes little imagination to contemplate the potential effects of a system failure or malicious attack. Such threats to security and privacy vary considerably and the breadth of challenges presented means that a one-size-fits-all approach to policy and/or regulation is unlikely to work.
- Repurposing of data. The risk that data may be used for purposes in addition to or other than those originally contemplated and specified by the data subject becomes even greater in the IoT. Repurposing of data may be contemplated even before data collection begins. For example, regulatory bodies, insurance companies and advertising agencies, among others, may seek access to data collected by others. Controls are needed to ensure that such data is used only in the manner consented to by the data subject. Whilst an individual might be happy for his fridge to know how many pizzas he eats each week, he might be less comfortable if he knew that that information was being passed on to his health insurance provider.
- User lock-in. As is the case for existing technologies, the IoT increases the risk that consumers may become locked-in to a specific IoT service provider, thereby impeding their ability to retain control over their data and their right to move from one provider to another.
- Applicable law. With IoT devices, systems, users and service providers located in any number of jurisdictions, the global nature of the IoT means that various national laws may be applicable, each providing different levels of protection. This may give rise to questions of conflict, difficulties in enforcement and confusion among consumers.
The Future Regulatory Landscape
Looking ahead, the question is, what approach should be taken by law and policy makers to address these issues?
In response to the EU Commission’s public consultation, a large number of industry players questioned the legitimacy and appropriateness of public intervention in an area which is still arguably in its infancy. These stakeholders maintained that the existing legal framework, including data privacy, competition, safety and environmental legislation, is sufficient to protect end users’ interests, and inappropriate governance at this stage may stifle investment and innovation. Conversely, the majority of individual respondents argued that economic considerations should take a back seat to the fundamental issues of privacy and security. They contended that specific rules should be developed and enforced to protect end users and to control the development of IoT technologies and markets.
Keeping in mind (i) the international dimension of the IoT, (ii) the resulting need for interoperability, (iii) the importance of a harmonised internal market and (iv) the universality of the fundamental rights to privacy and data protection, the EU Commission commented that it would be inadvisable to allow divergence at a member state level of the law and methodologies in this area. That is, of course, a statement of the obvious.
A sceptic could be forgiven for thinking that the UK government’s investment in IoT research would be better spent finding a way for the main governments of the global economy to harmonize and reduce the regulatory burden that could handicap the growth of the IoT.
But avoiding legal and regulatory fragmentation across key jurisdictions is a forlorn hope. Regulatory differences will occur, just as has happened with Cloud, with data privacy and with many other regulated technologies. The truth is that governments just don’t act quickly enough to keep up with new technology, and don’t have the power or inclination to agree completely on harmonized legal and regulatory approaches to new technologies.
Europe
The EU’s draft Data Protection Regulation (the ‘Draft Regulation’), which is currently going through the EU legislative process and is expected to be adopted in 2015,, will go some way to provide the necessary harmonisation – at least within Europe. It will replace the existing Data Protection Directive 95/46/EC and will have direct effect, not only for organisations established in the EU/EEA, but also for any organisations that collect and process EU/EEA residents’ personal data. Some of the measures that we might expect to see as a result of these developments are as follows:
- Privacy by design and default. In its Report, the EU Commission noted that individuals’ privacy, data protection and security rights are often not considered at the outset of the design process, and it is unlikely that they will be properly addressed by the market without regulation. The Draft Regulation provides that, ‘having regard to the state of the art and the cost of implementation‘, the data controller must, ‘both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures in such a way that the processing will ensure the protection of the rights of the data subject‘. In addition, the data controller must ‘implement mechanisms for ensuring that, by default, only those personal data are processed which are necessary for each specific purpose of the processing, and are not collected or retained beyond the minimum necessary for those purposes, both in terms of the amount of the data and the time of their storage‘. In particular, those mechanisms must ‘ensure that by default, personal data are not made accessible to an indefinite number of individuals‘.
- Consent. In its Report, the EU Commission emphasised that mechanisms are needed to ensure that no unwanted processing of personal data takes place and that individuals are informed of the processing, its purposes, the identity of the processor and how to exercise their rights. The Draft Regulation defines consent as ‘any freely given, specific, informed and explicit indication‘ of an individual’s wishes; consent can be expressed in the form of a statement or a clear affirmative action that signifies agreement to the processing. Tacit or implied consent could be valid: however, the preamble to the Draft Regulation confirms that silence or inactivity would not suffice. It remains to be seen exactly how these requirements will be met where applications in the IoT act autonomously and/or ‘behind the scenes’.
- Measures based on profiling. As noted above, the IoT gives rise to serious concerns in terms of profiling and user traceability. The Draft Regulation sets out the circumstances in which such profiling, ‘which is based solely on automated processing intended to evaluate certain personal aspects…or to analyse or predict in particular the natural person’s performance at work, economic situation, location, health, personal preferences, reliability or behaviour‘, would be considered lawful. This includes where the data subject has consented, or where, in the context of the performance of a contract, suitable measures to safeguard the data subjects’ legitimate interests have been adduced.
- Privacy policies. In its Report, the EU Commission advised that privacy policies that can be pushed or built into IoT objects should be adopted, with appropriate mechanisms to ensure data privacy. It noted, however, that the technical challenge here is how to enable objects with limited processing power and/or memory to receive and respect such policies. Given the sheer number of IoT devices, the uniformity of such policies should also be considered.
- Enforcement and sanction. The EU Commission also highlighted a need to strengthen and clarify the powers of data protection authorities to ensure consistent monitoring and enforcement of applicable law. Amongst other things, the Draft Regulation introduces significant sanctions for violations of data privacy obligations, including fines of up to 5% of annual worldwide turnover, or €100 million, whichever is greater. The Draft Regulation also extends the concept of mandatory personal data breach notifications to all areas of personal data processing.
In its Report, the EU Commission acknowledged that since the ‘IoT is a special case and more of a vision rather than a concrete technology, we understand that it is complex to properly define all the requirements yet‘. Whilst the Draft Regulation goes some way to address the issues to which the IoT gives rise, it remains to be seen exactly how the law and policy in this area will develop as the IoT itself evolves.
United States
On the other side of the Atlantic, privacy and data security in the IoT is also firmly on the agenda. Regulators in the United States – particularly the FTC – seem to be focused on the same privacy and security issues as their EU counterparts. In terms of how these concerns manifest in a regulatory context, the FTC is most likely going to rely upon its standard notice and choice framework on the privacy side, and its position that the lack of reasonable security measures to protect consumer data may be an unfair or deceptive act or practice under section 5 of the FTC Act. To that end, future FTC enforcement is most likely to focus in particular on two main areas when it comes to IoT: (1) providing notice and choice when a networked device is not consumer-facing; and (2) how to ensure that devices that are part of the IoT ensure reasonable data security.
We have various indicators of why the FTC will focus on these particular issues:
· Workshop on the Internet of Things. The FTC held a workshop examining privacy and security issues surrounding the IoT in November 2013. The workshop focused on those issues related to increased connectivity for consumers, both in the home (including home automation, smart home appliances and connected devices), and when consumers are on the move (including health and fitness devices, personal devices and cars). The FTC will publish a best practices report about the IoT at some time in 2014. The key themes articulated by the FTC at the workshop itself were: (1) the risks to consumer privacy from the collection, analysis, and unexpected uses of large amounts of data about consumers; (2) the possibility that traditional notice and consent frameworks will not be sufficient to inform consumers of how their personal data is being used; and (3) the data security risks of interconnected objects. In her opening remarks at the workshop, FTC Chairwoman Ramirez emphasized that ‘as the boundaries between the virtual and physical worlds disappear,‘ there still needs to be some way to give consumers notice and choice about the information collected about them, and how it is used, even if the device has no user interface.
· TRENDnet Enforcement Action. The FTC brought its first-ever IoT case in December 2013 against TRENDnet, the maker of a surveillance camera system with a range of uses from home security to baby monitoring.[4] The company’s cameras had a faulty software configuration that left them open to online viewing, and in some instances listening, by anyone with the cameras’ Internet address. As a result, nearly 700 live camera feeds were accessed by a hacker. The FTC’s complaint alleged that the company’s failure to reasonably secure its cameras against unauthorized access was an unfair and deceptive act and practice under section 5 because the company represented it had reasonable security measures in place when it in fact did not. This type of case is fairly standard for an FTC data security case; what distinguishes it is that, as the FTC explained, the product involved falls under the IoT umbrella because it is an everyday product with interconnectivity to the Internet and other mobile devices.
· FTC Commissioners’ speeches on the IoT. Two FTC Commissioners have spoken recently about the policy and regulatory implications of the IoT, which gives some sense of future enforcement priorities and the contours of the regulatory framework:
o In February 2014, Commissioner Julie Brill spoke on The Internet of Things: Building Trust to Maximize Consumer Benefits. Commissioner Brill tied the IoT to another major policy concern of the FTC – ‘Big Data.’ She cited Cisco’s estimate that there will be 25 billion Internet-connected devices by 2015, and noted that by the end of this decade, 40% of data could come from connected devices. As a result, her main concern is that data from devices – that consumers might not even know are actually connected to the Internet – can be combined with existing troves of data to make it even easier to make sensitive predictions about consumers, such as those involving their sexual orientation, health conditions, religion and race.
o In October 2013, Commissioner Maureen K. Ohlhausen spoke on The Internet of Things and the FTC: Does Innovation Require Intervention? While the Commissioner emphasized the potential privacy and data security risks posed by greater interconnectedness of devices, her remarks focused more on the transformative potential, and the human benefits, of the IoT. To that end, she sees the role of the FTC as ensuring that businesses have the freedom to experiment and innovate so that the benefits of this technological advance can be realized. Thus, while the FTC should use its traditional deception and unfairness authority to stop consumer harms arising from Internet-connected devices, the FTC should also focus on consumer tips and best practices relating to the IoT.
Finally, a number of U.S. states have proposed legislation on the 2014 docket that is intended to increase privacy protection for consumers. At a federal level, several bills are also in the process of going through Congress. These include the Black Box Privacy Protection Act[5] (which would (a) prohibit the sale of automobiles equipped with event data recorders, unless consumers are able to control the recording of such data, and (b) require that any data so recorded would be considered the property of the vehicle owner) and the We are Watching You Act[6] (which would provide for notification of consumers before a video service collects visual or aural information from the viewing area).
Conclusion
Given the tremendous growth of the Internet of Things, and the predictions that it will continue to grow exponentially, it is likely that the lawmakers and policymakers will play a considerable role in shaping the development of the IoT in the next few years.
The regulatory framework within which the IoT operates is an important factor to consider for technology companies seeking to harness the power of M2M connectivity. The key issue seems likely to be (a) whether the regulators can work fast enough to keep up with what the technology is capable of doing, and (b) whether law and policy in key markets around the world are harmonized – at least in key parts – to ensure that the IoT is allowed to develop in a way supported by applicable laws, not handicapped by fragmented and contradictory legislation.
Businesses implementing M2M-based solutions will clearly need to examine their data privacy policies and approaches to data security in order to anticipate and meet the challenges presented by the IoT.
Amy Collins is based in the London office of Morrison & Foerster and is a member of the Technology Transactions Group and the Global Sourcing Group.
Adam Fleisher is an associate in the Litigation Department of Morrison & Foerster’s Washington, D.C. office. He focuses on privacy and regulatory issues.
Reed Freeman is a partner in Morrison & Foerster’s Washington, D.C. office . Hefocuses his practice on all aspects of consumer protection law, including online and offline privacy issues.
Alistair Maughan is a partner in Morrison & Foerster’s London office. He is co-chair of the Technology Transactions Group and a member of the Global Sourcing Group.
[1] http://share.cisco.com/internet-of-things.html
[2] http://www.rfidjournal.com/articles/view?4986
[3] http://www.pnas.org/content/early/2013/03/06/1218772110.full.pdf+html
[4] http://www.ftc.gov/news-events/press-releases/2013/09/marketer-internet-connected-home-security-video-cameras-settles
[5] http://www.gpo.gov/fdsys/pkg/BILLS-113hr2414ih/pdf/BILLS-113hr2414ih.pdf
[6] http://www.gpo.gov/fdsys/pkg/BILLS-113hr2356ih/pdf/BILLS-113hr2356ih.pdf
