You are probably familiar, at least in concept, with the internet of things. You can use the internet to connect devices to each other – everything from mobile phones and computers to thermostats and toasters. Why do attorneys care about IoT? Consider the huge amount of information these devices gather. Lawyers can help clients protect this data as well as extract information from it to strengthen their cases or influence juries.
Some of these questions are already working their way through the courts. For example, with Amazon’s Alexa or other personal assistants, can the information stored there be used against their owners, or is it private? To better understand the legal implications of IoT, Crain’s spoke with Kraig L. Marini Baker, chair of Davis Wright Tremaine’s Technology, Advertising, Trademark and Entertainment practice and a communications instructor at the University of Washington.
Crain’s: How much of your work, both legal and academic, would you say centers on IoT? Would you describe the transition as gradual over the past few years or exponential in a shorter timeframe?
Baker: It is everywhere. Even if people aren’t calling it the internet of things, it’s there. It’s kind of like the beginning, when we had hosted software, or cloud software. Not everyone referred to it as that in the beginning. But now those terms are everywhere.
It is definitely increasing, and I would couch it as more of an evolution. More and more people are offering a product, with some functionality that just happens to hook up to the internet. It’s increasingly a way to sell products. Whether you need it or not, there’s an app that comes with your camera and your refrigerator.
Crain’s: What are the most common devices that people tend to identify as IoT? Are there some devices you would describe as uncommon, or people wouldn't necessarily expect them to collect data?
Baker: Oh, there are so many devices, all common to us. But now they can be connected. So, we’re talking everything from coffee makers to light bulbs.
The big money comes from the industrial side, the data centers and server farms. But the sexy, science fiction stories of connected cars and smart homes come from the consumer side.
Crain’s: What are some of the legal challenges associated with IoT?
Baker: The first things anyone is going to think about are privacy and security, and those two are really about data. Kevin Plank, who’s the CEO of Under Armour, describes data as the new oil. He says it’s the thing that will power the information economy.
Ownership of data is interesting. Is it the device manufacturer, the person running the network, the keeper of the devices?
Right now, ownership is defined by contract and click-thru user agreements that users tend to agree to and don’t read. We get these arbitrary users. Not my problem, and there’s a gap in liability and in terms of security coverage.
Consider personal assistants like Amazon’s Alexa, which can serve as an IoT hub and devices can be run through that. So, while I might not take a lot of time with a single device, like turning on and dimming my smart light bulbs, I might create a single setting, so they turn on at 6 a.m., along with my coffee maker.
We don’t really think of these devices and the way they interact in terms of security, like we do our computer. When you think network security, you have a password. But people don’t consider that by hooking all of these devices up, we’re giving people multiple doorways to get to our information.
If you can remember the analog days, and how everyone always joked about the blinking clock light on the VCR because no one knew how to set it. It’s a lot harder to set up IoT, so how capable are consumers when it comes to managing the privacy and security of their devices?
Another important aspect to consider is risk. You may be agreeing to data usage in a way you’re not expecting as a consumer. You get into the Facebook problem happening now. Most everything at issue was permitted. It isn’t like somebody hacked into Facebook. They used info and Facebook but didn’t understand the consequence of its own terms – or they knew how it was used and didn’t think consumers would mind.
Crain’s: What are the legal implications/responsibilities then for manufacturers of connected devices?
Baker: I might say in my terms that I as manufacturer can collect data for diagnostics and to improve my product and network. That seems reasonable on the face. You may come up with a new feature. It may go faster because you have been managing and monitoring use. On the other hand, your device might be listening or learning things that the consumer does not want it to.
For instance, most laptops and phones have “find my phone,” or “track my computer,” features. That can be quite handy. But it can also track where you were. If you were visiting your mistress that day, or taking part in some criminal activity that day, I can subpoena your phone and find out where you were.
We’re starting to see IoT devices being used in criminal prosecutions. Pacemaker data was used in an arson case in Ohio. A case in Connecticut zeroed in on Fitbit data, which indicated a woman had been in her house longer, and walked longer, than the claim that she’d been attacked had indicated.
Data is suddenly used for monitoring folks. I don’t think folks realize that’s being monitored in the way that it is.
Crain’s: How is this monitoring being handled legally?
Baker: We have norms evolving on the Web that this is what my privacy is going to be and then social media changing norms, but people got comfortable and then we moved onto mobile and location data that we had for the first time we had to figure out how we’re going to handle
Suddenly we have categories of data being created by connected devices, and we really don’t have norms, much less laws. I think we’re still trying to figure out how we’re going to do that in IoT space.
For businesses, which are typically providers of IoT services or consumers of an IoT service. Generally, what I’m trying to help these clients understand are the consequences of the implementation of their devices. What are the risks they’re willing to take on, and what happens if a service goes down that you’re counting on, and how easy is it to switch to another product or a different provider?
We’re always thinking about IP ownership issues. Is there anything being done in terms of customization? Similarly, if I’m the buyer of an IoT solution, I’m expecting there won’t be a lot of headaches in terms of making this thing work with my legacy systems.
Crain’s: What general advice do you provide clients when it comes to ensuring proper use and protection of IoT devices and their data?
Baker: There is a huge business upside to embracing IoT. Great efficiencies. You can protect yourself against risk. Live monitoring. The one overall caution that I would have for a business leader is to say that one shouldn’t just go and adopt something because it’s quote “smart” or has this ability to hook into the internet. Is it a feature or function that adds value or solves a problem?
A lot of people will adopt these technologies because they think they’re supposed to. It sort of solves the problem they thought they had, but then it causes all these other issues down the road.
I wouldn’t recommend they be a late adopter, but I don’t want them to get stars in their eyes because someone says they need to have IoT devices.