Here be Dragons
It was formerly the practice of mapmakers to place the image of dragons at the edges of their known world. To them, ‘here be dragons’ signified dangerous or unexplored territories in uncharted areas. In computer programming, the phrase now has a new meaning. Software programmers sometimes adopt the phrase to indicate sections of particularly complex and obscure passages of code, so that other programmers who would access them are warned.
Today the internet is vast and much of it is unknown, like the uncharted maps of medieval times. Technological progress has always created new legal problems just as it creates new solutions. Violations of privacy, misuse of data, identity theft, ambiguity of copyright, problems of control and of access to information have been an inherent challenge in technological developments. However, with the rise of the Internet of Things (IoT), many of these problems gain a new dimension in light of increased complexity and increased interconnectedness.
The implementation of IoT architecture and the use of RFID tags[1] create a number of legal challenges. The questions to be addressed are whether market regulation is sufficient or whether there is a need for international or national law to regulate IoT. Further, if it is decided that legislation is desirable, given the constantly changing face of IoT, would existing law be sufficient or is there a need for new laws? If new laws are released, this creates a separate challenge in terms of how rigid the final framework is and, crucially, the framework for implementation.
The question must be addressed as to the balance to be struck between privacy and safety.[2] In the final analysis these two principles should be viewed not as competing opposites, but rather as principles affecting one another.
In addressing the key legal issues which might hinder the so-called “Internet of Things”, this essay will first consider the balance to be struck between IoT and regulation, second the importance of data security in the world of IoT, third security issues raised by IoT and finally a proposed legal framework.
Challenges: Law and IoT
IoT has the potential to improve consumer life on a daily basis in important and tangible ways. Down the line, it is hoped that IoT will provide the basis for ubiquitous computing and enable smart environments. A necessary part of this is that the ‘things’ at issue, across a broad spectrum of devices, will increasingly retrieve data to facilitate their adaptive functionality.[3]
The existing legal issues outlined above will take on new dimensions as IoT develops and technologies combine. The key issue is whether the law can work at an appropriate pace, keeping up with technological developments and not hindering the development of IoT. The second key challenge is in the harmonization of law. If law and policy are not sufficiently aligned in key markets, at least to a basic degree, IoT development will be hampered by fragmented and contradictory legal frameworks.
Both of these requirements, which call for the law to be sufficiently flexible, must not leave the consumer vulnerable. As the EU Commission has stated in its Report, it can reasonably be forecast that, if IoT is not designed from the beginning to give sufficient protection to the right of deletion, privacy and data protection principles, there will be serious issues of misuse of IoT systems.[4] The individual who loses from this is the consumer.
The balance therefore is to have a legal framework which is conducive to development, while providing legal certainty and protecting existing rights. These are not future problems, or even emerging ones; these are very much current issues affecting both consumers and the development of IoT. This raises two of the most significant legal obstacles to IoT – data and security.
Data Harvesting
The significance of IoT in legal terms is that it refers to everyday items not normally considered computers, allowing these devices to generate and exchange data with minimal human intervention. The impact of this is that it may shift the most common interaction with the Internet to becoming a passive engagement with connected devices, rather than active engagement.
The problem with this, and in particular the legal difficulty, is that these objects, from refrigerators to cars, are objects not previously viewed as ‘devices’. Many of these devices will be created by manufacturers not previously dealing in computing or software. In turn this may result in devices which are unsecured though connected to networks.
The full potential of IoT will therefore depend on the ability to respect individual privacy choices relating to a broad spectrum of expectations and consumers. The user specificity resulting from IoT devices provides unique value and utility to IoT users. However, an integral part of ensuring this value and respect for user privacy expectations is ensuring user trust and confidence. The reason for this is that IoT fundamentally redefines the way in which personal data is stored, analysed and used.
Potential ramifications include increased tracking and difficulty in ‘opting out’ of certain data collections, given that a necessary part of IoT devices’ effectiveness is the ability for data streams to paint detailed digital portraits of users. Even seemingly innocuous individual fragments of data, when collated and analysed, can create a detailed picture – much more detailed than was intended by the consumer. A further difficulty arises in cross-border data flows, which occur when these devices collect data relevant to consumers in one jurisdiction and transmit it to another jurisdiction with different data protection laws. Therefore, the difficulty arises in unexpected uses of large amounts of data about consumers. IoT relies on vast amounts of data, but not all data will be relevant to any given application. Accordingly, a key challenge for developers is identifying the thresholds to process only the data that is necessary for a specified purpose, and to then filter out the data which is not. These are important challenges, but they are not insurmountable. The balance to be struck is to respect individual privacy choices across a broad spectrum of expectations, while encouraging innovation in new technology.
It is therefore a necessary component of any legal framework that the data controller must ensure that only data which is necessary for each specific purpose is collected and that nothing beyond that minimum necessary is collected or retained. This relates to both the amount of data and the length of time for which the data is stored. In a technological ecosystem designed to allow devices to effectively and autonomously communicate with one another, this difficulty in data collection and storage becomes a very real issue. In this kind of environment, it is likely to become increasingly difficult for individuals to keep track of and control what data is shared and with whom.
Security
The critical issue for IoT is the vast scope of the growing networks and connected devices. This growing network will increasingly incorporate daily and simple devices which will likely not have the level of security associated with more complex devices. The utility of IoT is almost endless. Therein lies the difficulty. It becomes difficult to manage the consequences of that utility. Often these manufacturers will be new to computing and software and may lack the necessary capability to properly equip devices with adequate security. This problem is compounded by a series of devices of limited security capacity being used together. From a legal perspective this raises both issues for consumer security and issues as to liability. Specifically, in relation to liability, the difficulty lies in determining which component caused a problem.
From a regulatory or legislative perspective these problems may seem new or novel. In fact, they are not wholly new. Many of these security mistakes are and will be similar to those seen in the past in network and software security. As such, the regulation needed in relation to secure software architecture is very much applicable to IoT security. The importance of these concerns is exacerbated in the context of IoT by this technology becoming more pervasive and integrated into our daily lives. Any poorly secured IoT device could serve as a potential entry point for cyber-attack and expose user data left inadequately protected. Further, the ability of some devices to automatically connect to other devices again raises the concern of a consumer’s ability to control their data in a connected world.
This represents a new order. Developers and users of IoT devices will have a collective obligation to ensure that users are not exposed to potential harm. Accordingly, a collaborative approach to security will be needed to develop effective and appropriate solutions to IoT security challenges.
Proposed Legal Framework
Measures are necessary to ensure IoT devices’ resilience to attacks, data authentication, access control and client privacy. This is necessary for consumer protection and to encourage trust in IoT devices. An effective legal framework must take the evolving nature of this technology into account and would best be established by an international legislator. Necessary components of this should be that:
(i) data must be authenticated to provide protection and security to consumers;[5]
(ii) to ensure resilience to attacks, devices must be equipped to deal with single points of failure and be equipped to adjust to such failures; and
(iii) information providers and data controllers must be able to implement access control on the data provided.[6]
Given the rapid rate at which IoT develops, it is not possible to create a legal framework that governs every facet of IoT. This is for the better: a heterogeneous approach is required to best protect consumers and encourage ingenuity.
The establishment of an adequate legal framework for the protection of security and data relating to IoT raises the issue as to the appropriate legal source of that framework. Any number of regulatory models are potentially available. However, the possibility of no regulation at all cannot be considered as a solution to what will increasingly be a complex legal landscape.
National regulation will not meet the global needs of an adequate legal framework for IoT given that transactions through IoT will inevitably be cross-border. In considering the potential for a self-regulatory model, given the at times competing interests of consumers and manufacturers in respect of their data, it is not felt that self-regulation will provide robust enough protection. It has been argued that self-regulation is only adopted by stakeholders to satisfy their own interests and is therefore not effective in the protection of privacy as is the case here.[7] Therefore, for any ultimate legal framework to be effective in the context of security and privacy it must be set by a legislator at an international level.
The balance then must be struck between protecting consumers and encouraging technological advancement. The main protection then for consumers legally should be seen in the general principles of law, such as goodwill, equal treatment, fairness in business activities, legal validity of agreements etc.[8]
Regulatory differences will occur, just as has happened with cloud technology, data privacy and with many other regulated technologies. The difficulty is that governments often do not act quickly enough to keep up with new technology and when rules are created they are too rigid to be practically useful. International and principled agreement is then the best long-term solution to the difficulty of regulating IoT.
Eric Schmidt recently said ‘the internet will disappear’. However, Mr Schmidt did not mean that the internet would cease to exist. Rather it would become so omnipresent that it will cease to be noticed. Therefore, this is not a legal issue which will go away. Rather it must be effectively and comprehensively dealt with.
Conclusion
As the boundaries between the virtual and the physical world disappear it becomes of crucial importance to regulate this area. This is not an idea which is fanciful or futuristic. It affects the consumers and businesses of today.
The Internet of Things is happening now and it promises to offer a revolutionary and fully connected world. Yet this potential will disappear and be replaced with legal problems if IoT is not regulated appropriately, in a way that strikes that balance between creativity and protection.
Without them, modern business will revert back to the medieval practice of writing dangers off as unexplainable and unpreventable occurrences, the only solution being to mark off breaches with ‘here be dragons’.
Rebecca Keating has just completed the BPTC and will commence pupillage this coming October. She can be contacted at rkeating@tcd
[1] A Radio Frequency Identification tag (RFID tag) is an electronic tag that exchanges data with an RFID reader through radio waves. Benjamin Fabian, Secure Name Services for the Internet of Things, Thesis, Berlin 2008, at 30.
[2] Pieter Kleve and Richard De Mulder, Privacy protection and the right to information: in search of a new symbiosis in the information age, in: Sylvia Kierkegaard Mercado (ed.), Cyberlaw, Security and Privacy, Beijing 2007, 201, at 207.
[3] Benjamin Fabian, Secure Name Services for the Internet of Things, Thesis, Berlin 2008, at 1.
[4] Report on the Public Consultation on IoT Governance, European Commission, [2013] at 19.
[5] Rolf Weber and Annette Willi, IT-Sicherheit und Recht, Zurich 2006, at 284.
[6] Eberhard Grummt and Markus Muller, Fine-Grained Access Control for EPC Information Services, in: Floerkemeier/ Langheinrich/Fleisch/Mattern/Sarma, at 35–49.
[7] Michael Froomkin, The Death of Privacy?, Stanford Law Review, Vol. 52, 2000, 1461–1543, at 1524.
[8] Ian Brownlie, Principles of Public International Law, 7th edition Oxford/New York 2008, at 19.