Top 5 Legal Issues in the Internet of Things, Part 1: Data Security & Privacy

“The Internet of Things” (or IoT) is an increasingly popular shorthand term for the emerging arrangement of physical devices (other than what we’d typically think of as “computers”) that come equipped with wireless internet connectivity. Examples include smart thermostats, smart doorbells, smart refrigerators, smart cars–pretty much anything that marketers feel the need to put the prefix “smart” in front of. The new class of wearable devices–from fitness trackers to wireless cameras to smart watches–belongs in this category as well.

This is what Google chairman Eric Schmidt was talking about when he said recently that “the internet will disappear.” Rather than ceasing to exist, he meant that what we currently think of as the internet will become so omnipresent and pervasive that we will no longer notice it, any more than we notice air. “There will be so many IP addresses … so many devices, sensors, things that you are wearing, things that you are interacting with that you won’t even sense it. It will be part of your presence all the time. Imagine you walk into a room, and the room is dynamic. And with your permission and all of that, you are interacting with the things going on in the room.”

The IoT has been a frequent topic on this blog for years, and is now entering the mainstream lexicon as the technology begins to manifest itself all around us. As this occurs, the legal issues surrounding this emerging network are becoming even more apparent. Assessing which of these are the “top” issues may not be a wholly objective endeavor, but listicles like this are at least helpful devices for beginning to appreciate the breadth of concerns that the IoT raises and for identifying those which are of greatest concern to each of us.

1.  Data Security and Privacy. Any digital device with an internet connection can, in theory, be hacked. To date, hacking activity has usually been focused on large computer networks (such as corporate servers) and payment collection systems (like Target’s credit card processors). That’s because (a) the systems are distributed widely enough that there are multiple points of access to them, (b) they contain high-value data, and (c) the computer programs that run them are understood widely enough that some number of people who know how to use them will be tempted to abuse them.

None of these conditions were met when smart home devices were merely the province of small, one-off Kickstarter projects. But when mainstream companies get into the IoT game–such as when Google recently purchased Nest, the company that gained its fame through its trendy, internet-connected thermostat–such devices suddenly become plentiful, meaning that there are now many points of access, and at least some of the data they collect is likely to be valuable to someone. Their principles of operation also become much more widely understood. Suddenly, the devices become much more tempting targets.

Additional contributors to the vulnerability of these devices are the speed at which they are being developed and the general lack of accepted standards or protocols for their operation. For example, relatively few IoT devices encrypt the data they collect and transmit, and many use easy-to-guess passwords and other access credentials.

This is not a future problem, or even an emerging one; it is very much a here-and-now issue. In July 2014, researchers from Hewlett-Packard published a study on the security of 10 popular IoT devices in such common categories as TVs, webcams, home thermostats, remote power outlets, sprinkler controllers, hubs for controlling multiple devices, door locks, home alarms, scales and garage door openers. The researchers identified 250 vulnerabilities, including lack of transport encryption, vulnerabilities in the administration Web interface, insecure firmware update mechanisms and weak or poorly protected access credentials.

A full 70% of the devices in the study transmitted data over unencrypted network services, and 80% used such simple passwords as “1234.” Eighty percent. One wonders how many times such devices will need to be hacked before the public and the law demand more stringent protections.

The gap in privacy protection can be filled in a number of ways. The simplest is the current model; it seems inevitable that companies like Symantec and BitDefender will start offering anti-malware programs for our kitchen appliances and automobiles in the same way they now do for our desktops. But as the diversity and complexity of connected devices increase, more specialized services may be necessary. It may become customary for individual companies and households to hire digital privacy consultants to audit their individual collections of connected devices in the same way they currently hire vendors to install security cameras or spray for insects.

Meanwhile, the government is paying attention as well. On January 27, 2015, the Federal Trade Commission underscored the urgency of addressing IoT privacy concerns by issuing a report on the topic called “Internet of Things: Privacy & Security in a Connected World.” Although short on specifics (as FTC pronouncements often are), the report is a harbinger, laying the groundwork for future FTC enforcement action against IoT companies that fall short of implementing its privacy principles (which, at this point, is most of them).

This has been a quick summary of the threat to the privacy and security of data stored in IoT devices. The next post in this series will examine how the IoT can invade our privacy by collecting data about us.