Primer on IoT Devices and the Issues Surrounding Their Development

PBA Cybersecurity and Data Privacy Data Privacy, IoT Devices January 4, 2019

By Mark L. Farina, Klineburger and Nussey


As the gift-giving season concludes and we look toward the promises of a new year, now is the time to consider what additional liability those newly received electronic devices may have in store for your clients.  I am talking about electronics newly integrated in the world of IoT. 


IoT Definition 

Internet of Things, better known as IoT, is a category encompassing physical devices with an integrated capability of connecting to the internet for the reception and/or transfer of data. Have you seen those advertisements for home security systems, garage door openers, lights or even kitchen appliances that operate through your smartphone?  All of these are IoT-enabled devices. 


The addition of microchips and wireless radios enable these devices to join the IoT ranks by allowing connection to your home’s network. Your home network then gives each device a unique “IP number” (think re-assignable social security number) supporting the remote control of the device.[I]


It is important to note that, unlike computers, tablets and smart phones, the primary purpose of an IoT device is not consumption of data from the internet.  Rather, they provide data to the internet or allow for interaction from a distance through the internet.  These capabilities create a proverbial “can of worms” of privacy issues.


IoT Practically Speaking

As with most all microchip-enabled devices, the process of retrieving input from either the sensors or a user creates a digital log contained within the device. This log, typically in programing code rather than human readable text, contains a running list of what the device did and sensed, and when and who initiated the specific task.[ii]


With certain IoT-enabled products, tasks can be trigged remotely, such as turning on the lights before you get home or opening the garage door when your cell phone comes within a designated geographic range.  Other IoT device sensors record human interaction, such as when the refrigerator door is opened.


Voice assistants, a vast and ever-expanding category of IoT, have risen to prominence over the past four years.  These devices, which require a constant connection to the internet, allow for the operation of a plethora of the aforementioned products through vocal commands.  In order to provide such services, manufacturers such as Google[iii] and Amazon[iv] use an approach that involves saving voice requests (including the actual vocal recording) made to the devices on company servers, tied to each particular user’s account. By contrast and staying consistent with its companywide privacy philosophy, Apple instead chooses to use a randomly generated ID number for each request.[v] 


In practical terms, Google and Amazon’s approach yields a more responsive and arguably better product by allowing their software to “learn” about the user over time.  However, this “better” product comes at the cost of privacy for the user as their data now has broader exposure to accidental release through a computer hack.


Applications in Legal Practice

We live in an age of “big data,” where even the simple activities around the home are now being logged and tracked.  This tracking has ramifications in the legal profession as clients seek to protect their privacy, avoid violation of regulations or devise actions to take when an opposing or third-party is not honest or forthcoming.


If your client is a business concerned about IoT issues, their concern should be with both data security and proper user consent regarding such data.  This applies whether the business collects data from a person directly or is using a sensor in the environment around the consumer.


Unfortunately, the technology utilized in IoT is so new, lawyers are left to advise clients without the benefit of guiding caselaw or statutory interpretation.  It is therefore incumbent on lawyers to be thorough in their research and strive to gather the “full picture” of how devices work. 


Business Setup Considerations

It is a safe assumption that most small- to medium-sized businesses lack strong security measures.  These businesses need to take steps to understand how data flows into, is stored within and moves out of their devices.  Employees on the frontline of the business will know and understand this flow, making it imperative that leadership understand the implication of the collection, use and storage of the data.


User Notices and Agreements

For example, any business collecting user data must have a user agreement.  This agreement should include language that ensures all data collection is transparent. The business should also monitor that the data is sufficiently anonymized and the actual use of the data by the business falls within the defined corners of the agreement.  Actual use is far and away the most difficult to plan for.  This necessitates broad language and extensive discussions with the stakeholders who anticipate using this data in the future.


Products that collect environmental data off a sensor, such as the frequency a refrigerator door is opened, still need a robust notice accompanying any product.  Placing the consumer on notice, usually through physical documentation provided with the product, is vital to protecting against any future claims of deception or fraud.


Potential for Software Issues

Complicating business in the IoT sector is the fact that these IoT-enabled devices use software not created by the device manufacturer, leading to blind spots in liability.  Manufacturers must be selective in what software they choose to utilize in order to avoid crippling liability brought about by widespread adoption of their device.  Options usually boil down to open-source or proprietary language.  Both contain trade-offs too numerous to mention here, but all should be reviewed, discussed and noted when preparing for future liabilities.


Best practice is the application of the Federal Trade Commission’s FIPPS principles of: 1) Notice/Awareness; 2) Choice/Consent; 3) Access/Participation; and 4) Integrity/Security.[vi]  By following these principles, most businesses will be well positioned to be insulated from potential liability.


Algorithms for “Smart” Devices

For data collected from these devices to be useful, companies employ computer algorithms to look for patterns.  Finding patterns allows the device makers to make usage assumptions, enabling the device to perform a desirable function without necessitating explicit consumer action.


Unfortunately, these algorithms can be biased based on improper example data utilized by the manufacturer or by the inherent biases of the software programmers who write the software the device uses.[vii]  Legal issues abound when the manufacturer is on notice of such biases and fails to take corrective measures.


Closing

It should go without saying, any new business venture must involve the careful review of process and product to minimize surprises and best control outcomes.  The world of IoT then adds layers of complexity to an already complicated process of taking a product to market.  Therefore, it is important that attorneys and their clients take the time to understand how each product works, specifically focusing on what and how customer data is collected and used.  A lack of understanding will ultimately lead to unwanted costs and liability.


Mark L. Farina, Esq. is an associate with Klineburger & Nussey.

[i] J. Postel, ed., Internet Protocol, DARPA Internet Program Protocol Specification, (September 1981): https://tools.ietf.org/html/rfc791

[ii] Google, Overview of Internet of Things, https://cloud.google.com/solutions/iot-overview (last visited December 24, 2018)

[iii] Google, Google Home Data security & Privacy, https://support.google.com/googlehome/answer/7072285?hl=en (last visited December 24, 2018)

[iv] Amazon, Amazon Alexa Terms of Use, https://www.amazon.com/gp/help/customer/display.html?nodeId=201809740 (last visited December 24, 2018)

[v] Apple, Apple company-wide privacy, https://www.apple.com/privacy/approach-to-privacy/ (last visited December 24, 2018)

[vi] Federal Trade Commission, Privacy Online: Fair Information Practices In The Electronic Marketplace, Report to Congress, Federal Trade Commission (May 2000), https://www.ftc.gov/reports/privacy-online-fair-information-practices-electronic-marketplace-federal-trade-commission

[vii] Will Knight, Biased Algorithms Are Everywhere, and No One Seems to Care, MIT Technology Review, (July 12, 2017), https://www.technologyreview.com/s/608248/biased-algorithms-are-everywhere-and-no-one-seems-to-care/

About: PBA Cybersecurity and Data Privacy

The Pennsylvania Cybersecurity and Data Privacy Committee analyzes cybersecurity issues and educates PBA members about legal, regulatory and industry standards that preserve the confidentiality of protected information.

Leave a Reply

Your email address will not be published. Required fields are marked *