The Internet of Things: Key legal issues

The Internet of Things (IoT) is a rapidly expanding network of everyday web-connected and interconnected smart devices, buildings, vehicles, and other things that are embedded with sensors or microchips, including radio-frequency identification (RFID) chips, that enable them to collect, use, process, analyze, transmit, store, and share data. Experts estimate that by the year 2020, more than 50 billion devices are likely to be connected to the IoT. This Practice Note provides an overview of key legal issues related to the IoT, including the benefits and risks of the IoT and IoT privacy and data security regulation under U.S. federal law.

Types of IoT devices

The IoT developed out of the convergence of multiple technological advances in microelectromechanical systems (MEMS) (also known as micromachines), wireless communications, Internet applications, and other technologies. It includes devices and things for consumer, business-to-business, and machine-to-machine use in areas such as:

• toys and games (talking dolls that are connected to the cloud to enable them to listen to a child’s voice and respond, and basketballs embedded with sensors that measure a child’s dribbling and shooting skills and transmit the data to a smartphone)
• healthcare and fitness (wearable fitness trackers and implantable medical devices)
• home gadgets and monitoring systems that control security, appliances, televisions, thermostats, lighting, window shades, and smoke alarms
• manufacturing (technology that promotes worker health and safety, and optimizes production to meet manufacturing demands)
• transportation and distribution (self-driving vehicles and inventory management systems)
• energy and utilities (technology that monitors energy usage and infrastructure)
• agriculture (technology that controls optimal crop watering and fertilization)
• smart cities (technology that controls street lights or reports drivers’ moving violations)

The IoT generally does not include desktop or laptop computers, although these devices can communicate with IoT devices. To provide IT and software professionals with a common vocabulary with which to discuss IoT technology, on July 28, 2016, the National Institute of Standards and Technology (NIST) announced the release of Special Publication 800-183 – Networks of ‘Things’.

IoT benefits

Because the IoT collects, analyzes, and stores many different kinds of data, it benefits both companies and consumers by:

• Encouraging innovation – communities that promote their use of services connected to the IoT are attracting new residents and businesses.
• Customizing products and services – by using the data received from a wearable medical device, doctors can tailor medication dose and other treatments to a patient’s medical condition.
• Simplifying logistics – by using IoT devices that measure soil and water conditions, farmers can better plan when and where to plant their crops.
• Increasing efficiencies – by using IoT devices that measure road conditions, manufacturers can reroute delivery trucks that encounter bad driving conditions.
• Reducing costs – by using IoT devices that monitor street lights, a city can time them to go on only when they sense that passers-by are on the sidewalk, which reduces electricity use.
• Making life more convenient – by using a smartphone app with a home security system that is connected to the IoT, parents at work can monitor their children’s safety at home.
• Advancing scientific discovery – by using IoT sensors on sea buoys, scientists can gather data about changing sea levels, currents, and temperatures to support climate research.

IoT risks

Although devices connected to the IoT benefit companies and consumers, they also carry certain risks because they:

• Often lack effective security, encryption, or privacy controls, leaving them vulnerable to hackers and other parties seeking unauthorized access to sensitive health or financial information. (For more information on common cyber-attack scenarios and actions that companies can take to prevent or respond to attacks, see Practice Note, Cyber Attacks: Prevention and Proactive Responses).
• Contain inexpensive, disposable microchips. As a result, device manufacturers lack incentives to develop software updates to protect users’ data.
• Provide entry points into other computer networks and systems. For example, on October 21, 2016, a Chinese manufacturer of webcams and DVRs confirmed that weak passwords in its devices enabled a massive Distributed Denial of Service (DDoS) attack on Dyn, a major Domain Name Server host based in New Hampshire, leading to nationwide Internet service disruptions.
• Enable increased government and law enforcement monitoring of consumers’ daily activities in the home, on the street, at the office, at school, or in cars leading to civil liberty violations.
• Enable cross-device tracking by companies, which allows them to aggregate consumer information to create personal profiles without consumers’ knowledge or consent (see The IoT and Big Data Analytics).
• May pose a threat to public safety. This can happen, for example, if:
  • self-driving cars crash due to a malfunction or hacker interference;
  • a drone intercepts an in-flight airplane; or
  • someone with criminal intent obtains the precise geolocation of an intended victim to commit a crime.
• May knowingly or unknowingly lead companies to make discriminatory decisions (see The IoT and Big Data Analytics).

View even more on IoT, including privacy and data security regulations and FTC enforcement by viewing the Practice Note.

About Practical Law

This look at the major issues on the horizon for corporate counsel comes from Practical Law – an online legal know-how service. View all the looming issues now – compliments of Practical Law The Journal, which covers the latest transactional and compliance topics that impact your practice. To gain access to more related know-how resources, please visit us.practicallaw.com.

Follow us on Twitter