You may have heard of the ‘Internet of Things’ (IoT). It is the new buzzword going around about new technologies, along with artificial intelligence and blockchains. But many people are actually already using IoT. If you have a smart watch, a smart refrigerator or an Alexa at home, they are all IoT. However, as much as they make our lives easier, IoT also raise serious legal issues. Here, we will discuss what exactly IoT are and some key legal issues they raise.
What is the Internet of Things?
Simply, the Internet of Things (IoT) refers to devices that are connect to the Internet for the purposes of sharing and collecting data with other devices. Examples include a Fitbit that connects to your smartphone to share data about your health. Another example is a smart light bulb that you can switch on and off with your smartphone.
It is expected that IoT will dominate the future. Everything from your toaster, your car, refrigerator and fitness equipment could talk to each other and your phone and computer. They could share data about your calendar, activity levels, mood, diet and location to each other. With this, your devices can make sure that you’re not late to your appointments and that you’re in shape. They could anticipate what you want or need so that your life becomes a little easier.
On a larger scale, governments can use IoT to collect data about the people’s activities to create smart transport systems. They could make sure our streets are safer through a network of security cameras or sensors that detect suspicious activity.
Companies can also use IoT to track its manufacturing machines, so that they are immediately notified if any of them malfunction. Stores can share data about customer behaviours and preferences to improve customer experiences and products.
Key Legal Issues involving Internet of Things
IoT certainly can provide greater convenience and useful knowledge in our lives. However, there are concerning aspects that can impact our legal rights.
Some key legal issues include the following:
1. Privacy
IoT can collect highly intimate details about your life. Your movements and activities, details about your house and frequented places, your age, health and background can all be collected by IoT. It could also collect biometric data, such as your appearance, fingerprint and voice, much of which smartphones already collect. If the government or company which owns the device or the software has a privacy agreement that allows access to and use of this data, this could severely breach your privacy. This is complicated by the fact that IoT could potentially share data across multiple devices, meaning that data collected by one device can be transferred onto a different device. This could allow entities to collect data that they otherwise would not be able to on a single device.
With your data, companies could create personalised advertisements based on your habits. Governments could implement policies based on what they learn about their citizen’s behaviours. As a more sinister example, companies could sell your data to other companies for whatever purpose they want to use it for. This is what happened in the privacy breach scandal involving Facebook. Facebook sold personal data it collected from users to Cambridge Analytica, which it used for political advertising purposes. IoT will allow entities to collect more of your personal data, which they could use for purposes you don’t necessarily agree with.
2. Security
Related to the above, IoT can put your security at risk. If your devices don’t have robust privacy and cybersecurity protections, your devices could be hacked. Unfriendly entities could access private information about your movements and biometrics which could put your security at risk. Not only this, but hackers could hack into one device to control another device. There are already many devices that one can control remotely via their smartphone, such as lamps and doors. If IoT capabilities expand, one may even be able to control their car remotely. This of course raises serious consequences risks to a person’s physical safety. Driverless trains and cars have already been criticised for this reason. As IoT develop, cybersecurity protections and policies also need to strengthen.
3. Legal liability
When something goes wrong and you’re looking for the person responsible, the question you ask is “who done it?” However, with IoT, the question won’t be that simple. Say that you have a smartphone which has an app. You use the app to control your smart house, such as to open doors, windows and turn on the lights. One day you notice something off about your phone. You return home to find that the television and your box of jewelries are missing. A hacker has hacked into your phone, got into your app and controlled your door to enter the house. Whose fault is it for this security breach? The manufacturer of the smartphone? The creator of the app? The designer of your smart home?
The high interconnectedness that IoT allows means that when something goes wrong, such as via a security breach or a device malfunction, it will be difficult to determine who is responsible. This can make legal battles very complex and expensive. Therefore, as the use of IoT continue to increase in our lives, policies that address legal liability for IoT need to be developed.
What is being done about these issues?
In Australia, laws that specifically address IoT don’t exist at the moment. The Privacy Act 1988 (Cth) and the Telecommunications Act 1997 (Cth) currently deal with privacy and cybersecurity issues. For example, it is an offence under the Telecommunications Act for telecommunication service providers to use or disclose particular personal information about a service user. The Privacy Act also requires collectors of your personal information to disclose how your information will be stored and used. Contractual and consumer protection laws deal with questions of legal liability for malfunctioning devices. However, these Acts are outdated and don’t account for the worsening of privacy and security issues due to IoT as explained above.
Code of Practice on Securing the Internet of Things
In order to address these issues, the Australian Government recently released a Code of Practice on Securing the Internet of Things for Consumers. These are a set of voluntary principles that entities involved with IoT can adopt. Some of these principles include:
- No duplicated default or weak passwords – passwords should be unique, unpredictable, complex and unfeasible to guess, and not resettable to any factory default value that is common to multiple devices.
- Implement a vulnerability disclosure policy – IoT service providers should provide a public point of contact for security researchers and users to report issues
- Keep software securely updated
- Ensure that personal data is protected – data should be collected in accordance with the Privacy Act and privacy settings on a device should be set to privacy protective by default
- Ensure software integrity – software should be verified and if unauthorised change is detected, the device should alert the consumer/administrator
While this Code does provide a useful guideline, it is voluntary and perhaps not strict enough. As IoT rapidly develop and become more integrated into our lives, the law needs to catch up to provide greater protection over our most sensitive information.
Conclusion
As we are already seeing with the emergence of smartphones, the Fitbit and Alexa, Internet of Things are already becoming a common feature of our lives. Many other everyday devices and appliances, such as vacuum cleaners, refrigerators, coffee machines and cars are likely to integrate more and more ‘smart’ features. As these devices communicate information about our movements and habits to each other, they will make our lives easier and probably healthier. Governments can also use IoT to make our streets safer or transport systems more efficient. However, as IoT become more attuned to our lives, more of our privacy and security will be at risk from hacking or use by governments and corporations. The hope is that our laws quickly catch up to these developments in order to safeguard our personal lives.