Internet of things may create a world of legal issues

As more items get ‘connected’, determining liability may prove a challenge for lawyers


The internet of things (IoT) looks increasingly as if it will be an internet of lawsuits, where determining liability will pose a challenge for lawyers.

That is according to a group of experts at the RSA Security Conference in San Francisco last week, who discussed the legal difficulties expected as billions of items, from toasters to cars, many of them poorly designed and unsecured, are connected to networks.

The panellists said an initial problem was just defining what the IoT was and the standards that govern the “things” that were its components and their activities.

"From a formal standards perspective, we are in the early days of defining what those activities are, and most of the work published so far is in the IT space," and not the legal sector, said Eric Hibbard, chief technology officer for security and privacy at Hitachi Data Systems.

He said it may be three or four years before standards were developed and that producing them may require involving regulators and legal experts “to instil some sense”.

Critical issue

Jay Brudz, chair of law firm Drinker Biddle & Reath's information governance and ediscovery group, debated whether the IoT should even be considered a separate entity.

“Everything is a ‘thing’, so strike that useless part of the phrase. We don’t need the ‘of’, so we’re talking about the frigging internet,” he said, to laughter.

“To me [the IoT is] a definition of exclusion. We’re kind of talking about everything else” – except PCs, tablets and phones, he said.

A critical issue is the vast scope of the growing network and its connected devices that often will be too cheap or simple to incorporate any reasonable level of security.

“I think we’ve reached a tipping point here. The computational and networking capability that we have – we’re pushing a lot of intelligence out to things like caps on bottles – it’s almost silly what we’re able to put intelligence into,” said Hibbard.

“But what’s really scary is the massive scale. We’re already struggling to handle the consequences of [tablets].

“And if you look at the manufacturers that are doing this, they’re new to this space.”

This makes them less likely to know much about network and device security.

“A viable product now does not seem to have any thought put in about security. You launch them, then you fix them later,” Brudz said.

Nithan Sannappa, an attorney in the privacy and identity protection division of the US's Federal Trade Commission (FTC), said he believed ongoing legal actions by the regulatory agency would help push manufacturers to focus on security for IoT "things".

“I think the FTC, through our enforcement actions, are hopefully sending a message to industry that they need to think about security proactively.

“We’re also trying to push industry in that direction by getting them to define the update path for devices, which should place consumer pressure on them to properly support devices and maintain software.”

However, Hibbard said that one of the problems was that these devices “are really going to be stripped down, so they’re not designed to be updated or to let you get access to them.

“And, we’re going to see what I call mashups of devices. You might have half a dozen different devices used in a series that were never designed to be used together.

“That, coupled with the smarts that these devices will have, they’ll be making decisions. Some of those decisions, if you get far enough down the path, could have an impact on humans.

“From a legal perspective, this starts to open up some interesting areas.”

Specifically, the difficulty will lie in assigning liability and determining which component caused a problem.

On the other hand, said Sannappa, the IoT could go in the direction of the mobile industry.

"We have two strong platforms, Google and Apple, where all those [developers for] that platform are given pretty strong guidance," he said.

Hibbard suggested that in some developing areas of the IoT – so-called smart cities, for example – some companies “are absolutely looking at security as a competitive advantage”.

Regulation

From the regulatory angle, Sannappa said the IoT may well be a new space in terms of the types of products that are being marketed to consumers.

“But many of the security mistakes are similar to what we’ve seen in the past in network and software security,” he said.

“So you’ll see some common themes, like companies not doing any kind of secure architecture or not making changes when warned about vulnerabilities.

“The answer from the FTC is that you can look at other spaces to come up with best practice.”

Companies developing products “need a good information governance plan to show you’re properly documenting that work. You need a good information governance process, because that’s key,” said Brudz.

He said companies “should think about this in the M&A [merger and acquisition] context.

“You’re also going to be buying these companies. You’re going to want to take these things and put it in your due diligence, because the liabilities may affect [the value placed on the company].”