New Zealand Law Society · Cyber Law Conference – April 2016 – Clive Elliott QC
The “Internet of Things” represents a real paradigm shift:
The internet of things is here. Few revolutionary technologies have created new value pools, displaced incumbents, changed lives, liquefied industries, and made a trillion dollar economic impact. That is, until the internet of things (IoT) sprang to life.1
Technology research company Gartner predicts that by 2020 there will be 26 billion smart interconnected devices in the world. Each object and individual will have a unique identifier. This enables data to be transmitted automatically over a network without necessarily requiring any human-to-human or human-to-computer involvement.
The World Intellectual Property Organisation (WIPO) points out2 that the area of wearable technology includes new innovative areas such as wearable computers or devices, augmented reality (AR) and virtual reality (VR), all of which are manifested in a new trend known as the ‘quantified self’, described by Deloitte as a ‘mass niche’ sector that generated approximately $3 billion in 2014 alone. Accordingly, it is no longer a technical curiosity, but big business.
In its draft Data Protection Regulation, the EU Commission has proposed a number of measures to address this phenomenon, including placing a much greater emphasis on privacy; ensuring that privacy by default exists by providing for minimal accessibility of personal data; stressing the need for consent when personal information is involved; providing more comprehensive guidelines on data collection for profiling purposes; ensuring tighter enforcement; and providing significant monetary sanctions for breach. All of these are important topics in their own right.
Significant issues remain to be resolved. These include multijurisdictional issues and conflicts between public and private interests. The US Internet Society has produced a discussion document to facilitate informed debate amongst stakeholders. The paper describes the principal issue as follows:
One set of issues surrounds crossborder data flows, which occur when IoT devices collect data about people in one jurisdiction and transmit it to another jurisdiction with different data protection laws for processing. Further, data collected by IoT devices is sometimes susceptible to misuse, potentially causing discriminatory outcomes for some users. Other legal issues with IoT devices include the conflict between law enforcement surveillance and civil rights; data retention and destruction policies; and legal liability for unintended uses, security breaches or privacy lapses.3
Importantly, regardless of the purpose or source of the particular device, one thing in common is that most include some form of cloud service and all have some form of mobile application to access or control the device remotely.
Hewlett-Packard has commented on the rather troubling statistic that 70% of relevant devices contain vulnerabilities involving password security, permissions and encryption. To date, a number of situations have arisen where Internet-connected devices have been used for improper purposes, whether in cars, medical devices, children’s toys or TVs.
In February 2015 the U.S.-based privacy group, the Electronic Privacy Information Center (EPIC), asked the Federal Trade Commission to investigate Samsung’s practice of collecting and using customers’ private communications.4 This occurred when interactive voice commands using voice to text recognition software were retained and transmitted by Samsung. EPIC contended that the practice breached the US Electronic Communications Privacy Act, which prohibits the “interception and disclosure of wire, oral, or electronic communications.”
This complaint illustrates the rather graphic disconnect between increasingly smart devices and consumers who are not aware of the capabilities of the technology and are not sufficiently tech savvy to adequately protect their own interests.
Those who are more technically minded will know that one way to defend against IoT attacks is to adequately segment networks. However, this requires the creation of a number of different networks; in other words, having separate networks for IoT devices, for personal computers and mobile devices, and for work-related workstations and servers. Other relatively straightforward precautions include changing the connected device password immediately upon purchase and then regularly changing the password. However, while most users know that it makes sense to change passwords regularly, not everyone is fastidious in doing so.
This is just a quick snapshot of some of the issues that we are going to have to grapple with in our session today. We propose to investigate what the IoT means, how it works in day-to-day life (both today and in the foreseeable future) and how in the future it is likely to impact on society and our wider social and legal norms.
1 Sri Solur, GM Wearables and IoT, HPE. The internet of things and wearables: Driving the next phase of personal computing: h30614.www3.hp.com/Discover/Events/LasVegas2014/SessionDetail/b91e8602-2768-409a-a07a-487618cdd630. Referred to in the 2015 Hewlett-Packard Enterprise study “Internet of Things Research Study”.
2 The Brave New World of Wearable Technology: What Implications for IP? Emma Poole, Executive Research Officer, WIPO, June 2014.
3 The Internet of Things (IoT): An Overview – Understanding the Issues and Challenges of a More Connected World, 15 October 2015 http://www.internetsociety.org/doc/iot-overview.