IoT devices are easy to attack but finding out who to blame for the loss of your data is a problem, warns John D McGonagle
WHO’S at fault when your new smart TV tells your central heating to set at full heat in the middle of July? Or worse, where does the blame lie when your phone’s encryption is easily overriden by a malicious hacker, hell-bent on retrieving your personal information?
Welcome to the Internet of Things (IoT), the network of physical objects, devices, vehicles, buildings and other items embedded with sensors, and network connectivity, allowing them to collect and exchange data with other objects.
Some of these devices are useful, like smart meters able to record consumption of electronic energy. However, some could charitably be described as solutions looking for problems, such as Samsung’s new Family Hub – a smart fridge with an exorbitant 21.5 inch TV display. And some, such as smart irons, seem absolutely useless; if you’ve burned your shirt, you don’t need a smart sensor to tell you.
Google recently spent $3.2 billion to acquire Nest, a company which enables the connection of thermostats to smoke detectors and smart phones. Similarly, Apple intends to bring together simple home gadgets and present them all in its ‘HomeKit’, a single user interface on a smartphone or tablet. It’s not surprising technology companies want to connect everything to the web – it has been established apps lead to more data and subsequently more revenue.
There are, however, privacy concerns which accompany these developments. The expansion into the home and all other areas of a customer’s life allows for a consolidated x-ray view of consumer data, and there’s plenty of evidence to indicate IoT devices are particularly vulnerable to vindictive attack.
California-based software security HP Fortify recently found 100 per cent of smart watches could be hacked and health data stolen and US engineers have hacked the steering controls of Toyota and Ford cars via IoT radios. Baby monitors have even been hacked for no other purpose than in order to shout insults at tired parents. As IoT devices become more widespread, such security breaches will become less forgivable once they affect mainstream consumerism.
Specific contractual issues also arise from sharing big data through connected devices – who is liable if such data is inaccurate? If the data provider is entering into an agreement on a commercial basis, it would be reasonable to expect them to take the risk for the accuracy of the data they provide. If a data provider makes information freely available, its disclaimers must be suitably robust to limit their liability for the use of such data.
Away from the topical drama of data security, big data and cyber-attacks, IoT devices will inevitably malfunction. Last month, a routine software update caused some Nest thermostats to fail without reason. Fixing the thermostats (and restoring heat to homes) required homeowners to follow a complex procedure involving detaching the faulty device from the wall. Liability for faults in products has traditionally been managed through risk-allocation in contracts, and flows from the retailer to distributors to manufacturers. But can you blame the software developer when your smart iron keeps burning your shirt? The investigation of losses will become more complex, and establishing liability will become more difficult as popularity increases.
In the future, a consumer will want their rights to extend to their machines, but traditional analysis of contractual offer and acceptance, and the existence of binding contracts, will become complicated where machines are automatically interacting. After all, it may not always be obvious or implied that a machine has authority to act on its owner’s behalf.
Taking a more strategic view, IoT will undoubtedly lead to the proliferation of valuable technology. However, serious questions still remain. How will it be protected? Will it be patentable? IoT devices will also require cloud computing power to collect, store, analyse, search and deliver vast amounts of data. Cloud computing terms of service are notoriously pro-supplier and many pitfalls await those who do not scrutinise the details.
Remember though that it’s not all doom and gloom – Glasgow recently won £24m of government funding to become the UK’s first “smart city” – and now has IoT streetlights which can turn themselves on!
• John D McGonagle is senior associate in the Intellectual Property and Technology team at DLA Piper www.dlapiper.com