Column

Legal Snapshots From the Internet of Things

Everybody knows that computers are everywhere. This is old news. It used to be that a mechanic could fix an errant brake light in my car for 15 minutes of labour and a 15-cent bulb. Now I need a computer diagnosis and the replacement of a sophisticated multi-function panel. Hmmm – $175.00. Progress!

What may still be news is the degree to which the computers are talking to each other – and if they can talk, then they can be overheard.

Let’s start with cars. Richard and Cheryl Balough point out that the average car these days can run some 70 computer systems, all of them interlinked for completeness of diagnostic capacity and no doubt for ease of design. What this means, among other things, is that all the systems in the car can be accessed through any one system – whether the entertainment system (slip in a compromised CD or USB), the remote-entry key signal (interceptible by by-standers), or even the tire-pressure reader that reports back to the central monitor.

US federal law requires cars to have diagnostic capacity that can be read by mechanics. Not all of these systems are produced by the car’s manufacturers. There is an after-market. This means that the technical specifications are known more widely, and thus available to people who do not have the owner’s best interests in mind. Someone could interfere with a car’s operations, either starting it for his or her own purposes or stopping it unexpectedly. The potential for chaos, not to say carnage, is significant. Vehicle-to-vehicle communication is growing, to avoid accidents or allow the ‘safety’ of self-driving cars. No doubt it brings with it the possibility of hijacking. Could really bad guys attack a whole fleet of cars?

Shrinking the scale for a moment, consider devices implanted in people’s bodies, like a pacemaker. Again to facilitate diagnosis, these devices can often be read and even adjusted without the wearer having to undergo surgery. This makes these devices susceptible to outside interference, accidental or intentional. For example, it is possible to hack into insulin pumps worn by diabetics. The consequences are obviously serious.

One does not need to be the target of an attack, or of negligence, to be affected by it. A US company that was paid to install a robot-controlled parking system in a garage shut the garage down over a dispute with the garage’s owner over the licence fee. Too bad about the cars trapped inside. Remote access makes this kind of interference easier. There isn’t even a parking-lot attendant with a padlock for irate drivers to accost.

Consider as well that a lot of devices that do not yet contain computers at least send data to computers, which can combine and analyse the data in interesting and unexpected ways. Electric cars that are charged on the smart grid may be identifiable individually at the outlet to which they are plugged – so if you are visiting somewhere you should not be, perhaps you should have a full charge before you arrive.

Refrigerators connected to the Internet were a kind of meme for ‘smart’ things for a time – wouldn’t it be helpful if the refrigerator could read the best-before dates on the perishables and report them out to the owner? But do you want your insurance company knowing the amount of deep-dish double-cheese pizzas you are eating? (Perhaps your pizzeria is selling that information, but that’s a different question.)

More tales from the grid can be found in the ‘The Spy Who Came In from the Refrigerator’. Most of the prospects mentioned are at present beyond most Canadian grids’ capacity, but for how long?

Returning to cars for a moment: for an example of the kinds of information that cars are now collecting, consider this article in which Tesla Motors rebuts an unfavourable review by the New York Times by disclosing exactly how far and fast the car was driven, with what percentage of a charge, over the time that the journalist had had it. The car logged all that information automatically and the manufacturer (and anyone else who knew how) could figure it out and report it.

Insurance companies in the US (and Canada?) are offering rate rebates to drivers who allow them access to the on-board diagnostics, since it allows the insurers to analyse the driving behaviour – speeding, for example – and set a rate by how the car is driven. Law enforcement authorities are often interested in the diagnostic systems after an accident. Can your car turn you in? Will the leasing company or the rental agency turn you in, or charge you for violating the rental agreement based on evidence from the on-board system?

Ought there to be a law? We rely here a great deal on section 342.1 of the Criminal Code that prohibits the unauthorized access to computer systems – where the access is fraudulent and without colour of right. The interception of signals to or from a computer system is separately banned.

But how far does colour of right go? Is it acceptable if the terms of use or licence agreement allow the communication? For that matter, will we ever buy anything in this brave new world, or only take a limited interest by licence? What limits can apply in a licence arrangement? A notorious example of a surprising capacity to control ‘things’ remotely (in time and place) was Amazon.com’s erasure of the text of the novel 1984 from its Kindle readers because it turned out that the edition ‘sold’ was subject to a copyright claim. People who had bought the text in good faith found their e-books and study annotations gone. Amazon apologized, but who knows what other powers it might have over what people read on its Kindle e-readers? Can – and does – Amazon track everything Kindle owners read, and their annotations, and does it sell that information? What about the sellers of other e-readers?

Will Canadian privacy laws prevent such incidents or such general tracking? First, one has to know what is happening, and the imagination can scarcely keep up with the reality. PIPEDA applies to commercial collection, use or disclosure of personal information, but just what is ‘commercial’? Reselling personal information is a pretty clear case. A licence ‘agreement’ is not a definitive solution for the party that wants the information, since one cannot collect (or use, or disclose) information even with the consent of the individual unless the collection (use, disclosure) is ‘reasonable’. (PIPEDA s. 5(3) ) That said, enforcement of privacy rights, alone or in the face of a broadly-worded ‘consent’, may not be easy, fast, or cheap.

One hears a lot of talk about the Internet of Things, where billions of objects will be connected to each other, each with its own IP address. We seem to be making uneven progress to that destination, but the pioneers are encountering some uncomfortable challenges. Some of them are elaborations of familiar assaults on privacy, though there is some novelty in the ability of data miners and aggregators to formulate meaningful profiles of us based on apparently fragmentary and insignificant information. Privacy statutes that focus on particularly sensitive bits of data, like credit card or social insurance numbers, are too limited on that Net. Such statutes will never mention the expiry date on your Brie. Fortunately Canadian statutes tend to define personal information more generally.

Other manifestations of the Internet of Things, those based on computer communications among objects we think of as inanimate, such as those described in the opening part of this note, present different challenges. The language of the Criminal Code may be comprehensive, but the best security is in prevention, not prosecution. The challenge will be to keep up with technology so we know what the threats are, and with luck, have some idea how to avert them.

On the other hand, perhaps we do not really want to avert them. We may prefer the convenience, even the cool factor, of interconnectedness. Or we will sell our information directly, for a reduction in our insurance rates.

Is there work for law reformers in the Internet of Things, and if so, where should they start?

Retweet information »

Comments

  1. A couple of related items posted earlier this week on the ULC-Ecomm list: the capacities of General Motors’ Onstar system and a popular overview on web-connected cars. And we had a foretaste of some of these issues in Slaw back in September 2012.

  2. I finished this note by asking if there is work for law reformers in this area. It turns out that the European Commission was asking the same thing. Here is a report on the results of its survey on that subject.

    Do those reasons apply in Canada?

  3. Alerted perhaps by its reading of Slaw, the Federal Trade Commission has asked for public comment on the “Privacy and Security Implications of the Internet of Things.” One has until June to to submit comments.

  4. Bruce Schneier has a typically thorough and knowledgeable review of the surveillance issues on the Internet of things. One of the comments is ‘on the Internet, nobody used to know that you’re a dog’. Capacities are changing.

  5. The vulnerability of cars to being hacked is getting wider recognition. From the article:

    Two years ago, academic researchers hacked a car’s computers through cell phone and Bluetooth connections, the car’s CD player and tire pressure monitoring system. Experts say hacking will get easier as cars increasingly rely on Internet access and computer-controlled safety devices

  6. The FTC has now held its workshop on the Internet of Things. Here is a law firm’s report. The FTC will be reporting itself in a couple of months. Meanwhile submissions may still be made to it. (An archived webcast of the workshop is available on the FTC’s site as well.)

    To some extent it seems to me that the issues that arise in the discussion do so because the US has no generally applicable law of privacy, so each disclosure of each type of personally identifiable information has to be provided for individually.

    Would most or all of the instances discussed in the report raise any questions in Canada about whether PIPEDA would apply, and thus anyone collecting, using or disclosing the personal information would have to have consent of the people connected to the Internet by their ‘things’?