The Internet of Whose Things?

Much talk is heard, many tweets are generated, about the Internet of Things. Interconnected devices are everywhere, from your car to your home to your clothes to your body. This interconnection, it is alleged, will lead to great benefits, though sometimes it is hard to tell how, except for the people who build them.

We have looked at the questions of security they raise and their impact on privacy, as the Net connection pumps out data about your stuff, and by not-very-distant implication about you, to … just whom? With what restrictions?

The privacy authorities in Canada and the US have also been reviewing the IoT, as it is known.

But the embedded devices all contain some kind of program or app that makes them run. In other words, software. And what do we know about software? It’s usually not bought and sold, it is licensed. A lifetime (of the device or of its owner) licence is probably included in the purchase price. There may be little or no notice of its existence or terms, and neither is negotiable.

Some typical licence terms for software involve not copying it, not transferring it to others, and not modifying it. Violating the terms may void a warranty but it may also be said to violate copyright in the software.

If you own an object but there are limits to what you can do with it, what has become of your ownership? Clearly we are all subject to laws of general application that may restrict our use of our property – whether zoning laws for real property or nuisance by-laws for musical instruments or speed limits for our cars. So some restrictions do not affect our notion of ownership.

Basic property law usually makes ‘alienation’ an essential feature of ownership: the owner can transfer the property to somebody else. For physical objects, even copyright law does not prevent that. The US has a doctrine of ‘first sale’ – after the first sale, the buyer can resell without violating copyright. Canadian law is similar, but without that label.

One can pledge one’s property as security for debt – some more readily than others, of course. One can also alter or destroy one’s property – a form of alienation.

But with interconnected devices, these rights may be less certain.


The U.S. Copyright Office considers every three years what exceptions should be made to the rule in the Digital Millennium Copyright Act (DMCA) that people must not circumvent technical protection measures (TPM – also known as digital rights management systems – DRMs). Some of these TPMs in essence restrict users more than is legitimate to protect copyright interests. Thus the Copyright Office has in the past allowed circumvention of TPMs to ‘jailbreak’ smartphones, so that owners could delete apps they did not want, or perhaps change carriers. A list of the exceptions made in 2012 is here.

In the 2015 exercise, the Electronic Frontier Foundation advocated an exception for software that runs many parts of cars. A lot of people like to repair their own cars, or modify the way they run. Also, repair shops independent of the car dealers or manufacturers provide good competitive service. TPMs on the cars’ software can prevent that. The proposal was to allow an exception “for the purposes of lawful diagnosis and repair, or aftermarket personalization, modification or other improvement”.

Some large auto manufacturers strongly opposed any exception. John Deere said that diagnostic codes were already available and authorized dealers had the capacity to repair any of its vehicles. Allowing people to avoid the TPMs would allow “pirates, third-party software developers and less innovative competitors to free-ride off the creativity, unique expression and ingenuity of vehicle software designed by leading vehicle manufacturers and their suppliers”. It would also allow illegal copying of the music and videos on car entertainment systems.

General Motors made a submission as well – saying, in effect, that people did not own their own cars. They had a licence – sometimes express, as with GM’s Onstar program, and sometimes implied – to use the software that makes the car work. At least GM admits that the licences are transferable, even if they do not have a record of transfers.

Public policy considerations do enter into the discussion, apart from property interests. Will a home repair or modification effort properly interact with all the systems in the car? Will some safety features be disabled, intentionally (maybe to make the car go faster) or inadvertently? Will a purchaser of the car know what has been done, and what vulnerabilities have been created? Will a creditor want to seize a car that has been unofficially modified in undetectable ways?

And we saw in an earlier column that people like to disable devices in their car that can stop the car from turning on. There are even businesses to do so. Is it up to copyright law to interfere?

Should the law – intellectual property law, not highway safety law – force car owners to have cars serviced only by authorized dealers? Is that consistent with ownership? Is it consistent with competition law?

Other devices

It is not just about cars. Consider the Nest thermostat – produced by a company recently bought by Google (now Alphabet Inc) for several billion dollars. Nest comes with a multitude of terms and conditions – interlocking more or less consistently: the ‘legal’ link produces a list of a dozen terms and conditions, warranties, disclosures, statements of community and other documents. Some are very long. Many are full of disclaimers about service quality, up time, and functionality with other devices, despite heavy marketing of the interoperability of many other household devices: see ” Works with Nest”. These other devices are of course subject to their own licences and disclaimers, possibly consistent with Nest’s, or not.

If one declines any of these agreements, one cannot use the product – a common experience before now for software, but not so much for thermostats, lights, fridges and other things. When things get smart, they get a mind of their own – or rather, the mind of their manufacturer. Without a conscious meeting of the minds, the owner is nonetheless bound to the limits of use decided by the manufacturer.

And one’s things did not previously generate personal data on their owners and report the data to a myriad of interconnected other devices. Is that any way to treat your owner?

Just the Beginning

The Internet of Things is already pervasive – it has been called ‘everyware‘. Interconnected things number in the billions, and estimates of growth surpass imaginable dimensions. All of those things have software of some sort in them … which limits your right to own the ones you probably thought you did.

At the turn of the century, Jeremy Rifkin wrote of the Age of Access, in which people would own less and less and access what they needed to live by contract or licence. He thought that the lack of property required a re-examination of the social contract on which our society – a capitalist market economy – was built.

Perhaps the new social contract is coming to us by our cars and our thermostats.


  1. David Collier-Brown

    Dave Taht, Vint Cerf, and I (and several hundred others!) raised this with the U.S. FCC last week, pointing out that home wi-fi routers were legally the responsibility of their purchasers, but the vendors and FCC proposed to make the repair of this compliance-critical radio software illegal. See

    As we discovered in the VW case, software can render ordinary commercial products illegal, and also frustrate the policing organizations by hiding the criminality, and then claiming the protection of the law against purchasers even discovering the illegal behaviour, much less correcting it.

    We proposed the FCC write rules allowing the responsible owners to replace the software with legal software which they own, and requiring the vendors to publish the software they do use (with copyright protection, of course) for inspection by the FCC and the purchasers.

  2. David Collier-Brown

    Returning to Canadian questions of public policy, I wonder if forcing a purchaser to buy the car vendor’s “tied” software is something we should allow?

    Conversely, I wonder if a vendor, by attempting to tie the future repair of the car to their own dealers by means of the copyright on software should not be a misuse of the copyright regime, and perhaps the creation an unregulated monopoly?

    It would arguably be a good policy to regulate in the most stringent of terms a monopoly created through the (mis-)application of copyright law to the internal components of a purely “functional” mechanical device with little creative or literary content…

  3. Apropos to the US context and DMCA:
    The Library of Congress came through with Class 21 a day or two ago, adding another exemption to what can be punished under the DMCA pursuant to its fail-safe powers under that Act.
    The LoC has the power to exempt certain classes of copyrighted works from the statute’s blanket prohibition against circumventing technological measures that control access to (i.e. lock up) those copyrighted works.
    In the case of Class 21, we see a fortunate suspension (albeit temporary, because the exemption is only good for 3 years at a time) of what is IMHO a simply ridiculous law. Class 21 deals with vehicle software diagnosis, repair and modification.
    It beggars belief that it should have required such herculean efforts by the EFF and other principled intervenors to suspend the iron hammer of the DMCA — a 1998 law written to penalize software & music piracy (cracking software and CDs) — from being used as a blunt intimidation tool by corporations against researchers and watchdogs whose only wish is to peak out the blacked-out windows of this runaway train and warn us of the pending risks we (the occupants) face. We are hurtling down the track towards a canyon rife with unknown risks (Jeep’s entertainment console’s zero-day vulnerability that allowed hackers to hijack core vehicular controls), deliberate deceptions (VW’s emissions cheats) and corporate power plays (like using anti-circumvention measures under DMCA s.1201(a)(1) to force auto consumers to spend money in the unregulated monopoly of manufacturer-authorized repair shops and tools).
    Laws like the DMCA’s anti-circumvention provisions or DRM protection laws are a good opportunity to reflect on the law of unintended consequences: beware the unintended drawbacks that broad restrictions may have on future consumers; and never doubt that big money will pounce on an unexpected benefits from such legislation.
    The LoC regulation will be published today officially, but is available here too:

  4. Great, thanks, Nate. I knew that the exemption order would be along shortly. Glad to have the link here. (The discussion on cars and farm vehicles is at pages 39 – 43. The exemption takes effect in one year, to give regulatory authorities a chance to decide if they need to limit modification for other reasons than protecting copyright.)

    On the other side of the picture, there is a bill currently in development in the U.S. Congress about autonomous vehicles and highway safety issues generally. Among other things, it would make it a criminal offence punishable by fines up to $100,000 to modify software in motor vehicles, whether to repair them or otherwise, without authorization. Section 302 of the bill:

    Section 30122 of title 49, United States Code, is amended by adding at the end the following new subsection

    (d) It shall be unlawful for any person to access, without authorization, an electronic control unit or critical system of a motor vehicle, or other system containing driving data for such motor vehicle, either wirelessly or through a wired connection.

    ´  CRITICAL SYSTEM.—The term ‘critical system’ means software, firmware, or hardware located within or on a motor vehicle that, if accessed without authorization, can affect the movement of the vehicle.

    ´  Maximum civil penalty of $100,000 per vehicle or part of vehicle affected.

    Clearly some parts of the U.S. government are more beholden to the auto manufacturers than others.

  5. Here’s an accessible overview of the exceptions recently decreed to the non-circumvention rule of the DMCA. While owners of land vehicles may circumvent the TPMs, repair shops may not. So copyright protects not only against copying but against competition in services.

    (h/t Dan Pinnington, for the link but not the comment…)

  6. Not only do your things give personal information to their makers, they may turn you in to the police. This story involves a device in a car that called 9-1-1, though the owner of the car had left the scene of the accident. I suppose overall that’s a good thing.

  7. How many householders does it take to change a lightbulb? If it’s interconnected, householders will need the help of a lawyer. Your lightbulb socket may refuse to take a competing brand, because it’s not approved software (i.e. the stuff sold by the manufacturer of the socket).

    It’s getting a bit personal…