Internet of Things and Law

INTERNET OF THINGS AND LAW

By

Kamran Adil

INTRODUCTION

Invariably, the latest technologies throw up challenges and opportunities; Internet of Things (IoT) is the latest of these technologies, which is developing at a fast pace due to combination of factors like explosive growth of cloud computing and availability of increasingly less expensive electronic devices. The chief question of the relationship of the state power vis-à-vis emerging technologies has not yet settled, and the raging debates include the possibilities of regulating social media platforms like the Facebook by law. The instant write-up is exploratory in nature and may provide a brief survey of the attempted regulation of IoT through law in the US and how the approach taken in the US may become relevant to Pakistan in future.  

THE CONCEPT OF INTERNET OF THINGS (IoT)

The genesis of the concept of Internet of Things (IoT) has been recorded by the Senate Judiciary Committee that was examining the law about connected devices that was enacted in September, 2018. The following excerpt of the Report of the Senate Judiciary Committee provides a detailed resume of the concept and economic potential of the IoT in the following words:

“Kevin Ashton is widely credited with coining the phrase “Internet of Things” (IoT). The concept arose from his research at MIT for Proctor and Gamble concerning “smart packaging.” The phrase refers to technology that allows an ever-growing list of devices to communicate wirelessly with other devices. Two decades later, the concept is well known and has gained increasing steam in recent years. Currently, everything from toasters and baby dolls, to cars and televisions are connected to the internet, gathering and applying a wide range of information. This technology has limitless possibilities. It has revolutionized the capabilities of medical devices and made shopping easier. Industry experts foresee a dramatic expansion in the years ahead with household goods, including refrigerators, washing machines, dishwashers, and thermostats. The CEO of Cisco has declared that IoT will generate $19 trillion in profits.

However, along with the promise that IoT brings comes serious privacy and security concerns. Corporations are rapidly networking the physical world and gathering data from everything. Many of these devices collect a vast amount of personal and intimate information. If not properly secured, this immense amount of private information can be vulnerable to breaches. In addition, many of these devices can be directly hacked into, allowing strangers to conduct surreptitious surveillance on homes or to communicate through devices directly. Perhaps most disturbing, consumers may not even be aware of the full capabilities of these products or the information that is being collected. Recent research indicates that the number of devices will climb from 6.4 billion at the end of last year to 25 billion by 2020. This incredible growth further emphasizes the need to address security and privacy concerns. As recently as last week, the Director of the FBI expressed concerns that the “zombie armies” created by IoT devices can do tremendous harm.”[1]

The above description not only elucidates the origin, concept and economics of the IoT, but also refers to the threats associated with the concept. The ‘zombie armies’ phrase says it all.

LEGISLATIVE EXAMPLES AND PAKISTAN

For a country like Pakistan, where the legal literacy is low and the trade off between the security and privacy is in the favour of the former, the concept may not excite immediate interest. However, in the long run, as and when the societal response increases, the likelihood of legislating on the IoT may gather momentum. In this regard, three recent developments in the US may be instructive to firm up views for any future legislation in Pakistan on the subject.

These three developments are as follows:

I-      In the first development, Republican Senator Mark Warner of the US moved a Bill[2] titled as ‘Internet of Things (IoT) Cybersecurity Improvement Act, 2017’ in August, 2017. The preambular introduction states the aim of the bill in the following words: 

“To provide minimal cybersecurity operational standards for Internet-connected devices purchased by Federal agencies…”[3]

While the law’s title includes the term ‘Internet of Things’(IoT), it does not define the term and instead chooses the term ‘internet connected devices’ and defines it in the following terms:

‘‘Internet-connected device’’ means a physical object that

(A) is capable of connecting to and is in regular connection with the Internet; and

(B) has computer processing capabilities that can collect, send, or receive data.”[4]

The Bill, then, defines the ‘security vulnerability’ as ‘any attribute of hardware, firmware, software, process, or procedure or combination of 2 or more of these factors that could enable or facilitate the defeat or compromise of the confidentiality, integrity, or availability of an information system or its information or physical devices to which it is connected’. The scheme introduced in the Bill is essentially deals with regulation of public sector procurement and the liability matrix as developed under the contract and insurance laws of the US. It also provides for a National Vulnerability Database (NVD) to be maintained by the National Institute of Standards and Technology (NIST)[5]. The Bill is in the process of consideration, but can be used as a sample to study the relationship of the society, technology and law.

II-     The second development is the law[6] that has been passed in the state of California in the US. Californian Governor Jerry Brown signed the Bill into law on 28th September, 2018. The law is styled as ‘the Security of Connected Devices Act’. The preamble spells out that the law is designed to ‘require a manufacturer of a connected device…to equip the device with a reasonable security features that are appropriate to the nature and function of the device, appropriate to the information it may collect, contain, or transmit, and designed to protect the device and any information contained therein from unauthorized access, destruction, use, modification, or disclosure, as specified.’ The law will take effect from 1st January, 2020. The law requires ‘adding of security’ features, but does not require ‘removal’ of anything from the devices. The inclusionary approach instead of exclusionary approach has been criticised by the cybersecurity experts[7].

III-    The third is a Bill that was introduced in the House of Representatives by Robert Ratta on 6th July, 2018. The Bill is titled as ‘State of Modern Application, Research, and Trends of IoT Act’’ or SMART IoT Act. The aim of the Bill is to impress upon the Secretary of Commerce to study the effects of IoT and submit a report to the Congress.

CONCLUDING REMARKS

As stated earlier, the three latest examples of attempted regulation of the IoT by law may not interest the policy makers in Pakistan, but it is likely to inform the students of law and policy that developed countries are trying to respond to technologically spurred societal changes by regulation through law. Pakistan’s experience with law so far may not be very impressive; however, the future lies in regulation not suppression of technologies.

[1] https://leginfo.legislature.ca.gov/faces/billAnalysisClient.xhtml?bill_id=201720180SB327#

[2] https://www.congress.gov/115/bills/s1691/BILLS-115s1691is.pdf

[3] Preamble of the Bill

[4] Section 2(c) of the Bill

[5] Section 3(a)(1) of the Bill.

[6] https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180SB327

[7] https://www.theverge.com/2018/9/28/17874768/california-iot-smart-device-cybersecurity-bill-sb-327-signed-law