
The Internet of Things

Hello? Is anyone there?
Yes. This is your car speaking. How can I help you?
I need more Spam!
OK. I'll go get some.

Toronto Computer Lawyers' Group
October 23, 2014
Lisa Abe-Oldenburg

What is the Internet of Things?

• IoT or the Internet of Everything
• Anything that contains a computer processor can act as a self-contained web server to handle communication and other sophisticated functions
• Imagine a world where everything has sensors, is connected to a wired or wireless Internet network, and communicates with everything else:
  • Phones, computers, tablets
  • Homes and appliances
  • Cars and transportation
  • Wearables (computers worn on the body)
  • Machines (M2M) and manufacturing
  • Services, e.g. healthcare, energy, payments
  • Plants, livestock and pets?

Facts and Figures

• According to Cisco, during 2008 the number of devices connected to the Internet exceeded the number of people on Earth for the first time
• According to the Chartered Institute for IT, there are around 200 connectable devices per person on the planet today, and it is estimated that by 2020, 50 billion devices will be connected to the Internet
• The new IPv6 system, which will replace IPv4, will allow billions of IP addresses to be assigned – one for every object or device in the world (approx. 3.4 × 10^38 addresses)
• Google's acquisition of the connected home technology company Nest for US $2.3 billion was its second largest ever acquisition (after Motorola)

Examples

• A Dutch company has pioneered wireless sensors in cattle so that when one is pregnant or ill, it sends a message to the farmer
• Plants can now be connected to irrigation systems and decide when to water themselves
• Cars can drive themselves
• Wearable monitors can track health information and interact with hospital staff
• Fridges can determine what food their owner needs and order it for them
• Machines on assembly lines can talk to each other and order more parts or request maintenance as needed
• And yes, pretty soon your carpet will call an ambulance for you when you fall and pass out on it…

Privacy Issues

I don't feel well…
Hey carpet! This guy is about to kick the bucket! Call 911 and notify his doctor!
FOR THE PURPOSES OF MAINTAINING YOUR WELLNESS, I, YOUR CARPET, WILL BE PROVIDING YOUR PERSONAL HEALTH INFORMATION TO A DOCTOR. DO YOU CONSENT?

Privacy Issues

• Which laws and jurisdictions apply? PA, PIPEDA, PIPAs, PHIPAs
• IoT creates challenges across provincial and international borders. Can domestic legislation alone sufficiently protect personal information in the world of IoT?
• Is the data "personal information"?
  • The definition of "personal information" is generally considered to be any information about an identifiable individual

Privacy Issues

• The SCC in Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403 said broadly: "its intent seems to be to capture any information about a specific person, subject only to specific exceptions"
• The Privacy Commissioner, in its 2001-2002 Annual Report to Parliament, also stated that: "the definition ['about an identifiable individual'] is deliberately broad… It does not matter who generated the information, or how, or who technically "owns" it… information [is] personal even if there is the smallest potential for it to be about an identifiable individual"

Privacy Issues

• Information that alone does not identify an individual can be "personal information" if, in combination with other information, it could be used to identify an individual

• Federal Court determined that such data, which could be combined with other data to identify someone, is "personal information". See Gordon v. Canada (Minister of Health), [2008] CarswellNat 522 paragraph/line 34

• IoT becomes complicated as it generates BIG DATA. Data, when coupled with other available data, could lead to identifying individuals

Privacy Issues

• IoT makes compliance with the Privacy Principles underlying all modern privacy regimes complicated:
  • Accountability: organizational responsibility for Personal Information (PI) under its control – Who is in control? Push (chatter) vs. pull data
  • Identifying Purposes: at or before the time of collection of PI – Practicality? Individuals may not be aware of any data processing taking place
  • Consent: knowledge and consent of the individual required for collection, use or disclosure of personal information, except where inappropriate – Informed consent? Sufficiency? Form? Enforceability/binding? Can machines consent on your behalf? Can they bind you to contracts? Consumer protection laws and Internet contract requirements
  • Limiting Collection: PI collection limited to that which is necessary for the purposes identified by the organization – Who is collecting? How BIG is the DATA? Combined data can reveal more information about an individual and increase identity theft risk

Privacy Issues

• Limiting Use, Disclosure and Retention: PI cannot be used or disclosed for other purposes. Also, PI can be retained only as long as necessary for the fulfillment of the purpose – How do you control the data and its use or disclosure? Data filters? Handling machine requests for repurposing data? Data on the Internet exists forever!
• Accuracy: PI shall be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used – Stored data vs. real time data? Will machines know what is correct?
• Safeguards: PI shall be protected by security safeguards appropriate to the sensitivity of the information – Assessing sensitivity in what context? Security issues
• Openness: Organization shall make readily available to individuals information about privacy policies and practices – To/from machines? Which organization?
• Individual Access: Upon request, an individual can access and amend information and be informed of its existence, use and disclosure – How does a live person get access from machines?
• Challenging Compliance: An individual can challenge compliance with the principles to the designated accountable individual at the organization – Who is this?

George's Insurance Company: Hey Fridge! What food does George have in there?
George's fridge: Just pizza.
George's Insurance Company: How many pizzas does he eat in a week?
George's fridge: On average… ten.
George's Insurance Company: We'd better increase his life insurance premium!

Security Issues

• Software = hackable
• Connection = exposed
• Former VP of the US, Dick Cheney, deactivated the Wi-Fi function on his pacemaker, admitting he was afraid someone might hack it in an attempt to assassinate him
• In PIPEDA Finding #2011-001, the OPC reported on Google's inadvertent collection of data from unsecured Wi-Fi networks as camera cars documented street images for Google's mapping services over the course of several years. Google had gathered PI in excess of the purpose for which it was collected, and failed to provide adequate disclosure or solicit consent from the data subjects
• Last year, two IT experts in the US showed how easy it is to hack a car, make it brake, prevent it from braking or even make the driver lose control of the steering wheel
• Corporate espionage and employee issues

Security Issues

• The BBC reported recently that a fridge was discovered to be sending spam emails after a web attack. It was one of more than 100,000 devices used in a spam campaign – Objects are vulnerable
• A recent study by HP found that 70% of IoT devices used unencrypted network services and 80% of devices (including their cloud and mobile app components) failed to require passwords of sufficient complexity and length
• Potential for monitoring and tracking homes or wearables equipped with IoT systems to perform BIG DATA analytics and covert surveillance
• A Symantec paper (July 30, 2014) found:
  • All wearable activity-tracking devices can be tracked or located through wireless protocol transmissions by simply scanning airwaves for signals – can tell when you are not home
  • 20% of apps transmit user data in clear text, e.g. login passwords, d.o.b., address, etc.
  • 52% of apps don't have privacy policies
  • A significant number of apps contacted 10 or more different domains
  • Shared service sites did not correctly handle user sessions, allowing browsing of personal data belonging to other users of the site, or uploading of commands to the server for execution

Security Issues

• Security of objects as connection points, security of interaction between objects, and security of the ecosystem itself
• New standards, security audits and authentication may be necessary
• OPC Authentication Guidelines – if an organization does not need to identify for sure who the individual is, then it should not be collecting authenticating information. "Risk creep" as more objects become interconnected
• Medical device regulation for connected devices
  • Recent US guidelines for cybersecurity in medical devices
  • No specific guidance yet in Canada
  • Health Canada case-by-case analysis of the vulnerabilities of each device with regard to patient safety and the safeguarding of medical information
  • European medical devices directives are already undergoing substantial revision, with the expectation that two new regulations will come into effect some time in 2015
• Encryption and intrusion detection measures
• Data breach notification responsibilities

Intellectual Property Issues

• Things, objects and machines can not only talk to each other, they can make smart decisions and create literary, artistic, dramatic, musical works and inventions based on information they receive, whether from their own sensors, a person or another object or data source

I need some wings so I can fly!
I can create the flying software, upload it and design you attachable wings.
Hey 3D printer, I need your help!
Send me your code and I'll have it done in a minute!

Who owns machine-generated works?

• Who owns the data? Database rights
• As machines become even more intelligent, they will be operating not just as tools or sensors collecting data, but also as producers of works with little or no human intervention
• The Canadian Copyright Act does not protect literary or artistic works created by non-humans
• The Draft Compendium of U.S. Copyright Office Practices, Third Edition, August 19, 2014, Chapter 300 states that "the Office will not register works produced by a machine or mere mechanical process that operates randomly or automatically without any creative input or intervention from a human author."
• This assumes all machines will produce a random or predictable result

Who owns machine-generated works?

• Artificial intelligence and vast amounts of complex data and information (real-time variables) being exchanged do not create random or predictable results. The output may be quite novel or original, like the solution to a complex problem that cannot be solved within the limitations of the human brain. Should the output be protectable as a copyright work or patentable as an invention?
• Dilemmas as to who is the owner or inventor?
  • Ownership claims may come from the producers of the underlying programming, the owners of the machines, the investors in the technology, the network or machine operators, the end-user subjects about whom the data is being collected, or others

Who owns machine-generated works?

• UK and New Zealand allow copyright protection for computer-generated works

• In those countries, the author of a literary, dramatic, musical or artistic work that is computer-generated is deemed to be the person who makes the "arrangements necessary" for the creation of the work

• Copyright reform needed in Canada to remain a competitive marketplace for IoT and M2M technology

• To protect your machine-generated works in Canada under Canadian copyright law, you should ensure some creativity is contributed from a human author and that the other tests for originality and fixation are met

Patent infringement risk

• For IoT to work, it requires standardized technology
• If patents exist in the architecture, third party users may be infringing
• Standard-Essential Patents (SEPs) are patents that are essential to implement an industry standard
• Bodies who set standards impose conditions that patent licenses should be available to third parties on fair, reasonable and non-discriminatory (FRAND) terms

Patent infringement risk

• The Court of Justice of the EU is considering Huawei v. ZTE (C-170/13)

• Huawei, China’s largest phone maker, sued ZTE at the Regional Court of Düsseldorf, seeking an injunction for the alleged infringement of an SEP relating to the implementation of the LTE standard

• ZTE, a telecom company also based in China, claimed the demands for an injunction were an abuse of Huawei's dominant market position, citing that this is prohibited under European directive (Article 102, TFEU)

• ZTE claimed that, because it was willing to negotiate a license agreement to use the patent, no injunction could be issued against it

• In addition to submissions by Huawei and ZTE, the Netherlands, Finland and the European Commission submitted their views and concerns as to how the interests of patent owners and standard users should be balanced

• Final opinion of the AG is expected November 20th, and final judgment expected in early 2015

• Will affect future SEPs and licensing

Liability Issues

• Who is liable when the machine gets it wrong?
• Is there a valid and enforceable contract between machines?
  • Automated contracts
  • Provincial consumer protection laws for Internet (text based) or remote contracts may apply, e.g. requirements for disclosure of terms, writing and delivery, content of agreement, express opportunity to accept or decline, cancellation rights, amendment, renewal and extension
• Was there negligence? Product liability issues?
• Limitations on liability – certain types of liability cannot be contracted out of
• What if the machine orders/binds you to something that you cannot afford?
• What if the machine gets hacked, or has a data breach?

It wasn't me! It was my car!
You hit me!

More regulation to come

• The Canadian OPC is currently conducting various research projects related to the IoT, including a study on intelligent vehicle technology that will look at the impact on privacy of the use of telematics by automobile manufacturers and insurers

• US Federal Trade Commission held a workshop in November 2013 dealing with the IoT and is still trying to figure out the best way of regulating it

• The European Commission has undertaken a number of research projects related to the IoT

• CASL technology provisions dealing with the installation of computer programs, come into force January 15, 2015

Lisa K. Abe-Oldenburg, B.Comm., J.D.

[email protected]

Tel.: 416-777-7475

www.bennettjones.com

• This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.