The Internet of Things
"Hello? Is anyone there?"
"Yes. This is your car speaking. How can I help you?"
"I need more Spam!"
"OK. I'll go get some."
Toronto Computer Lawyers' Group
October 23, 2014
Lisa Abe-Oldenburg
What is the Internet of Things?
• IoT or the Internet of Everything
• Anything that contains a computer processor can act as a self-contained web server to handle communication and other sophisticated functions
• Imagine a world where everything has sensors, is connected to a wired or wireless Internet network, and is communicating with everything else
  • Phones, computers, tablets
  • Homes and appliances
  • Cars and transportation
  • Wearables (computers worn on the body)
  • Machines (M2M) and manufacturing
  • Services, e.g. healthcare, energy, payments
  • Plants, livestock and pets?
Facts and Figures
• According to CISCO, during 2008, the number of devices connected to the Internet exceeded the number of people on Earth for the first time
• According to the Chartered Institute for IT, there are around 200 connectable devices per person on the planet today and it is estimated that by 2020, 50 billion devices will be connected to the Internet
• The new IPv6 system, which will replace IPv4, will allow billions of IP addresses to be assigned – one for every object or device in the world (approx. 3.4×10^38 addresses)
• Google's acquisition of the connected home technology company Nest for US $2.3 billion was its second largest ever acquisition (after Motorola)
Examples
• A Dutch company has pioneered wireless sensors in cattle so that when one is pregnant or ill, it sends a message to the farmer
• Plants are now able to be connected to irrigation systems and decide when to water themselves
• Cars can drive themselves
• Wearable monitors can track health information and interact with hospital staff
• Fridges can determine what food their owner needs and order it for them
• Machines on assembly lines can talk to each other and order more parts or request maintenance as needed
• And yes, pretty soon your carpet will call an ambulance for you when you fall and pass out on it…
Privacy Issues
"I don't feel well…"
"FOR THE PURPOSES OF MAINTAINING YOUR WELLNESS, I, YOUR CARPET, WILL BE PROVIDING YOUR PERSONAL HEALTH INFORMATION TO A DOCTOR. DO YOU CONSENT?"
"Hey carpet! This guy is about to kick the bucket! Call 911 and notify his doctor!"
Privacy Issues
• Which laws and jurisdictions apply? PA, PIPEDA, PIPAs, PHIPAs
• IoT creates challenges across provincial and international borders. Can domestic legislation alone sufficiently protect personal information in the world of IoT?
• Is the data "personal information"?
  • The definition of "personal information" is generally considered to be any information about an identifiable individual
Privacy Issues
• SCC in Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403 said broadly: "its intent seems to be to capture any information about a specific person, subject only to specific exceptions"
• Privacy Commissioner in its 2001-2002 Annual Report to Parliament also stated that: "the definition ['about an identifiable individual'] is deliberately broad… It does not matter who generated the information, or how, or who technically "owns" it… information [is] personal even if there is the smallest potential for it to be about an identifiable individual"
Privacy Issues
• Information that alone does not identify an individual can be "personal information" if, in combination with other information, it could be used to identify an individual
• Federal Court determined that such data, which could be combined with other data to identify someone, is "personal information". See Gordon v. Canada (Minister of Health), [2008] CarswellNat 522 paragraph/line 34
• IoT becomes complicated as it generates BIG DATA. Data, when coupled with other available data, could lead to identifying individuals
Privacy Issues
• IoT makes compliance with the Privacy Principles underlying all modern privacy regimes complicated:
  • Accountability: organizational responsibility for Personal Information (PI) under its control – Who is in control? Push (chatter) vs. pull data
  • Identifying Purposes: at or before the time of collection of PI – Practicality? Individuals may not be aware of any data processing taking place
  • Consent: knowledge and consent of individual required for collection, use or disclosure of personal information, except where inappropriate – Informed consent? Sufficiency? Form? Enforceability/binding? Can machines consent on your behalf? Can they bind you to contracts? Consumer protection laws and Internet contract requirements
  • Limiting Collection: PI collection limited to that which is necessary for the purposes identified by the organization – Who is collecting? How BIG is the DATA? Combined data can reveal more information about an individual and increase identity theft risk
Privacy Issues
• Limiting Use, Disclosure and Retention: PI cannot be used or disclosed for other purposes. Also, PI can be retained only as long as necessary for the fulfillment of the purpose – How do you control the data and its use or disclosure? Data filters? Handling machine requests for repurposing data? Data on the Internet exists forever!
• Accuracy: PI shall be as accurate, complete, and up-to-date as necessary for the purposes for which it is to be used – stored data vs. real time data? Will machines know what is correct?
• Safeguards: PI shall be protected by security safeguards appropriate to the sensitivity of the information – Assessing sensitivity in what context? Security issues
• Openness: Organization shall make readily available to individuals information about privacy policies and practices – To/from machines? Which organization?
• Individual Access: Upon request, can access and amend info and be informed of its existence, use and disclosure – How does live person get access from machines?
• Challenging Compliance: Individual can challenge compliance with principles to designated accountable individual at organization – Who is this?
George's Insurance Company: "Hey Fridge! What food does George have in there?"
George's fridge: "Just pizza."
George's Insurance Company: "How many pizzas does he eat in a week?"
George's fridge: "On average… ten."
George's Insurance Company: "We'd better increase his life insurance premium!"
Security Issues
• Software = hackable
• Connection = exposed
• Former VP of the US, Dick Cheney, deactivated the Wi-Fi function on his pacemaker, admitting he was afraid someone might hack it in an attempt to assassinate him
• In PIPEDA Finding #2011-001, the OPC reported on Google's inadvertent collection of data from unsecured Wi-Fi networks as camera cars documented street images for Google's mapping services over the course of several years. Google had gathered PI in excess of the purpose for which it was collected, and had failed to provide adequate disclosure or to solicit consent from the data subjects
• Last year, two IT experts in the US showed how easy it is to hack a car, make it brake, prevent it from braking or even make the driver lose control of the steering wheel
• Corporate espionage and employee issues
Security Issues
• The BBC reported recently that a fridge was discovered to be sending spam emails after a web attack. It was one of more than 100,000 devices used in a spam campaign – Objects are vulnerable
• A recent study by HP found 70% of IoT devices used unencrypted network services and 80% of devices (including their cloud and mobile app components) failed to require passwords of a sufficient complexity and length
• Potential for monitoring and tracking homes or wearables equipped with IoT systems to perform BIG DATA analytics and covert surveillance
• Symantec paper (July 30 2014) found:
  • All wearable activity-tracking devices can be tracked or located through wireless protocol transmissions by simply scanning airwaves for signals – can tell when you are not home
  • 20% of apps transmit user data in clear text, e.g. login passwords, d.o.b., address, etc.
  • 52% of apps don't have privacy policies
  • A significant number of apps contacted 10 or more different domains
  • Shared service sites did not correctly handle user sessions, allowing browsing of personal data belonging to other users of the site, or uploading of commands to the server for execution
Security Issues
• Security of objects as connection points, security of interaction between objects, and security of the ecosystem itself
• New standards, security audits and authentication may be necessary
• OPC Authentication Guidelines – if an organization does not need to identify for sure who the individual is, then it should not be collecting authenticating information. "Risk creep" as more objects become interconnected
• Medical device regulation for connected devices
  • Recent US Guidelines for cybersecurity in medical devices
  • No specific guidance yet in Canada
  • Health Canada case-by-case analysis of vulnerabilities of each device with regards to patient safety and safeguarding of medical information
  • European medical devices directives are already undergoing substantial revision, with the expectation being that two new regulations will come into effect some time in 2015
• Encryption and intrusion detection measures
• Data breach notification responsibilities
Intellectual Property Issues
• Things, objects and machines can not only talk to each other, they can make smart decisions and create literary, artistic, dramatic, musical works and inventions based on information they receive, whether from their own sensors, a person or another object or data source
"I need some wings so I can fly!"
"I can create the flying software, upload it and design you attachable wings."
"Hey 3D printer, I need your help!"
"Send me your code and I'll have it done in a minute!"
Who owns machine-generated works?
• Who owns the data? Database rights
• As machines become even more intelligent, the machines will be operating not just as tools or sensors collecting data, but also as producers of works with little or no human intervention
• Canadian Copyright Act does not protect literary or artistic works created by non-humans
• Draft Compendium of the U.S. Copyright Office Practices, Third Edition, August 19, 2014 Chapter 300 states that "the Office will not register works produced by a machine or mere mechanical process that operates randomly or automatically without any creative input or intervention from a human author."
• Assuming all machines will produce a random or predictable result
Who owns machine-generated works?
• Artificial intelligence and vast amounts of complex data and information (real-time variables) being exchanged, do not create random or predictable results. May be quite novel or original, like the solution to a complex problem that cannot be solved by the limitations of the human brain. Should the output be protectable as a copyright work or patentable as an invention?
• Dilemmas as to who is the owner or inventor?
• Ownership claims may come from the producers of the underlying programming, the owners of the machines, the investors in the technology, the network or machine operators, the end-user subjects about whom the data is being collected, or others
Who owns machine-generated works?
• UK and New Zealand allow copyright protection for computer-generated works
• In those countries, the author of a literary, dramatic, musical or artistic work that is computer-generated is deemed to be the person who makes the "arrangements necessary" for the creation of the work
• Copyright reform needed in Canada to remain a competitive marketplace for IoT and M2M technology
• To protect your machine-generated works in Canada under Canadian copyright law, you should ensure some creativity is contributed from a human author and that the other tests for originality and fixation are met
Patent infringement risk
• For IoT to work, it requires standardized technology
• If patents exist in the architecture, third party users may be infringing
• Standard-Essential Patents (SEPs) are patents that are essential to implement an industry standard
• Bodies who set standards impose conditions that patent licenses should be available to third parties on fair, reasonable and non-discriminatory (FRAND) terms
Patent infringement risk
• Court of Justice of the EU is considering Huawei v. ZTE (C-170/13)
• Huawei, China’s largest phone maker, sued ZTE at the Regional Court of Düsseldorf, seeking an injunction for the alleged infringement of an SEP relating to the implementation of the LTE standard
• ZTE, a telecom company also based in China, claimed the demands for an injunction were an abuse of Huawei's dominant market position, citing that this is prohibited under European directive (Article 102, TFEU)
• ZTE claimed that, because it was willing to negotiate a license agreement to use the patent, no injunction could be issued against it
• In addition to submissions by Huawei and ZTE, the Netherlands, Finland and the European Commission submitted their views and concerns as to how the interests of patent owners and standard users should be balanced
• Final opinion of the AG is expected November 20th, and final judgment expected in early 2015
• Will affect future SEPs and licensing
Liability Issues
• Who is liable when the machine gets it wrong?
• Is there a valid and enforceable contract between machines?
  • Automated contracts
  • Provincial consumer protection laws for Internet (text based) or remote contracts may apply, e.g. requirements for disclosure of terms, writing and delivery, content of agreement, express opportunity to accept or decline, cancellation rights, amendment, renewal and extension.
• Was there negligence? Product liability issues?
• Limitations on liability – certain types of liability cannot be contracted out of
• What if the machine orders/binds you to something that you cannot afford?
• What if the machine gets hacked, or has a data breach?
"You hit me!"
"It wasn't me! It was my car!"
More regulation to come
• The Canadian OPC is currently conducting various research projects related to the IoT, including a study on intelligent vehicle technology that will look at the impact on privacy of the use of telematics by automobile manufacturers and insurers
• US Federal Trade Commission held a workshop in November 2013 dealing with the IoT and is still trying to figure out the best way of regulating it
• The European Commission has undertaken a number of research projects related to the IoT
• CASL technology provisions dealing with the installation of computer programs come into force January 15, 2015
Lisa K. Abe-Oldenburg, B.Comm., J.D.
Tel.: 416-777-7475
www.bennettjones.com
• This presentation contains statements of general principles and not legal opinions and should not be acted upon without first consulting a lawyer who will provide analysis and advice on a specific matter.