ITP Techblog

The "Internet of Things" is growing at an exponential pace as more and more devices are connected to networks. The market has been estimated to be worth US$11 trillion per annum by 2025. While there are plenty of opportunities for New Zealand business, there are a number of legal issues that will need to be carefully thought through - by both providers and users of the "things". 

The key issues are likely to be privacy and security. Connected devices are designed to watch and to talk (to each other, to the device provider and also perhaps to a human user) and their value will often largely derive from the information they collect and share. While the collection of information by these devices may make the user's life easier or better, there are potential drawbacks. First, users will have to be alert to how the information could be used and disclosed to avoid the information being used for purposes the user isn't comfortable with (eg information about what's in your fridge being provided to your health insurer). Secondly, a security breach could cause a user significant problems (eg criminals accessing your credit card details through your fridge/toaster/bed or your wearable technology that tells them nobody is home).

What the device provider is allowed to do with information collected can and should be addressed in the terms and conditions/privacy policies applying to the device. In basic terms, information collected should be used only for the purpose for which it was collected. This may seem obvious but in practice may be complex, particularly when (1) many individuals interact with the same device (eg a fridge), (2) data from multiple devices is aggregated, and (3) there are issues of consent to be worked through - who reads all the fine print on their smart phone, let alone when they plug in a new fridge? Exclusive market control of the information collected by these observant devices may also give rise to competition law issues.

Security issues could also be addressed by regulation (including sanctions for security-related lapses) and/or by contractual requirements on providers (built into their terms) requiring them to maintain security to particular standards. But there is currently no significant specific regulation of the market. Furthermore, if you don't replace your fridge for 5 to 10 years, will the fridge software be kept up to date and secure from intrusions? It may well be difficult to apply updates and patches which may mean that users have to upgrade or replace devices or appliances more regularly than they might otherwise do to ensure that they stay secure. Will a TV manufacturer have to replace your TV if there is a security hack that can't be fixed remotely?

A good start might be common industry technical standards that limit the information collected and to whom it is passed and that provide for the minimum security standards consumers can expect from certain types of connected devices. Some commentators have also suggested the use of data custodians - independent parties appointed to supervise the storage and management of data, and to control its access, release and use. 

Finally, users and providers will both need to think carefully about what happens if the connected devices are broken or simply don't work as intended. If a device provides false information, it may still be relied on and very rarely questioned. Or a user may assume the connected device is looking after something and may not realise the device is broken until it's too late to avoid loss. It's not hard to think of scenarios where significant loss could arise - e.g. health devices that don't indicate a problem which requires a doctor's intervention or sensors used in agricultural processes that report faulty data leading to significant harm to crops. These sorts of liability issues are of course not new but the scenarios in which they might emerge will be. Most commercial customers will be used to thinking carefully about how loss might arise from use of a product and who should bear that loss. Consumers, on the other hand, may not be so accustomed to making these assessments - at least not when they are buying a home appliance.

Amy Ryburn is a partner in Buddle Findlay's ICT practice. She really loves her job. When Amy's not at work, she can generally be found hanging out with her husband and trying to keep up with her three small children.