Time to decide on Internet of Things liability
This piece was written by Privacy International Mozilla Open Web Fellow Eireann Leverett.
We are at a very important decision point in internet history. Will we accept insecure and unsafe Internet of Things (IoT) devices that erode our privacy and open our home networks to intrusion from hackers? Or will we hold vendors accountable for their security and privacy decisions in the products they sell us?
Let’s step back for a moment, and remind ourselves that the world we inherited before the internet didn’t become safe by accident.
A brief history of product liability and consumer protection
The safety we take for granted today is hard won. Cars didn’t use to have airbags, or seat belts. Bakeries sometimes blew up due to combustion of particulate flour. Children choked on toys or electrocuted themselves in the early days of home electronics.
We owe that world we live to the often unsung heroes of safety like Dame Caroline Haslett, Ralph Nader, and Prof Harold Thimbleby. Dame Haslett, became one of the first female electrical engineers in Britain, and worked tirelessly to improve home electronics safety. Ralph Nader changed the face of crash testing forever with the book Unsafe at Any Speed. Prof. Thimbleby continues to this day working to make medical devices and computer human interaction between medical professionals and computers less prone to error. It took decades of focused treatment to make the world we live in and the products we use more save.
While we owe these past achievements to a number of regulatory mechanisms — from certification to insurance — perhaps the most important enduring change has been made through product liability.
If your dishwasher floods your house or catches fire and burns down your kitchen, the vendor is liable for their product. Each person who can demonstrate harm from the defective product, can receive compensation.
Product liability and software
This is in stark contrast to software products, where all liability is usually believed to be absolved by the End User Licence Agreement (EULA).
Article 12 of European Commission’s Product Liability Directive clearly states:
The liability of the producer arising from this Directive may not, in relation to the injured person, be limited or excluded by a provision limiting his liability or exempting him from liability.
By injured person, we also mean damage to property such as the flooding/fire caused by our hypothetical (but also metaphorical) dishwasher. So, if traditional liability cannot be excluded by a EULA, then why is software granted such freedom from liability in our society today?
The fact that consumer products are regulated through liability while software is not is puzzling. This issue becomes especially pressing in the emerging context of the Internet of Things. Does adding a sprinkle of internet and a dash of firmware into a dishwasher mean that that the manufacturer should be exempt from liability if their product catches fire or floods a room due? Should they still be liable for enabling hacking of these devices through poor security or privacy practices?
Clearly, traditional liability of products should remain intact, even if the device is managed by the internet of things. The EU is looking into exactly this, and it will have broad impacts on the security and privacy of devices.
The case of hacked devices
IoT liability is not merely about safety, but also about consumer privacy. IoT devices regularly stream data and metadata to the internet for processing. This process is called telemetry and is necessary to keep IoT devices working. Typically this telemetry streams from a device to the vendor for various reasons (data collection, processing, device improvement, and sometimes even security or privacy). Users usually don’t have access to this data, and do not know what their devices reveal about themselves or their family.
The specific issue we wish to highlight, is that the vendor can use this data for any purpose they wish, but an average consumer is hard pressed to access such data for any of their own forensic purposes and investigations. In a continuing hypothetical, the victim of a hacked dishwasher flooding a house would have trouble asking the vendor to provide the log files to demonstrate their own vulnerability. Similar legal and consumer access problems apply to robotics and automated vehicles.
The way forward
Without liability we risk unsafe devices that betray us with data flowing from our homes to strangers for their business use. If the device works as expected, then companies have nothing to hide. However, if they are found to be unsafe or privacy invasive, we have a stick with which to enforce our right to privacy in a meaningful way.
There are a host of Data Exploitation issues there that need further discussion and we hope to continue highlighting them in future blog posts.