Internet of Things

22 November 2016

The Internet of Things (IoT) is the concept that everyday devices are connected to the internet and, through it, to each other.

The devices interact with each other and share information. Imagine a car that can ‘talk’ to your heater so that the house is warm when you arrive home, a refrigerator that automatically orders more butter when it senses you are running low, and a NutriBullet that conveniently sells itself on eBay because it has not been used enough to justify keeping it. Approximately 3.9 billion connected “things” were in use in 2014; by 2020 this is expected to grow to 25 billion, an average growth of about 35% per year.[1] While the technology holds great promise, there are significant concerns that the industry and the legal profession alike will need to address. A person’s or company’s network is no longer confined to the people it interacts with; it also extends to the devices they rely upon, sometimes daily, such as a coffee machine, photocopier or sprinkler system, and the information that can be obtained from those devices is immense. Accordingly, the risk of unsecured information and the elevated level of data sharing that occurs within an IoT sphere need to be recognised and managed. This article touches upon some of the privacy concerns, cyber risks and potential ramifications that will need to be evaluated as society embraces the IoT as a more convenient way of doing things.

Emerging risk – Privacy

Privacy laws in Australia seek to promote awareness of how personal information is collected and used. In a traditional business-to-consumer relationship this is not difficult. However, when you consider the huge volumes of information that are collected and shared between devices ‘talking’ to one another via the internet, the task becomes more complex. For example, entities in Australia that meet certain requirements must disclose how personal information is used and disclosed by the entity. ‘Personal information’ is defined as information or an opinion about an identified individual, or an individual who is reasonably identifiable.[2] While a location device in isolation may not generate personal information, over time, and combined with data collected by ‘talking’ to other devices, it may be used to identify the user and reveal personal details such as their residence, workplace, health, sexual orientation and other sensitive information. From a practical perspective, how does one notify a user of the way personal information is collected when we do not yet know what the aggregated data may reveal? Australian Privacy Principle 5.1 simply states that an entity must “take such steps (if any) as are reasonable in the circumstances” to notify users of how their personal information is collected and used. Currently, Australia’s privacy regime does not contemplate increments of data which together are capable of constituting personal or sensitive information.[3] Besides the failure to deal with increments of data, another issue is that once personal or sensitive information is collected it can be used for malicious, or at least non-legitimate, purposes. Indeed, opponents of the recent telecommunications legislation[4] that introduced mandatory data retention argued that the only sure way of stopping the data from falling into the wrong hands is not to collect it in the first place.[5]
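To make the aggregation point concrete, the following Python example (added for this page; it is not part of the original article, and the commuter’s coordinates and week of hourly pings are constructed) snaps individually coarse location pings to roughly 100 m grid cells and then asks which cell dominates overnight and during weekday office hours. No single ping names an address, but a week of them yields a home and a workplace.

```python
"""Re-identification from aggregated location data.

Added example for this article (not the authors' code). Every ping below is
constructed: one week of hourly samples for a hypothetical commuter, with a
small deterministic jitter so that no two raw coordinates are identical.
"""
from collections import Counter
from datetime import datetime, timedelta

# Grid resolution in degrees; 0.001 deg is roughly 100 m. A single ping at
# this resolution is coarse, which is the point: on its own it does not look
# like personal information.
CELL = 0.001


def to_cell(lat, lon):
    """Snap a coordinate to a coarse grid cell (rounded to the cell size)."""
    return (round(round(lat / CELL) * CELL, 3), round(round(lon / CELL) * CELL, 3))


def infer_anchor(pings, hours, weekdays_only=False, min_share=0.5):
    """Return the grid cell that dominates the given hour window, or None if
    the window is empty or no cell accounts for at least min_share of it."""
    window = [
        to_cell(lat, lon)
        for ts, lat, lon in pings
        if ts.hour in hours and (not weekdays_only or ts.weekday() < 5)
    ]
    if not window:
        return None
    cell, count = Counter(window).most_common(1)[0]
    return cell if count / len(window) >= min_share else None


def profile(pings):
    """The inferences the article warns about: where the device sits overnight
    is probably home; where it sits on weekday afternoons is probably work.
    Neither fact is present in any individual ping."""
    return {
        "home": infer_anchor(pings, hours=range(0, 6)),
        "work": infer_anchor(pings, hours=range(10, 16), weekdays_only=True),
    }


# Constructed coordinates for the hypothetical commuter (not real addresses).
HOME = (-33.8688, 151.2092)
WORK = (-33.8650, 151.2100)
OUT = [(-33.8700, 151.2000), (-33.8600, 151.2200)]


def constructed_week(start, home=HOME, work=WORK, out=OUT):
    """One week of hourly pings: office hours at work on weekdays, weekend
    evenings out, every other hour at home. Jitter of up to about 20 m keeps
    the raw coordinates from repeating exactly."""
    pings = []
    for h in range(7 * 24):
        ts = start + timedelta(hours=h)
        if ts.weekday() < 5 and 9 <= ts.hour < 17:
            lat, lon = work
        elif ts.weekday() >= 5 and 18 <= ts.hour < 21:
            lat, lon = out[h % len(out)]
        else:
            lat, lon = home
        jitter = ((h % 5) - 2) * 0.0001
        pings.append((ts, lat + jitter, lon - jitter))
    return pings


def demo():
    """Profile one constructed week starting on Monday 14 November 2016."""
    return profile(constructed_week(datetime(2016, 11, 14)))


if __name__ == "__main__":
    print(demo())  # {'home': (-33.869, 151.209), 'work': (-33.865, 151.21)}
```

The threshold in `infer_anchor` is the only safeguard against a false inference; in practice the same clustering is applied to far sparser data than hourly samples, which is why the article’s concern about ‘increments’ of data is well founded.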

It appears that Australia’s current privacy regime is not prepared for the IoT. Consider, for example, the extent to which the collection and use of data can be justified by some ‘legitimate business purpose’. What happens if an insurer wants to calculate premiums based on data collected from a vehicle? There is undoubtedly the potential for insurers to access this information and determine whether a customer is at higher risk of an accident because of longer hours of driving, particular routes taken or risky driving practices. Is this a legitimate business purpose or an invasive probe into one’s privacy? Uber recently posted a new privacy policy on its website prohibiting employees from accessing riders’ trip data except “for a legitimate set of business purposes”.[6] It is clear that the IoT raises difficult questions for our contemporary view of privacy, and that our current privacy regime is inadequate to deal with its rise.

Emerging risk – Cyber security

The IoT creates significant potential for damage as a result of external interference through the internet, because previously isolated devices are now exposed to potentially serious external cyber threats. For example, a hacker who gains control of a business’ connected building systems could manipulate the temperature of a staff kitchen appliance and start a fire. What happens if a hacker delivers a lethal dose of medication to a patient by taking control of a connected medical dispenser? What about a hacker overriding a self-driving car, locking the doors and driving it off a cliff? In 2015 Fiat Chrysler took this threat seriously and recalled 1.4 million vehicles after security researchers demonstrated that they could remotely take control of a vehicle’s systems while it was being driven.[7] The IoT means that each connected device becomes a possible entry point for a wrongdoer with a malicious purpose, and a compromised low-value device, such as a printer or thermostat, can serve as a foothold from which to reach the more valuable systems on the same network. This threat was acknowledged by the Kremlin, which purchased old-fashioned typewriters for Russia’s most sensitive government memos because it could not guarantee the security of information stored on electronic devices.[8]

Way forward

In light of the cyber and privacy issues surrounding the IoT, it is important that both business practices and the statutory regimes catch up. While data may be collected for a legitimate business purpose, the issue with privacy, much like defamation, is that once the harm has been done it cannot be undone. To mitigate these risks, data collected through the IoT should be subject to appropriate security controls, such as authentication of users and devices, encryption of data in transit and at rest, and access controls that limit who and what can read it. Additionally, manufacturers should consider privacy protections and security, including a means of delivering security updates to devices already in the field, from the design stage of any new IoT device and not later down the track.

The legal industry will need to be aware that, when advising clients on their corporate governance practices, data security and cyber security must be a key discussion point. As the U.S. case of Federal Trade Commission v Wyndham Worldwide Corporation[9] shows, in which the court upheld the FTC’s authority to pursue a company over data security practices it alleged were inadequate, there is potential for liability to develop for damage caused by inadequate or negligent cyber security measures. Directors may find that their duties extend to a requirement to put themselves in an informed position regarding cyber security and to continually monitor cyber security risks and policies. The Australian privacy regime currently requires that reasonable steps be taken to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.[10] Whether this is enough will depend on how industry addresses cyber security through appropriate industry standards, or whether a more interventionist approach is required that sees directors and companies personally liable for such breaches. Whatever the outcome, it is obvious that privacy and cyber security must quickly become (if they are not already) a key concern in any organisation’s risk management strategy.

This article was written by Tony Morgan, Partner and Rose Watts, Solicitor.


[1] Gartner, ‘Forecast: Internet of Things, endpoints and associated services, worldwide’, 20 October 2014, www.gartner.com.
[2] Section 6, Privacy Act 1988 (Cth).
[3] Renner-Hahn, B., ‘The Internet of Things and Australian Privacy Law’, Privacy Law Bulletin, July 2016, p 165.
[4] Telecommunications (Interception and Access) Amendment (Data Retention) Act 2015 (Cth).
[5] Swinson, M., ‘The rise of the machines – the “internet of things”’, Australian Media, Technology and Communications Law Bulletin, Vol. 2 No. 4, July 2015.
[6] Colt, S., ‘Uber: We won’t look at rider data except for “Legitimate Business Purposes”’, Business Insider Australia, 19 November 2014.
[7] ‘Fiat Chrysler recalls 1.4 million US vehicles to prevent hacking after researchers remotely “killed” cars’, ABC News, 25 July 2015.
[8] ‘Kremlin security agency to buy typewriters “to avoid leaks”’, BBC News, 12 July 2013.
[9] FTC v Wyndham Worldwide Corporation, 799 F.3d 236 (3rd Cir. 2015).
[10] Australian Privacy Principle 11.1, Schedule 1, Privacy Act 1988 (Cth).
