Perkins Coie LLP
The Internet of Things and the Wired Life
PLI – March 30, 2017
Jim Snell, Perkins Coie LLP
Kandi Parsons, Zwillgen PLLC
Perkins Coie LLP | PerkinsCoie.com
Agenda
• IoT developments and how IoT is changing conventional practice
• Current status of regulation
• Current status of litigation
• Best Practices
IoT Devices
Gartner on IoT Use
Source: Gartner (February 2017), http://www.gartner.com/newsroom/id/3598917
In 2020, 20.4 Billion Connected “Things” Will Be In Use
Table 1: Internet of Things Units Installed Base by Category (millions of units)
Category                         2016      2017      2018      2020
Consumer                      3,963.0   5,244.3   7,036.3  12,863.0
Business: Cross-Industry      1,102.1   1,501.0   2,132.6   4,381.4
Business: Vertical-Specific   1,316.6   1,635.4   2,027.7   3,171.0
Grand Total                   6,381.8   8,380.6  11,196.6  20,415.4
TRUSTe Business Impacts
Is 2017 The Year IoT Jumped The Shark?
Actual headlines:
• “Agency Connects Tostitos Chips Bags To Flag Super Bowl Drinkers”
• “Men can now test their sperm count using a smartphone app”
• “University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices”
• “Wifi pillows and smart hairbrushes make CES a botnet dream”
2017 The Year of IoT as a Legal Issue
Actual headlines:
• “When Your Neighbor’s Drone Pays an Unwelcome Visit” – N.Y. Times
• “Don't look now but the LED light fixtures are spying on you ...” – Computerworld
• “Self-Driving Cars Have a Privacy Problem” – The Atlantic
• “Data from connected [] teddy bears leaked and ransomed, exposing kids' voice messages” – Troyhunt.com
IoT – Are IoT Legal Issues Different Than Traditional Legal Issues?
• International compliance
• Working with counsel
• Say what you are going to do, and do it
• Government access
• Interoperability
• Flattened manufacturing
• Industrial IoT issues
• Biometrics
IoT Global Regulatory Interest
Global Privacy Enforcers Conduct “Sweep” of IoT Devices
• 59% of devices failed to adequately explain how data is collected, used and disclosed
• 68% failed to properly explain how information is stored
• 72% failed to explain how customers could delete their data off the device
• 38% failed to include an easy way to contact the company with privacy concerns
FTC Activity
• Ramirez: Ubiquitous data collection, unexpected uses, security risks
• There is no one-size-fits-all approach
• Focus on (1) security, (2) data minimization, and (3) notice and choice
• Security best practices:
  (1) Security By Design
  (2) Personnel Policies
  (3) Service Providers
  (4) Defense-in-Depth
  (5) Access Controls
  (6) Monitoring
• IoT specific legislation premature, but general privacy legislation is needed
FTC Enforcement
• In re TRENDnet (2013): FTC alleged that TRENDnet misrepresented that its cameras were secure
  • Alleged that login credentials were unencrypted and that hackers tapped into feeds without login credentials and posted the hacked feeds on the Internet
  • Consent decree (20 years) requires TRENDnet to implement a comprehensive security program, notify and support customers, and submit reports to the FTC on compliance with the decree
• In re ASUSTek (2016): FTC alleged ASUSTek sold routers and misrepresented their ability to protect computers from unauthorized access, hacking, and virus attacks
  • All alleged misrepresentation of security protocols and unfair security practices – did not implement security well and did not respond to breaches quickly enough
  • Consent decree (20 years) requires ASUSTek to implement “a comprehensive security program” that addresses the security risks of ASUS’s devices and protects the privacy, security, and integrity of user data
FTC v. Aura Labs, Inc., 8:16-CV-2147 (C.D. Cal. Dec. 2, 2016)
Factual Allegations
• Aura Labs marketed the Instant Blood Pressure app – supposedly determined BP with mathematical algorithms and readings taken by placing a fingertip on a smartphone’s camera
• App instructed users to remove outer clothing, place a finger over the camera, and put the phone against the left side of their chest
• App claimed that it measured BP as accurately as traditional BP cuffs and served as a replacement
• Aura’s CEO left a 5-star review for the app
Claims
• Violation of FTC Act Section 5, which prohibits unfair or deceptive acts or practices
• Based on Aura Labs’ misrepresentation of the app’s ability to (1) replace traditional BP cuffs; (2) measure BP as accurately as traditional cuffs
Status
• Consent decree: cease representations about the comparative efficacy of the app
• Cease use of its deceptive endorsements
FTC v. D-Link (N.D. Cal. Jan. 5, 2017)
Factual Allegations
• The FTC filed suit against D-Link, a manufacturer of computer networking equipment and connected devices, alleging that the company made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.
• D-Link allegedly headlined its routers as EASY TO SECURE and ADVANCED NETWORK SECURITY.
• But its routers were allegedly susceptible to easily preventable flaws like:
  • Hard-coded login credentials in its camera software (username: “guest”; password: “guest”)
  • A “command injection” software flaw that enables hackers to control routers
  • Making a private key code used to sign into software available on a public website for 6 months
  • Leaving users’ login credentials on D-Link’s app in clear, readable text
FTC v. VIZIO, Inc., (D.N.J. Feb. 6, 2017)
Factual Allegations
• TVs captured second-by-second information about video displayed on the TV, regardless of source (cable, DVD, OTA, streaming, etc.)
• Appended such data with specific demographic information, such as sex, age, income, marital status, household size, and education level
• Information was sold to third parties for purposes including targeted advertising
• Tracking was built into a “Smart Interactivity” feature but not disclosed
Status
• Stipulated order requiring VIZIO to (1) prominently disclose and obtain affirmative express consent; (2) prohibit misrepresentations about privacy, security, or confidentiality of information collected; (3) delete data collected before March 1, 2016; (4) implement a comprehensive data privacy program with biennial assessments.
• $2.2 million payment to FTC and New Jersey Division of Consumer Affairs
FTC “IoT Home Inspector Challenge”
FTC challenged the public to create a tool to protect consumers from security vulnerabilities in the software of home IoT devices.
Reward is $25,000 for the best solution, and $3,000 for honorable mentions.
Ideas can include physical devices, apps or cloud-based services, or a user interface.
Submission period: March 1, 2017 – May 22, 2017. Judges are a panel including professors and researchers.
Challenge is part of the FTC’s prize competitions under the America COMPETES Act and the first in the series to address IoT.
Selected IoT Legislation
Federal
• IoT devices governed primarily by general and sector-specific laws (e.g., COPPA, HIPAA)
State
• IoT-specific laws (event recorders, drones, smart TVs); devices otherwise governed primarily by general and sector-specific laws (e.g., COPPA, HIPAA) and additional sector-specific law (Illinois Biometric Information Privacy Act)
International
• GDPR
IoT Litigation
• As of last year, relatively little “IoT” litigation
• “Digital devices and media, ‘[w]ith all they contain and all they may reveal, ... hold for many Americans “the privacies of life.”’” State of Minnesota v. McMurray, 2015 WL 1085000, at *10 (Minn. Mar. 11, 2015) (citing Riley v. California, 134 S. Ct. 2473, 2494-95 (2014))
• “This trend will only accelerate as we enter the ‘internet of things’ in which hundreds of billions of objects will become digital devices.” Id.
Cahen, et al. v. Toyota, Ford, GM, 15-1104 (N.D. Cal. 2015)
Factual Allegations
• GM, Toyota, and Ford manufactured cars with electronic safety control units
• Commands were transmitted unencrypted and unauthenticated
• Cars had wireless Bluetooth technology that can serve as hacker entry points
• Plaintiffs did not allege that cars had actually been hacked, only that such hacking was an “imminent eventuality”
• Cars also collect owner data (geographic location, driving history, vehicle performance), and share data over unsecured transmissions
Claims
• Unfair Competition and False Advertising Laws
• Breach of contract
• Invasion of privacy
Result: Dismissed for lack of injury. Appeal before 9th Circuit.
• No injury because Plaintiffs did not allege that any hacking actually occurred
• Similar to product liability cases where potential defects exist and unproven risk of future harm (e.g., car brakes could require more pressure to apply in low temperatures, but no proof that this actually occurred or that plaintiffs actually intended to drive in cold)
Ross v. St. Jude Medical, Inc. et al., 2:16-cv-06465-DMG-E (C.D. Cal. Aug. 26, 2016)
Factual Allegations
• St. Jude Medical and its subsidiary manufacture pacemakers that can be adjusted with portable telemetry devices, ideally located in a patient’s home
• Pacemakers utilize radiofrequency (RF) wireless technology
• St. Jude brochure allegedly claimed that patient data was uploaded to a “safe and secure web-based data management system that is protected with industry-standard safety protocols”
• Equity research firm issued a report contending pacemakers lacked certain safeties like particular encryption software, authentication, etc.
• Research firm could also cause the pacemaker to pace rapidly and drain the battery down to two weeks
Plaintiff
• Did not himself experience these attacks, and claimed that he stopped using portable telemetry devices
Claims
• Filed for breach of warranty based on security claims and other torts
Status
• Plaintiff voluntarily dismissed the complaint, without prejudice, before Defendant filed an answer
Satchell v. Sonic Notify, Inc. et al., 4:16-cv-04961-JSW (N.D. Cal. Aug. 29, 2016)
Factual Allegations
• Golden State Warriors partnered with an app developer to make a “beacon” app, and “Beacon” allegedly determined the location of a phone by recording sound from nearby stadium towers, each of which emitted a unique sound
• TOS stated that the app “uses the device’s microphone(s)”
Plaintiff
• Plaintiff alleged that the app turns on the microphone and continually listens to and records any audio within range
• Plaintiff alleged that unauthorized recording led to wear and tear on the phone, and diminished use and enjoyment of the phone
Claims
• Plaintiff claimed violations of the Electronic Communications Privacy Act (the wiretap provisions)
Status
• Defendants moved to dismiss for lack of standing, and on Iqbal/Twombly. The Court held that Plaintiff alleged enough facts for Article III standing by pleading that Defendant effectively converted the cell phone into a telephone “bug.”
• However, the Court granted the motion to dismiss, with leave to amend, because Plaintiff did not allege enough facts on how the sound recordings were “intercepted” by Defendants after they were recorded.
N.P. v. Standard Innovation, 16-CV-08655 (N.D. Ill. Sept. 2, 2016)
Factual Allegations
• Defendant sells an adult device with an app that allows remote control over device settings and features
• SI allegedly collected data regarding use – date and time of use and device settings – without providing notice of collection or transmission of personal data
Claims
• Violation of Wiretap Act, Illinois Eavesdropping Act, and state law torts
Status
• The parties entered into mediation and reached a settlement; terms are unknown.
Key Takeaways
Common Privacy Failures:
• Unexpected data collection or use without meaningful notice and choice
• Sharing with third parties like ad networks and data brokers
• Unnecessary data collection and retention
• Collecting, using, sharing, or securing data contrary to representations
• Providing privacy choices that do not work as stated
• Misrepresenting tracking practices or ability to opt out of tracking
• Changing privacy practices with respect to previously collected information without opt-in consent
Key Takeaways
Spotting privacy issues before they become privacy problems:
• Product development
• Internal product testing
• M&A
• Incident management
• Vendor management
• Cloud providers
Thank you!