The Internet of Things and the Wired Life
Source: download.pli.edu/WebContent/pm/184790/pdf/3-30-17... (30/03/2017)

Page 1

Perkins Coie LLP

The Internet of Things and the Wired Life

PLI – March 30, 2017

Jim Snell, Perkins Coie LLP

Kandi Parsons, Zwillgen PLLC


Page 2

Agenda

IoT developments and how IoT is changing conventional practice

Current status of regulation

Current status of litigation

Best Practices

Page 3

IoT Devices

Page 4

IoT

Page 5

IoT

Page 6

Gartner on IoT Use

Source Gartner (February 2017), http://www.gartner.com/newsroom/id/3598917

In 2020, 20.4 Billion Connected “Things” Will Be In Use

Table 1: Internet of Things Units Installed Base by Category (millions of units)

Category                        2016       2017       2018       2020
Consumer                     3,963.0    5,244.3    7,036.3   12,863.0
Business: Cross-Industry     1,102.1    1,501.0    2,132.6    4,381.4
Business: Vertical-Specific  1,316.6    1,635.4    2,027.7    3,171.0
Grand Total                  6,381.8    8,380.6   11,196.6   20,415.4

Page 7

TRUSTe Business Impacts

Page 8

Is 2017 The Year IoT Jumped The Shark?

Actual headlines

“Agency Connects Tostitos Chips Bags To Flag Super Bowl Drinkers”

“Men can now test their sperm count using a smartphone app”

“University attacked by its own vending machines, smart light bulbs & 5,000 IoT devices”

“Wifi pillows and smart hairbrushes make CES a botnet dream”

Page 9

2017 The Year of IoT as a Legal Issue

Actual headlines

“When Your Neighbor’s Drone Pays an Unwelcome Visit” – N.Y. Times

“Don't look now but the LED light fixtures are spying on you ...” - Computerworld

“Self-Driving Cars Have a Privacy Problem” - The Atlantic

“Data from connected [] teddy bears leaked and ransomed, exposing kids' voice messages” – Troyhunt.com

Page 10

IoT – Are IoT Legal Issues Different Than Traditional Legal Issues?

International compliance

Working with counsel

Say what you are going to do and do it

Government access

Interoperability

Flattened manufacturing

Industrial IoT issues

Biometrics

Page 11

IoT Global Regulatory Interest

Global Privacy Enforcers Conduct “Sweep” of IoT Devices

59% of devices failed to adequately explain how data collected, used and disclosed

68% failed to properly explain how information stored

72% failed to explain how customers could delete their data off device

38% failed to include easy way to contact company with privacy concerns

Page 12

FTC Activity

• Ramirez: Ubiquitous data collection, unexpected uses, security risks

• There is no one-size-fits-all approach

• Focus on (1) security, (2) data minimization, and (3) notice and choice

• Security best practices

(1) Security By Design

(2) Personnel Policies

(3) Service Providers

(4) Defense-in-Depth

(5) Access Controls

(6) Monitoring

• IoT specific legislation premature, but general privacy legislation is needed

Page 13

FTC Enforcement

• In re TRENDnet (2013): FTC alleged that TRENDnet misrepresented that its cameras were secure

• Alleged that login credentials were unencrypted and that hackers tapped into feeds without login credentials and posted the hacked feeds on the Internet

• Consent decree (20 years) requires TRENDnet to implement a comprehensive security program, notify and support customers, and submit reports to the FTC on compliance with the decree

• In re ASUSTek (2016): FTC alleged that ASUSTek sold routers that misrepresented their ability to protect computers from unauthorized access, hacking, and virus attacks

• All alleged misrepresentation of security protocols and unfair security practices – did not implement security well and did not respond to breaches quickly enough

• Consent decree (20 years) requires ASUSTek to implement “a comprehensive security program” that addresses the security risks of ASUS’s devices and protects the privacy, security, and integrity of user data

Page 14

FTC v. Aura Labs, Inc., 8:16-CV-2147 (C.D. Cal. Dec. 2, 2016)

Factual Allegations

• Aura Labs marketed the Instant Blood Pressure app, which supposedly determined BP with mathematical algorithms and readings taken by placing a fingertip on a smartphone’s camera

• App instructed users to remove outer clothing, place a finger over the camera, and put the phone against the left side of their chest

• App claimed that it measured BP as accurately as traditional BP cuffs and served as a replacement

• Aura’s CEO left a 5-star review for the app

Claims

• Violation of FTC Act Section 5, which prohibits unfair or deceptive acts or practices

• Based on Aura Labs’ misrepresentation of the app’s ability to (1) replace traditional BP cuffs; (2) measure BP as accurately as traditional cuffs

Status

• Consent decree: cease representations about the comparative efficacy of the app

• Cease use of its deceptive endorsements

Page 15

FTC v. D-Link (N.D. Cal. Jan. 5, 2017)

Factual Allegations

• The FTC filed suit against D-Link, a manufacturer of computer networking equipment and connected devices, alleging that the company made deceptive claims about the security of its products and engaged in unfair practices that put consumers’ privacy at risk.

• D-Link allegedly headlined its routers as EASY TO SECURE and ADVANCED NETWORK SECURITY.

• But its routers were allegedly susceptible to easily preventable flaws like:

  • Hard-coded login credentials in its camera software (username: “guest”; password: “guest”)

  • A “command injection” software flaw that enables hackers to control routers

  • Making a private key used to sign into its software available on a public website for 6 months

  • Leaving users’ login credentials in D-Link’s app in clear, readable text

Page 16

FTC v. VIZIO, Inc. (D.N.J. Feb. 6, 2017)

Factual Allegations

• TVs captured second-by-second information about video displayed on the TV, regardless of source (cable, DVD, OTA, streaming, etc.)

• Appended such data with specific demographic information, such as sex, age, income, marital status, household size, and education level

• Information was sold to third parties for purposes including targeted advertising

• Tracking was built into a “Smart Interactivity” feature but not disclosed

Status:

• Stipulated order requiring VIZIO to (1) prominently disclose and obtain affirmative express consent; (2) prohibit misrepresentations about privacy, security, or confidentiality of information collected; (3) delete data collected before March 1, 2016; (4) implement comprehensive data privacy program with biennial assessments.

• $2.2 million payment to FTC and New Jersey Division of Consumer Affairs

Page 17

FTC “IoT Home Inspector Challenge”

FTC challenged the public to create a tool to protect consumers from security vulnerabilities in the software of home IoT devices.

Reward is $25,000 for the best solution, and $3,000 for honorable mentions.

Ideas can include physical devices, apps, cloud-based services, or a user interface.

Submission period: March 1, 2017 – May 22, 2017. Judges are a panel including professors and researchers.

Challenge is run under the FTC’s America COMPETES Act authority and is the first in the series to address IoT.

Page 18

Selected IoT Legislation

Federal

• IoT devices governed primarily by general and sector-specific laws (e.g., COPPA, HIPAA)

State

• IoT-specific laws (event recorders, drones, smart TVs); devices otherwise governed primarily by general and sector-specific laws (e.g., COPPA, HIPAA) and additional sector-specific law (Illinois Biometric Information Privacy Act)

International

• GDPR

Page 19

IoT Litigation

• As of last year, relatively little “IoT” litigation

• “Digital devices and media, ‘[w]ith all they contain and all they may reveal, ... hold for many Americans “the privacies of life.”’” State of Minnesota v. McMurray, 2015 WL 1085000, *10 (S. Ct. Minn. March 11, 2015) (citing Riley v. California, 134 S. Ct. 2473, 2494-95 (2014))

• “This trend will only accelerate as we enter the ‘internet of things’ in which hundreds of billions of objects will become digital devices.” Id.

Page 20

Cahen, et al. v. Toyota, Ford, GM, 15-1104 (N.D. Cal. 2015)

Factual Allegations

• GM, Toyota, and Ford manufactured cars with electronic safety control units

• Commands were transmitted unencrypted and unauthenticated

• Cars had wireless Bluetooth technology that can serve as hacker entry points

• Plaintiffs did not allege that cars had actually been hacked, only that such hacking was an “imminent eventuality”

• Cars also collect owner data (geographic location, driving history, vehicle performance), and share data with unsecured transmissions

Claims

• Unfair Competition and False Advertising Laws

• Breach of contract

• Invasion of privacy

Result: Dismissed for lack of injury. Appeal before 9th Circuit.

• No injury because Plaintiffs did not allege that any hacking actually occurred

• Similar to product liability cases where potential defects exist but the risk of future harm is unproven (e.g., car brakes could require more pressure to apply in low temperatures, but no proof that this actually occurred or that plaintiffs actually intended to drive in cold)

Page 21

Ross v. St. Jude Medical, Inc. et al., 2:16-cv-06465-DMG-E (C.D. Cal. Aug. 26, 2016)

Factual Allegations

• St. Jude Medical and its subsidiary manufacture pacemakers that can be adjusted with portable telemetry devices, ideally located in a patient’s home

• Pacemakers utilize radiofrequency (RF) wireless technology

• St. Jude brochure allegedly claimed that patient data was uploaded to a “safe and secure web-based data management system that is protected with industry-standard safety protocols”

• Equity research firm issued a report contending the pacemakers lacked certain safeties like particular encryption software, authentication, etc.

• Research firm also claimed it could cause a pacemaker to pace rapidly and drain the battery down to two weeks

Plaintiff

• Did not himself experience these attacks, and claimed that he stopped using portable telemetry devices

Claims

• Filed for breach of warranty based on security claims and other torts

Status

• Plaintiff voluntarily dismissed complaint, without prejudice, before Defendant filed an answer

Page 22

Satchell v. Sonic Notify, Inc. et al., 4:16-cv-04961-JSW (N.D. Cal. Aug. 29, 2016)

Factual Allegations

• Golden State Warriors partnered with an app developer to make a “beacon” app; “Beacon” allegedly determined the location of a phone by recording sound from nearby stadium towers, each of which emitted a unique sound

• TOS stated that app “uses the device’s microphone(s)”

Plaintiff

• Plaintiff alleged that the app turns on the microphone and continually listens to and records any audio within range

• Plaintiff alleged that unauthorized recording led to wear and tear on the phone, and diminished use and enjoyment of the phone

Claims

• Plaintiff claimed violations of the Electronic Communications Privacy Act (the wiretap provisions)

Status

• Defendants moved to dismiss for lack of standing, and on Iqbal/Twombly. The Court held that Plaintiff alleged enough facts for Article III standing by pleading that Defendant effectively converted the cell phone into a telephone “bug.”

• However, the Court granted the motion to dismiss, with leave to amend, because Plaintiff did not allege enough facts on how the sound recordings were “intercepted” by Defendants after they were recorded.

Page 23

N.P. v. Standard Innovation, 16-CV-08655 (N.D. Ill. Sept. 2, 2016)

Factual Allegations

• Defendant sells an adult device with an app that allows remote control over device settings and features

• SI allegedly collected data regarding use (date and time of use and device settings) without providing notice of collection or transmission of personal data

Claims

• Violation of Wiretap Act, Illinois Eavesdropping Act, and state law torts

Status

• The parties entered into mediation and reached a settlement; terms are unknown.

Page 24

Key Takeaways

Common Privacy Failures:

Unexpected data collection or use without meaningful notice and choice

Sharing with third parties like ad networks and data brokers

Unnecessary data collection and retention

Collecting, using, sharing, or securing data contrary to representations

Providing privacy choices that do not work as stated

Misrepresenting tracking practices or ability to opt out of tracking

Changing privacy practices with respect to previously collected information without opt-in consent

Page 25

Key Takeaways

Spotting privacy issues before they become privacy problems

Product development

Internal product testing

M&A

Incident management

Vendor management

Cloud providers

Page 26

Thank you!