We have all heard about smart homes and the nirvana they may create. But we hear little about the risks, exposure and liability smart homes may pose. These risks stem from the fact that the standards governing smart home devices and the Internet of Things (IoT) simply don’t yet exist. And to the extent any do, they are not necessarily consistent and the law is not well developed. Nor has it addressed many of the issues raised by the new technologies. So we have a bunch of new devices that are popular, that carry some risks with few standards or laws governing them. Sound like a recipe for litigation?
What Are Smart Homes?
When we talk about smart homes we are really talking about the IoT. The IoT is composed of small and inexpensive but everyday devices like thermostats that collect and share data via wireless connections or Bluetooth with people or with other devices. These connections can automate certain things. So a sensor in the garage door you open when you come home might tell another sensor in your house to turn on the lights and thermostat sensor to change the temperature in the house. (Here’s a link to video from Apple demonstrating a smart home).
When we talk about a smart home, we are really talking about a home equipped with a network of connected products that can control, automate and optimize functions such as lights, electrical outlets, thermostats, windows, fans, locks, doorbells, appliances, vacuum cleaners, lawnmowers, curtains, pet feeders among others. Not to mention related devices and apps like Amazon’s Alexa, Apple’s Siri, and google voice. The list is growing everyday.
There are three reasons this is happening now: smaller devices, reduced costs, and market opportunity. Right now, there are some 6.4 to 13 billion IoT devices in use depending on whose guessing. Last year, IoT devices generated some $19 trillion in profits; by 2020 its estimated to be 50 trillion.
And there will be more and more of these in homes. Even today 2/3 of consumers say they want a connected home. Its estimated that within 3 years some 43% of homeowners will actually have numerous connected devices in their homes
And we also have more data being generated by these devices and the potential for greater analytics of that data to tell more things. And with cloud computing there is much more opportunity to aggregate and massage this data.
So, developers want to develop, makers want to sell and companies want to collect, manipulate and even sell all this data. They are all driven to get to market first and capture customers, not security and safety. And therein lies part of the problem.
Risks and Questions
Despite the popularity of IoT devices and smart homes, there are risks associated with these devices that will ultimately lead to exposure and litigation. Some are presented by the hardware, some are presented by the software that runs the hardware, and some are presented by the massive amounts of data generated and collected. Here are some sobering statistics about the IoT in general courtesy of a recent study called The Internet of Hackable Things from researchers at the Technical University of Denmark, Denmark; Orebro University, Sweden; and Innopolis University, Russian Federation (the information was compiled from industry and academic research reports):
- 90% of devices collected at least some information via the device
- 80% of devices, and their cloud and mobile components, required no password or the passwords that were required were not complex enough
- 70% of devices and their cloud and mobile components enabled an attacker to identify valid user accounts through enumeration
- 70% of devices used unencrypted network services
- 6 out of 10 devices that provided user interfaces were vulnerable to a range of weaknesses, such as persistent XSS1 and weak credentials
So what’s driving these risks?
First, there are no real consensus standards governing design, manufacture or performance of these devices. UL and other bodies are just beginning to look at these issues.
Second, to the extent there are laws and regulations, they are being enacted by all sorts of different agencies, leaving a hodge-podge and no clear regulatory or legal direction.
Third, very few cases outline the liability associated with IoT devices and smart homes and how judges and juries may treat liability questions.
Fourth, some of the device are poorly designed and made. The useful life of the device is not communicated and may not even be known by the manufacturer. And there is also little independent product assessment.
Fifth, some devices are being designed and made without considering the risks of the devices being exploited or in common parlance hacked. So, for example, you get baby monitors being hijacked and strangers talking to babies thru the monitors. You get TVs being hacked and held ransom.
Finally, often there is no commitment by the developer to patch and update the software. Think about how often you must update the software of your laptops, tablets and smart phones. These updates provide security from vulnerabilities and problems that are discovered. (As an aside, if you don’t promptly download these upgrades, please do so. They really do protect you). With some devices, we don’t know how and how often updates are planned and under what circumstances.
We may not know how long the company plans to support a product with software security upgrades. We don’t know what a consumer has to do to get upgrades or how to receive them.
Another risk stems from the fact that data from all these devices may be collected and stored someplace else with unknown quality and security controls. So you not only have more data being collected and kept than homeowners ever dreamed- data owned not by the homeowner but by someone else–but you know little about who has it and what they might do with it. And some of this data could be of pretty sensitive stuff. And informed consent as to what can be done with the data is a big issue. We are all used to seeing and agreeing to consent forms for applications (the way these are done begs whether the consent is truly informed) but how do you provide and get consent for devices that may not have a screen.
How do you provide and get consent for devices that may not have a screen?
And finally, as with any unregulated and untested device, there could be lots of potential failure modes that exist for a long time with results ranging from mere annoyance to catastrophic.
What are potential claims and exposure?
Clearly, there could be claims for data breach or privacy violations. While at this point there is a split in jurisdictions whether this loss is something a plaintiff can recover, the trend is for courts to say that privacy has monetary value and you can sue when its lost.
And the FTC has jurisdiction to investigate and penalize unfair and deceptive business acts and believes strongly that inadequate cyber security protections and practices is such an act. It has brought enforcement cases against manufacturers of IoT products used in homes, such as cameras and routers, alleging that they were not adequately secure from data breach.
It’s also, brought proceedings against hospitals, doctors office building owners and businesses in general for not having procedures to protect security. The penalties can be significant.
But biggest concern is what happens if there is a failure-either of hardware or the software and there is a loss. What is the exposure if and when this happens. Certainly, if an IoT product is installed incorrectly or fails, the liability for that is like that of any other product—a roof or HVAC system for example.
But what if the failure results from faulty or unpatched software? There is not much law yet. Is software legally like a product? Is it more like a service? We don’t know. And what if failure occurs because the software was not upgraded or patched and the software developer is long gone? We don’t know: software is not like a product like a part in a HVAC system where if something goes bad and the manufacturer is gone there are still other parts providers.
The few cases that have dealt with these situations turned on what representations were made about the product and software and its capabilities
The few cases that have dealt with these situations turned on what representations were made about the product and software and its capabilities; what representations were made about its security and what disclosures or lack of disclosures were made about the potential risks.
So just with lots of other technologies, the is a gap between the law and new issues created by the technology; another one of many such gaps we face.