The internet of things is here, but the rules to run it are not

The first murder through the internet of things will likely take place in 2014, police service Europol warned this month. The crime could be carried out by a pacemaker, an insulin dosage device, a hacked brake pedal or myriad others objects that control life-and-death functions and are now connected to the internet. In control of a malicious hacker, any of these devices could give “killer app” a whole new meaning.

“We’re used to having our computers networked, we’re not used to having everything networked …[But] we all know that any information system is hackable,” Kraig Baker, an attorney and technology expert, said at law firm Davis Wright Tremaine’s Download event in New York last week.

Murder, of course, is a dramatic example of how the internet of things could go awry — though the threat is real enough for former Vice-President Dick Cheney to have removed the WiFi from his pacemaker. And such an incident is just one example of the potential criminal and legal issues related to this new world of networked machines. To get an idea of what’s at stake, here are some examples of how technology is moving far out front of the law when it comes to the internet of things.

Sensors and the trouble with “wear your own device” day

Wearable computers, which let people connect their bodies to the internet, are a hot topic these days. Devices like the Fitbit or Google fitbit rashGlass or Apple’s iWatch, promise to let users collect an unprecedented stream of data about their health and the environment around them.

The presence of these data vacuums strapped to our bodies pose privacy risks, however, and not just to the people wearing them. For employers, the arrival of internet-clad employees presents major new headaches.

As attorney Sean Hoar noted at the law firm event, the era of wearables could make security concerns related to “bring your own device” policies look trivial in comparison. How, for instance, are executives in charge of IT or trade secrets supposed to safeguard information when even the clothes of their employees might act as sensors? And hushing up a secret meeting between two companies will be harden than ever as executives and their staff wear more items — bracelets, watches, garments and so on — that transmit their location.

Such accidental — or deliberate misuse of networked objects — is stoking concerns not just in companies, but government too (Gigaom will be exploring this topic in detail at Structure Connect this week with former White House deputy CTO Nicole Wong among others).

“It’s amazing the things we volunteer and that are being collected from us,” added Baker, who points to data security as one of three broad categories — in addition to product liability and intellectual property — under which we can begin to group legal issues related to the internet of things.

Objects behaving badly: who’s to blame?

Everyday objects connected to cameras and the internet bring unprecedented convenience to our home: think of Nest thermostats, remote pet monitors or iPhone-activated door locks. The flip-side is the unprecedented possibilities for invasion. And when an intrusion arrives, how will the law decide who is to blame?

Photo illustration by George Frey/Getty Images

Photo illustration by George Frey/Getty Images

Consider the man in New Jersey who objected to his neighbor’s drone flying overhead — and blew it away with a shotgun. The man was arrested, but some scholars have made the case that such actions could be justified under new concepts of privacy-based self-defense.

And drones are just the tip of the iceberg. There have already been scary stories of toddlers terrorized by hacked baby monitors (“wake up you little slut!”), while other newly-automated objects such as driverless cars pose hypothetical but very real safety dangers.

The big question is how to allocate liability when our machines start to act up. If one of Google’s automated cars crashes, is it the fault of the driver or Google? In the case of the baby monitor, does legal fault lie only with the hacker, or with the manufacturer too (and should the parents’ failure to password-protect the device change the outcome)?

While courts in the first part of the 20th century thrashed out many basic principles of product liability, those cases turned on topics like lead paint and snails in ginger beer. Those principles may not apply very well when everyday objects act on their own, and as part of a globally-connected network.

For now, the law doesn’t treat services like Apple’s iCloud or Snapchat as defective products — even when they unexpectedly harm people by exposing their private lives to the whole internet. In the future, judges may start asking if the concept of “privacy by design” should become a safety standard, and even require internet companies to adopt the same pre-cautions as auto makers or playground designers.

The bottom line is we’re just beginning to recognize the new legal issues related to the internet of things, and are a long way from writing rules for them.

You can see the full agenda for DWT’s Download, an annual event that brings lawyers together to explore a range of digital-era legal topics, here.