The sex police are out there on the streets
Make sure the pass laws are not broken
Undercover (of the Night), The Rolling Stones
So, now we know that browsing porn in “incognito” mode doesn’t prevent those sites from leaking your dirty data courtesy of the friendly folks at Google and Facebook. 93 per cent of porn sites leak user data to a third party. Of these, Google tracks about 74 per cent of the analyzed porn sites, while Oracle tracks nearly 24 per cent sites and Facebook tracks nearly 10 per cent porn sites. Yet, despite such stats, 30 per cent of all internet traffic still relates to porn sites.
The hacker who perpetrated the enormous Capital One data beach outed herself by oversharing on GitHub. Had she been able to keep her trap shut, we’d probably still not know that she was in our wallets. Did she want to get caught, or was she simply unashamed of having stolen a Queen’s ransom worth of financial data?
Many have lamented that shame (along with irony, truth and proper grammar) is dead. I disagree. I think that shame has been on the outward leg of a boomerang trajectory fueled by technology and is accelerating on the return trip to whack us noobs in the back of our unsuspecting heads.
Technology has allowed us to do all sorts of stuff privately that we used to have to muster the gumption to do in public. Buying Penthouse the old-fashioned way meant you had to brave the drugstore cashier, who could turn out to be a cheerleader at your high school or your Mom’s PTA friend. Buying the Biggie Bag at Wendy’s meant enduring the disapproving stares of vegans buying salads and diet iced tea. Let’s not even talk about ED medication or baldness cures.
All your petty vices and vanity purchases can now be indulged in the sanctity of your bedroom. Or so you thought. There is no free lunch, naked or otherwise, we are coming to find. How will society respond?
Country music advises us to dance like no one is watching and to love like we’ll never get hurt. When we are alone, we can act closer to our baser instincts. This is why privacy is protective of creativity and subversive behaviors, and why in societies without privacy, people’s behavior regresses toward the most socially acceptable responses. As my partner Ted Claypoole wrote in Privacy in the Age of Big Data,
“We all behave differently when we know we are being watched and listened to, and the resulting change in behavior is simply a loss of freedom – the freedom to behave in a private and comfortable fashion; the freedom to allow the less socially -careful branches of our personalities to flower. Loss of privacy reduces the spectrum of choices we can make about the most important aspects of our lives.
By providing a broader range of choices, and by freeing our choices from immediate review and censure from society, privacy enables us to be creative and to make decisions about ourselves that are outside the mainstream. Privacy grants us the room to be as creative and thought-provoking as we want to be. British scholar and law dean Timothy Macklem succinctly argues that the “isolating shield of privacy enables people to develop and exchange ideas, or to foster and share activities, that the presence or even awareness of other people might stifle. For better and for worse, then, privacy is a sponsor and guardian to the creative and the subversive.”
For the past two decades we have let down our guard, exercising our most subversive and embarrassing expressions of id in what we thought was a private space. Now we see that such privacy was likely an illusion, and we feel as if we’ve been somehow gas lighted into showing our noteworthy bad behavior in the disapproving public square.
Exposure of the Ashley Madison affair-seeking population should have taught us this lesson, but it seems that each generation needs to learn in its own way.
The nerds will, inevitably, figure out how to continue to work and play largely unobserved. But what of the rest of us? Will the pincer attack of the advancing surveillance state and the denizens of the Dark Web bring shame back as a countervailing force to govern our behavior? Will the next decade be marked as the New Puritanism?
Dwight Lyman Moody, a predominant 19th century evangelist, author, and publisher, famously said, “Character is what you are in the dark.” Through the night vision goggles of technology, more and more of your neighbors can see who you really are and there are very few of us who can bear that kind of scrutiny. Maybe Mick Jagger had it right all the way back in 1983, when he advised “Curl up baby/Keep it all out of sight.” Undercover of the night indeed.
This week, the Federal Trade Commission (FTC) entered into a proposed settlement with Unrollme Inc. (“Unrollme”), a free personal email management service that offers to assist consumers in managing the flood of subscription emails in their inboxes. The FTC alleged that Unrollme made certain deceptive statements to consumers, who may have had privacy concerns, to persuade them to grant the company access to their email accounts. (In re Unrolllme Inc., File No 172 3139 (FTC proposed settlement announced Aug. 8, 2019).
This settlement touches many relevant issues, including the delicate nature of online providers’ privacy practices relating to consumer data collection, the importance for consumers to comprehend the extent of data collection when signing up for and consenting to a new online service or app, and the need for downstream recipients of anonymized market data to understand how such data is collected and processed. (See also our prior post covering an enforcement action involving user geolocation data collected from a mobile weather app).
A quick glance at headlines announcing the settlement might give the impression that the FTC found Unrollme’s entire business model unlawful or deceptive, but that is not the case. As described below, the settlement involved only a subset of consumers who received allegedly deceptive emails to coax them into granting access to their email accounts. The model of providing free products or services in exchange for permission to collect user information for data-driven advertising or ancillary market research remains widespread, though could face some changes when California’s CCPA consumer choice options become effective or in the event Congress passes a comprehensive data privacy law.
As part of the Unrollme registration process, users grant Unrollme access to selected personal email accounts for decluttering purposes. However, this permission also allows Unrollme to access and scan inboxes for so-called “e-receipts” or emailed receipts from e-commerce transactions. After scanning users’ e-receipt data (which might include billing and shipping addresses and information about the purchased products or services), Unrollme’s parent company, Slice Technologies, Inc., would anonymize the data and package it into market research reports that are sold to various companies, retailers and others. According to the FTC complaint, when some consumers declined to grant permission to their email accounts during signup, Unrollme, during the relevant time period, tried to make them reconsider by sending allegedly deceptive statements about its access (e.g, “You need to authorize us to access your emails. Don’t worry, this is just to watch for those pesky newsletters, we’ll never touch your personal stuff”). The FTC claimed that such messages did not tell users that access to their inboxes would also be used to collect e-receipts and to package that data for sale to outside companies, and that thousands of consumers changed their minds and signed up for Unrollme.
As part of the settlement, Unrollme is prohibited from misrepresentations about the extent to which it accesses, collects, uses, stores or shares information in connection with its email management products. Unrollme must also send an email to all current users who enrolled in Unrollme after seeing the allegedly deceptive statements and explain Unrollme’s data collection and usage practices. Unrollme is also required to delete all e-receipt data obtained from recipients who enrolled in Unrollme after seeing the challenged statements (unless Unrollme receives affirmative consent to maintain such data from the affected consumers).
In an effort at increased transparency, Unrollme’s current home page displays several links to detailed explanations of how the service collects and analyzes user data (e.g., “How we use data”).
Interestingly, this is not the first time Unrollme’s practices have been challenged, as the company faced a privacy suit over its data mining practices last year. (See Cooper v. Slice Technologies, Inc., No. 17-7102 (S.D.N.Y. June 6, 2018) (dismissing a privacy suit that claimed that Unrollme did not adequately disclose to consumers the extent of its data mining practices, and finding that consumers consented to a privacy policy that expressly allowed such data collection to build market research products and services).
Well, no one can say that he did not get his day in Court.
Plaintiff Ewing, a serial TCPA litigator who filed yet another case assigned to Judge Battaglia, narrowly escaped dismissal of all his claims, and was permitted leave to amend for a second time. SeeStark v. Stall, Case No. 19-CV-00366-AJB-NLS, 2019 U.S. Dist. LEXIS 132814 (S.D. Cal. Aug. 7, 2019). But in the process, the Judge called attention to the Plaintiff’s unprofessional conduct in an earlier case, ruled that he failed to name a necessary party, and found that he inadequately plead the existence of an agency relationship between the defendant and the necessary party that he had failed to join in the lawsuit.
At the outset, the court dismissed the claim brought by co-plaintiff Stark, as the Complaint contained no allegations that any wrongful telephone calls were placed to that particular individual.
In 2015, Ewing had already been put on notice of the local rules of professionalism and their applicability to him, despite his status as a pro se litigator. Thus, the Court easily granted defendant’s motion to strike Plaintiff’s allegations to the effect that defendant had made a “derogatory remark” simply by pointing out that he was designated as a vexatious litigator.
The two most important pieces of the case for TCPAWorld are the Court’s rulings about Plaintiff’s failure to join a necessary defendant and his insufficient allegations to establish vicarious liability.
Plaintiff had failed to name as a defendant the entity (US Global) that allegedly made the calls to him. The court determined that this company is a necessary party that must be added in order for the court to afford complete relief among the parties. We often see situations where only a caller but not a seller, creditor, employer, franchisor, etc. are named, or vice versa, so it is encouraging to see courts strictly enforce Federal Rule 15 in the TCPA context.
The court further held that the relationship between Defendant and US Global was not such that Defendant could be held liable for violations of the TCPA that were committed by US Global. While Plaintiff made unsubstantiated allegations that an agency relationship existed, the Court treated these as merely legal conclusions and granted dismissal based on insufficient allegations of facts to establish a plausible claim that there is a common-law agency relationship between Defendant and US Global. Simply stated, the bare allegation that Defendant had the ability to control some aspects of the caller’s activity was insufficient to establish control for purposes of TCPA vicarious liability principles.
Plaintiff’s amended pleading is due on August 31—anticipating another round of motion practice, we will track any further developments in this case.
Hyperconnectivity is a real phenomenon and it is changing the concerns of society because of the kinds of interactions that can be brought about by IoT devices, which could be: i) People to people; ii) People to things (objects, machines); iii) Things/machines to things/machines.
It gives rise to different issues for people. According to a European Survey, 72% of EU Internet users worry that too much of their personal data is being shared online and that they have little control over what happens to this information[1]. It gives rise to inevitable ethical issues and its relationship with the techno environment.
The discussion on ethics that follows aims to provide a quick tour on general ethical principles and theories that are available as they may apply to IoT[2]. Law and ethics are overlapping, but ethics goes beyond law. Thus, a comparison of law and ethics is made and their differences are pointed out in the great work of Spyros G Tzafestas, who wrote Ethics and Law in the Internet of Things World. In this article, he considers that the risks and harms in a digital world are very high and complex, especially explaining those tech terms and their impact in our private life. Thus, it is of primary importance to review IoT and understand the limitations of protective legal, regulatory and ethical frameworks, in order to provide sound recommendations for maximizing good and minimizing harm[3].
Major data security concerns have also been raised with respect to ‘cloud’-supported IoT. Cloud computing (‘the cloud’) essentially consists of the concentration of resources, e.g. hardware and software, into a few physical locations by a cloud service provider (e.g. Amazon Web Service)[4]. We are living in a data-sharing storm and the economic impact of IoT’s cyber risks is increasing with the integration of digital infrastructure in the digital economy[5]. We are surrounded by devices which contain our data, for instance:
Wearable health technologies: wearable devices that continuously monitor the health status of a patient or gather real-world information about the patient such as heart rate, blood pressure, fever;
Wearable textile technologies: clothes that can change their color on demand or based on the biological condition of the wearer or according to the wearer’s emotions;
As a result of the serious impact IoT may have and because it involves a huge number of connected devices, it creates a new social, political, economic, and ethical landscape. Therefore, for a sustainable development of IoT, political and economic decision-making bodies have to develop proper regulations in order to be able to control the fair use of IoT in society.
In this sense, the most developed regions as regards establishing IoT Regulations and an ethical framework are the European Union and the United States both of which have enacted:
Legislation/regulations.
Ethics principles, rules and codes.
Standards/guidelines;
Contractual arrangements;
Regulations for the devices connected;
Regulations for the networks and their security; and
Regulations for the data associated with the devices.
In light of this, the next section will deal with Data Protection Regulations, Consumer Protection Acts, IoT and Cyber Risks Laws, Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment related with 2020 scenario, which is: 200 billion sensor devices and market size that, by 2025, will be between $2.7 trillion and $3 trillion a year.
Europe
The Alliance for Internet of Things Innovation (AIOTI) was initiated by the European Commission in order to open a stream of dialogue between European stakeholders within the Internet of Things (IoT) market. The overall goal of this initiative was the creation of a dynamic European IoT ecosystem to unleash the potential of IoT.
In October 2015, the Alliance published 12 reports covering IoT policy and standards issues. It provided detailed recommendations for future collaborations in the Internet of Things Focus Area of the 2016-2017 Horizon 2020 programme[7].
The IoT regulation framework in Europe is a growth sector:
EU Directive-2013/40: this Directive deals with “Cybercrime” (i.e., attacks against information systems). It provides definitions of criminal offences and sets proper sanctions for attacks against information systems[8].
EU NIS Directive 2016/1148: this Network and Information Security (NIS) Directive concerns “Cybersecurity” issues. Its aim is to provide legal measures to assure a common overall level of cybersecurity (network/information security) in the EU, and an enhanced coordination degree among EU Members[9].
EU Directive 2014/53: this Directive “On the harmonization of the laws of the member states relating to the marketing of radio equipment”[10] is concerned with the standardization issue which is important for the joint and harmonized development of technology in the EU.
EU GDPR: European General Data Protection Regulation 2016/679: this regulation concerns privacy, ownership, and data protection and replaces EU DPR-2012. It provides a single set of rules directly applicable in the EU member states.
EU Connected Communities Initiative: this initiative concerns the IoT development infrastructure, and aims to collect information from the market about existing public and private connectivity projects that seek to provide high-speed broadband (more than 30 Mbps).
United States
A quick overview of the general US legislation that protects civil rights (employment, housing, privacy, information, data, etc.) includes:
Fair Housing Act (1968);
Fair Credit Reporting Act (1970);
Electronic Communication Privacy Act (1986), which is applied to service providers that transmit data, the Privacy Act 1974 which is based on the Fair Information Practice Principle (FIPP) Guidelines;
Breach Notification Rule which requires companies utilizing health data to notify consumers that are affected by the occurrence of any data breach; and
IoT Cybersecurity Improvement Act 2019: the Bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
SB-327 Information privacy: connected devices: California’s new SB 327 law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”
The above legislation is general, and in principle can cover IoT activities, although it was not designed with IoT in mind. Legislation devoted particularly to IoT includes the following:
White House Initiative 2012: the purpose of this initiative is to specify a framework for protecting the privacy of the consumer in a networked work.
This initiative involves a report on a ‘Consumer Bill of Rights” which is based on the so-called “Fair Information Practice Principles” (FIPP). This includes two principles:
Respect for Context Principle: consumers have a right to insist that the collection, use, and disclosure of personal data by Companies is done in ways that are compatible with the context in which consumers provide the data;
Individual Control Principle: consumers have a right to exert control over the personal data companies collect from them or how they use it.
China
Where we start to see the most advanced picture is in China. In 2017, the Ministry of Industry and Information Technology (MIIT), China’s telecom regulator and industrial policy maker, issued the Circular on Comprehensively Advancing the Construction and Development of Mobile Internet of Things (NB-IoT) (MIIT Circular [2017] No. 351, the “Circular”), with the following approach in the opening provisions:
Building a wide-coverage, large-connect, low-power mobile Internet of Things (NB-IoT) infrastructure and developing applications based on NB-IoT technology will help promote the construction of network powers and manufacturing powers, and promote “mass entrepreneurship, innovation” and “Internet +” development. In order to further strengthen the IoT application infrastructure, promote the deployment of NB-IoT networks and expand industry applications, and accelerate the innovation and development of NB-IoT[11]
Nowadays China already has a huge packet of regulation on technological matters:
2015 State Council – China Computer Information System Security Protection Regulation (first in 1994);
2007 MPS – Management Method for Information Security Protection for Classified Levels;
2001 NPC Standing Committee – Resolution about Protection of Internet Security;
2012 NPC Standing Committee – Resolution about Enhance Network Information Protection;
July 2015: National Security Law – ‘secure and controllable’ systems and data security in critical infrastructure and key areas;
2014 MIIT – Guidance on Enhance Telecom and Internet Security;
2013 MIIT – Regulation about Telecom and Internet Personal Information Protection
2014 China Banking Regulatory Commission – Guidance for Applying Secure and Controllable Information;
Technology to Enhance Banking Industry Cybersecurity and Informatization Development
Further, as if this were not enough, the Chinese government is being proactive and has several important laws and regulations in the Pipeline, as it can be seen from the list below:
CAC: Administrative Measures on Internet Information Services;
CAC Rules on Security Protection for Critical Information Infrastructure;
Cybersecurity Law;
Cyber Sovereignty;
Security of Product and Service;
Security of Network Operation (Classified Levels Protection, Critical Infrastructure);
Data Security (Category, Personal Information);
Information Security.
Finally, China established, in 2016, the National Information Security Standardization Technical Committee and its current work is developing a Standardization – TC260 (IT Security) on Technical requirement for Industrial network protocol and general reference model and requirements for Machine-to-Machine (M2M) security.
Latin America
The Latin American countries have different levels of development and this sets up a huge asymmetry between the domestic legal frameworks. The following is a quick regulation overview on Latin American countries:
Brazil has the “National IoT Plan” (Decree N. 9.854/2019) that aims to ensure the development of public policies for this technology sector and members of Brazilian parliament presented the bill No. 7.656/17 with the purpose of eliminating tax charges on IoT products;
Colombia has a Draft of Law No. 152/2018 on the Modernization of the Information and Communication providing investments incentives to IT Techs (article 3);
Chile has a new Draft Law Boletín N° 12.192-25/2018 on Cyber crimes and regulation on internet devices and hackers attacks;
In 2017, Argentina launched a Public Consultation on IoT regarding regulations that must be updated and how to get more security and improve the technological level of the country[12].
Most Promising Smart Environments
Smart environments are regarded as the space within which IoT devices interact connected through a continuous network. Thus, smart environments aim to satisfy the experience of individuals from every environment, by replacing the hazardous work, physical labor and repetitive tasks with automated agents. Generally speaking, sensors are the basis of these kind of smart devices with many different applications e.g. Smart Parking, Waste Management, Smart Roads and Traffic Congestion, Air Pollution, River Floods, M2M Applications, Vehicle auto-diagnosis, Smart Farming, Energy and Water Uses, Medical and Health Smart applications, etc[13].
Another way of looking at smart environments and assess their relative capacity to produce business opportunities is to identify and examine the most important IoT use cases that are either already being exploited or will be fully exploited by 2020.
For the purposes of this article, the approach was restricted to sectors consisting of the most promising smart environments to be developed up to 2020 in the European Market as displayed in the Chart below:
Vertical IoT Market Size in Europe
The conclusions of the last report of the European Commission are impressive and can help to understand the continuous development of the IoT market and how every market has to comply with the law and they will emerge facing a regulatory avalanche as mentioned in item 2 on the Regulatory Ecosystem.
Final Considerations: IoT as Consumer Product Health and Safety
IoT safety is becoming more important every day. On the one hand, as mentioned above, most concerns for IoT safety are primarily in the areas of cyber-attacks, hacking, data privacy, and similar topics; what is better referred to as security than safety. On the other hand, it can be approached by physical safety hazards which may result from the operation of consumer products in an IoT environment or system. IoT provides a new way to approach business and it is not restricted to one or other market or topic. It is a metatopic ormetamarketshowing different possibilities and applications and will be spread in the near future.
In general, IoT products are electrical or electronic applications with a power source and a battery connected by a charging device. So long as the power source, batteries and charging devices are present we have the usual risks of electrical related hazards (fire, burns, electrical shock, etc.). Nonetheless, IoT makes matters more complicated as smart devices have the function to send commands and control devices in the real world.
IoT applications can switch the main electrical powers of secondary products or can operate complex motor systems and so on. Then they have to be accurate and might provide minimal requirements to care of consumer health and safety. Risk assessment and hazard mitigations will have to adapt to IoT applications reinventing new methods to assure regular standards of IoT usability. Traditional health and safety regulations might be up to date with this new technological reality to be effective at reducing safety hazards for consumer products.
To conclude, this article was intended to summarize two main issues: I) IoT as an increasing and cross topic market which will become a present reality closer to our daily lives; II) IoT will be regulated and become an important concern in consumer product health and safety.
[1] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27.P2.
[4] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27.P. 19.
[5] Petar Radanliev, David Charles De Roure and others. Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment. Oxford University. MPRA Paper No. 92569, March 2019, P. 1.
If you think there is safety in numbers when it comes to the privacy of your personal information, think again. A recent study in Nature Communications found that, given a large enough dataset, anonymised personal information is only an algorithm away from being re-identified.
Anonymised data refers to data that has been stripped of any identifiable information, such as a name or email address. Under many privacy laws, anonymising data allows organisations and public bodies to use and share information without infringing an individual’s privacy, or having to obtain necessary authorisations or consents to do so.
But what happens when that anonymised data is combined with other data sets?
Researchers behind the Nature Communications study found that using only 15 demographic attributes can re-identify 99.98% of Americans in any incomplete dataset. While fascinating for data analysts, individuals may be alarmed to hear that their anonymised data can be re-identified so easily and potentially then accessed or disclosed by others in a way they have not envisaged.
Re-identification techniques were recently used by the New York Times. In March this year, they pulled together various public data sources, including an anonymised dataset from the Internal Revenue Service, in order to reveal a decade’s worth of Donald Trump’s negatively adjusted income tax returns. His tax returns had been the subject of great public speculation.
What does this mean for business? Depending on the circumstances, it could mean that simply removing personal information such as names and email addresses is not enough to anonymise data and may be in breach of many privacy laws.
To address these risks, companies like Google, Uber and Apple use “differential privacy” techniques, which adds “noise” to datasets so that individuals cannot be re-identified, while still allowing access to the information outcomes they need.
It is a surprise for many businesses using data anonymisation as a quick and cost effective way to de-personalise data that more may be needed to protect individuals’ personal information.
As we head toward 2020, expect significant public debate relating to smartphone applications designed to increase turnout and participation in upcoming elections. The Democratic Party has dipped its toe in the water by announcing in July plans to allow telephone voting in lieu of appearing for neighborhood caucus meetings in the key early primary states of Iowa and Nevada.
Given concerns regarding security and reliability of submitting votes over the internet, jurisdictions around the country have begun to test solutions involving blockchain technology to allow absentee voters to submit voting ballots. Following initial pilot programs in Denver and West Virginia, Utah County, Utah will be the next jurisdiction to utilize a blockchain-based mobile in connection with its upcoming municipal primary and general elections.
The pilot program, which will utilize the mobile voting application “Voatz”, will allow active-duty military, their eligible dependents and overseas voters to cast absentee ballots. Eligible voters will need to apply for an absentee ballot with the county clerk and then download the mobile application. The ballot itself will be unlocked using the smartphone’s biometric data (i.e., a fingerprint or facial recognition) and then will be distributed into the blockchain framework for tabulation.
Technological Revolutions are quiet and astonishing. Step by step new technological applications are pushing existing paradigms and changing the way business is transacted by consumers, companies and in society. In the past, electricity and printing had a revolutionary role in social development, shifting all sectors of life. These days, the Internet of Things (IoT) is pivotal in creating quick, profound and quiet transformations.
According to the Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation of OCED:
The Internet of Things (IoT) could soon be as commonplace as electricity in the everyday lives of people in OECD countries. As such, it will play a fundamental role in economic and social development in ways that would have been challenging to predict as recently as two or three decades ago[1].
In 2008-2009, according to Cisco IBSG – Internet Business Solutions, there were more connected objects, such as smartphones, tablets and computers, than the world’s population. Therefore, this period is considered the year that IoT was born[2]. In 2008, Rob Van Kranemburg published “The Internet of Things”, which addresses a new paradigm in which objects produce information.
Supporting CISCO’s statement, the chart below of Google Trends shows the period of time during which popularity in searches on Google increased. In the last 5 years, IoT has sharply rocketed as a very attractive subject in the general mind of the people on the internet[3]:
Interest Over Time (2004-2019) As Search Item
Digging deeper we can see that IoT popularity is not only relevant to internet users or to some futuristic curiosity on Google, it is a real and concrete “combination of network connectivity, widespread sensor placement, and sophisticated data analysis techniques” which enables“applications to aggregate and act on large amounts of data generated by IoT devices in homes, public spaces, industry and the natural world”[4].
The potential benefits of this kind of connectivity are immense: real-time monitoring and more accurate metrics, the ability to remotely control various actions, interconnectivity and automation, plus the ease of handling a variety of devices that can be centralized on just one smartphone. Nonetheless, this technological avalanche also brings risks and vulnerabilities to users, such as increased vigilance over our habits, exposure of our personal data, hacking vulnerabilities, global or cascading failures, among others.
In the last two years, a set of supporting policy actions have been adopted by the European Commission to accelerate the take-up of IoT and to unleash its potential in Europe for the benefit of European citizens and businesses[5]. These policy actions and statements are not only a guess or shallow forecast, they are a serious result of data and market analysis that came from several studies which found impressive numbers such as 11 billion connected ‘things’ in 2018[6]. This could be as many as 20 billion connections by 2020[7], about 6 billion of which will be in Europe[8]. Of these, 60-65% are consumer devices.
According to the Centre for the Promotion of Imports (CBI) more than 65% of businesses are expected to use IoT products by 2020, compared to 30% in 2017. Europe accounts for more than a third of global Industrial IoT investments by 2020. The market is expected to grow at an impressive average annual rate of 22%. Reaching a value of €287 billion in 2020, Industrial IoT is Europe’s largest IoT market[9].
Seizing the Benefits and Addressing the Challenges
The Centre for the Promotion of Imports (CBI), an Agency of the Netherland’s Ministry of Foreign Affairs and part of the development cooperation effort of the foreign relations of the Netherlands conducted research on the IoT in Europe in January 2019. It concluded:
The European market for Internet of Things (IoT) solutions is growing. Western and Northern Europe are especially promising. Both consumer and business IoT offer opportunities, but specialisation may give you a competitive advantage. The home, health and finance sectors are front runners. National and European initiatives are working to stimulate the roll-out of Industrial IoT solutions and lower barriers. The shortage of skilled specialists continues to drive outsourcing[10].
Apart from an advantageous and “smart” business opportunity, IoT can facilitate innovation in the private sector supporting a wide range of innovative businesses, not only raising the productivity level but increasing the accountability and responsiveness of companies and its employees, improving the client confidence.
Thus, IoT can work to facilitate Private Sector Innovation by so-called industrial Internet, Next Production Revolution (NPR)[11], autonomous machines and big data[12] and automotive industry[13]. On the other hand, innovative Public Sector Delivery with IoT applications could provide smart cities[14], smart governments, smart street lighting[15]and traffic flow optimization[16], innovation in healthcare practice and delivery[17]. IoT technologies are, therefore, expected to play a major role in improving the management of transport, energy use, water services, education, employment, health, crime prevention, by making society more efficient, innovative, safe, sustainable, and inclusive[18].
Regardless of all the benefits, there are many challenges and risks associated with IoT digital security, such as cyber attacks, digital incidents and privacy challenges. Furthermore, bad outcomes can happen causing physical consequences in case of the wrongdoing of autonomous vehicles, health care tools or industrial machines.
The Vision of IoT in 2020
First of all, the 2020 scenario might be approached by a combination of the Cloud and Big Data. Nowadays the hyperconnectivity[19] of society drives IoT to be “The Next Big Thing” in business. According to OECD this next big thing will be related to “a sophisticated industry ecosystem consisting of vendors (providing components), suppliers (creating solutions), service providers, and enterprise users in all sectors of the economy” that will be “measured in billions of Euro in Europe alone, and that will extend across the world too”[20].
Could expectations be too high? Maybe not, because of the following points: I) the centrality of IoT in the upcoming years is corroborated by the sheer number of connections that are expected to be in place by 2020; II) IoT ecosystem will have grown to encompass not only the traditional supply-side actors, but also a rising number of businesses and organizations serving and using IoT; III) hyper-connected society will be an established reality by 2020, as most of the “things” that can be connected, will be by then.
In 2018, the World Economic Forum (WEF) published a study considering initiatives on the future of production. Essentially, it gives an insight into: i) Solution-driven: technology can tackle and solve challenges that have previously been insurmountable; ii) Human-centric: technology can unlock human potential by unleashing creativity, innovation and productivity in new ways; iii) Sustainable: technology can promote sound production processes that minimize negative environmental impact, conserve energy and resources and enable carbon neutrality; iv) Inclusive: employees, companies and countries at different stages of development benefit from Fourth Industrial Revolution technologies and the transformation of production systems[21].
One of its conclusions is that in the coming years, the IoT market is expected to grow across Europe. Most of the front runners are Western European countries, which have traditionally invested more in IT. And together, six countries make up more than 75% of the European IoT market, this makes them especially promising target markets for 2020.
Chart 2. IoT Market Size in Europe
Further, apart from the geographic localization of the opportunities arising, to have a real and concrete overview it is important to be aware of the market size and 2020 forecast by sector. By 2020, industrial IoT is predicted to consist of:
60% cross-industry devices – used in multiple industries, mainly to save costs;
40% vertical-specific devices – used in a specific industry to improve efficiency/accuracy.
Industrial IoT also offers good opportunities, as the average spending per device is much higher in this sector. This makes total spending on consumer and industrial IoT about equal by 2020[22].
Chart 3: IoT Market Size Per Sector
Based on the US Dollar: Euro exchange rates in October 2018, the global average spending on IoT devices is expected to be:
€102 per consumer device;
€114 per cross-industry business device;
€239 per vertical-specific business device.
Finally, electronic sensors are now everywhere – in smartphones, cars, home electronic systems, healthcare devices, fitness monitors and in the workplace. It has been estimated that, by 2020, over 200 billion sensor devices will be inter-connected, creating a market size that, by 2025, will be between $2.7 trillion and $3 trillion a year[23].
At the same time, the market opportunity will bring regulatory challenges. The next section of this report will analyze by specific studies the impact of regulatory requirements on IoT devices and deployment.
[1] OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 5. Available here.
[2] MANCINI, Monica. Internet das Coisas: História, Conceitos, Aplicações e Desafios. Available here.
[3] Interest over time. Numbers represent search interest relative to the highest point on the chart for the given region and time. A value of 100 is the peak popularity for the term. A value of 50 means that the term is half as popular. A score of 0 means there was not enough data for this term. The information is available here.
[4] Idem, p. 5.
[5] European Commission. Digital Single Market. Policies: Internet of Things. Available here.
[6] Gartner, Inc. Press Release. Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016. February 2017. Available here.
[7] Idem, Leading the IoT. Gartner Insights on How to Lead in a Connected World. 2017. P. 2.
[8] European Commission. Definition of a Research and Innovation Policy Leveraging Cloud Computing and IoT Combination. FINAL REPORT. A study prepared for the European Commission. DG Communications Networks, Content & Technology. Digital Agenda for Europe. Available here.
[9] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.
[10] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.
[11] (NPR) entails a confluence of technologies ranging from a variety of digital technologies (e.g. 3D printing, the Internet of Things [IoT] and advanced robotics) to new materials (e.g. bio- or nano-based) to new processes (e.g. data-driven production, artificial intelligence [AI] and synthetic biology). The Next Production Revolution. A Report to G20. OECD, 2017. Available here.
[12] Autonomous machines and the use of big data are increasingly present in agriculture. Robots can now sort plants based on optical recognition, harvest lettuce and recognise rotten apples. Idem, Ibidem.
[13] The automotive industry is one of the sectors most affected by interconnectivity and enhanced efficiency in both production and operation of vehicles. Idem, Ibidem.
[14] “Smart city plans explore the ability to process huge masses of data coming from devices such as video cameras, parking sensors and air-quality monitors to help local governments achieve goals in terms of increased public safety, improved environment and better quality of life. In: OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 16.
[15]“Dublin (Ireland), Oslo (Norway) and Chattanooga, Tennessee in the United States have started to use smart street lighting systems.29 Often triggered by replacing municipal lighting with LED solutions to save on energy costs, smart street lighting can offer combined savings of up to USD 100 per streetlight per year”. Idem, Ibidem.
[16]“The SCOOT system developed by Transport for London uses data on road usage with real-time control of traffic lights in the city to deliver on average a 12% improvement in traffic flow. Other large cities, like Beijing, São Paulo, Toronto or Preston have introduced SCOOT”. Idem, Ibidem.
[17] “Smaller sensors, smartphone assisted readouts, big data analysis and continuous remote monitoring can enable new ways of managing care. Such a digital health feedback system includes wearable and that work together to gather information about medication-taking, activity and rest patterns. Idem. p.15.
[18] UN General Assembly, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/32/38 (2016), P.12.
[19] A term invented by Canadian social scientists Anabel Quan-Haase and Barry Wellman, it refers to the use of multiple means of communication, such as email, instant messaging, telephone, face-to-face contact and Web 2.0 information services.
[20] OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 24.
[21] World Economic Forum. Insight Report. Readiness for the Future of Production. Report 2018. Available here.
[22] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.
[23] Russo et al. Exploring regulations and scope of the Internet of Things in contemporary companies: a first literature analysis. Journal of Innovation and Entrepreneurship, 2015, P. 5.
These companies engaged in “grading,” a process where they review supposedly anonymized recordings of conversations people had with voice assistant program like Siri. A recent Guardian article revealed that these recordings were being passed on to service providers around the world to evaluate whether the voice assistant program was prompted intentionally, and the appropriateness of their responses to the questions users asked.
These recordings can include a user’s most private interactions and are vulnerable to being exposed. Google acknowledged “misconduct” regarding a leak of Dutch language conversation by one of its language experts contracted to refine its Google Assistant program.
Reports indicate around 1,000 conversations, captured by Google Assistant (available in Google Home smart speakers, Android devices and Chromebooks) being leaked to Belgian news outlet VRT NWS. Google audio snippets are not associated with particular user accounts as part of the review process, but some of those messages revealed sensitive information such as medical conditions and customer addresses.
Google will suspend using humans to review these recordings for at least three months, according to the Associated Press. This is yet another friendly reminder to Google Assistant users that they can turn off storing audio data to their Google account completely, or choose to auto-delete data after every three months or 18 months. Apple is also suspending grading and will review their process to improve their privacy practice.
Despite Google and Apple’s recent announcement, enforcement authorities are still looking to take action. German regulator, the Hamburg Commissioner for Data Protection and Freedom of Information, notified Google of their plan to use Article 66 powers of the General Data Protection Regulation (GDPR) to begin an “urgency procedure.” Since the GDPR’s implementation, we haven’t seen this enforcement action utilized, but its impact is significant as it allows the enforcement authorities to halt data processing when there is “an urgent need to act in order to protect the rights and freedoms of data subjects.”
While Google allows users to opt out of some uses of their recordings; Apple has not provided users that ability other than by disabling Siri entirely. Neither privacy policy explicitly warned users of these recordings but do reserve the right to use the information collected to improve their services. Apple, however, disclosed that they will soon provide a software update to allow Siri users opt-out of participation in grading.
Since we’re talking about Google Assistant and Siri, we have to mention the third member of the voice assistant triumvirate, Amazon’s Alexa. Amazon employs temporary workers to transcribe the voice commands of its Alexa. Users can opt out of “Help[ing] Improve Amazon Services and Develop New Features” and allowing their voice recordings to be evaluated.
If you have never asked yourself whether your website is “accessible,” or think that this issue doesn’t apply to your company, read on to learn why website accessibility litigation is on the rise, what actions lawmakers and the courts are taking to try to stem the tide, how to manage litigation risk, what steps you can take to bring your company’s website into compliance, and how to handle customer feedback on issues of accessibility.
The Growing Risk of Website Accessibility Litigation
In recent years, there has been a nationwide explosion of website accessibility lawsuits as both individual lawsuits and class actions. Plaintiffs have brought these claims in federal court under Title III of the Americans with Disabilities Act (ADA) and, in some cases, under similar state and local laws as well. In 2018, the number of federally-filed website accessibility cases skyrocketed to 2,285, up from 815 in the year prior. In the first half of 2019, these cases have increased 51.7% over the prior year’s comparable six-month period, with total filings for 2019 on pace to break last year’s record by reaching over 3,200.
Why Website Accessibility Litigation is on the Rise
The ADA was enacted in 1990 to prevent discrimination against people with disabilities in locations generally open to the public (known as public accommodations). The ADA specified the duties of businesses and property owners to make their locations accessible for people with disabilities, but it was enacted before conducting business transactions over the internet became commonplace. With the rapid growth of internet use, lawsuits emerged arguing that websites were places of public accommodation under the meaning of the ADA.
These claims have presented serious questions about whether, when, and how website owners must comply with the ADA. There is no legislation that directly sets out the technical requirements for website accessibility. And while the U.S. Department of Justice (DOJ) has stated that “the ADA applies to public accommodations’ websites,” it has not clarified exactly what standards websites must meet to comply with the law. In the absence of clear guidance, courts considering the question have frequently looked to the Web Content Accessibility Guidelines (WCAG), first developed by the World Wide Web Consortium (W3C) in 1999, but most recently updated in 2018.
In 2017, federal district courts in Florida and New York ruled that business websites failing to meet WCAG guidelines can violate Title III of the ADA, opening the door for litigants to bring an onslaught of claims in these courts. As a result, the rate at which these suits have been filed has skyrocketed, especially in New York and Florida, reaching businesses based throughout the U.S. and internationally. With the pace of these suits showing no signs of slowing, it is critical that every business operating a website consider how to manage the growing risk of litigation.
A Future Fix?
Some recent developments suggest that lawmakers or courts may soon stem the tide. Congress may decide to enact precise standards, or the DOJ might give clarification or promulgate new rules. At the state level, lawmakers in New York have announced plans to address website accessibility suits based on an outcry from the business community.
Recent decisions in the Southern District of New York and the Fourth Circuit suggest that companies can successfully move to dismiss accessibility suits after mooting claims by taking swift remedial action or by showing that the plaintiff was neither eligible nor in a location to receive the goods or services provided on the website. In addition, the Eleventh Circuit and the Supreme Court may soon weigh in on whether Title III of the ADA categorically applies to all websites and apps.
How to Manage Litigation Risk for Website Accessibility
Knowing your level of exposure is an important first step. Individual risk is currently based on three factors:
Location: Brick and mortar locations, the delivery of products, or the performance of services in New York or Florida heighten a company’s exposure.
Industry: The present trend shows that retail, food service, hospitality, banking, entertainment industries, and educational institutions are especially at risk.
Currentwebsite structure: Sites with e-commerce functions or purchased from third-party developers not currently in compliance with WCAG standards are popular targets.
Unfortunately, it is often difficult to predict the cost and complexity of bringing a website into WCAG compliance-based simply on viewing it. An audit of the source code is often required. That said, you can start with a review of your site and develop plans and processes for accessibility. The first steps can include:
Assess current compliance: Use free online tools like wave and chrome vox and/or enlist a third-party audit to help you understand your current level of accessibility.
Plan for future compliance: Create an overall plan for achieving accessibility on a timeline that makes business sense.
Take immediate action: Adopt first-step improvements that can be implemented immediately, and create a process for considering accessibility before all future implementations.
Bringing your business into compliance with WCAG web standards does not need to be a standalone project. By integrating accessibility into regular updates, redesigns, and new pages, you can make meaningful improvements as part of your existing process. And if you don’t have a process for ongoing maintenance and updates on your website, consider whether your website is still looking fresh and modern and if it is still an accurate expression of your corporate brand.
Include in-house and third-party development teams as stakeholders in the process. Make accessibility a discussion in all new engagements and set expectations for accessibility going forward for new and existing teams:
Increase accessibility awareness: Make accessibility the topic of the next all-hands meeting with all stakeholders.
Ask third-party developers and vendors: Specifically, discuss your website’s current accessibility and which site options are readily available.
Integrate accessibility in projects: Ensure that agreements for ongoing and future site additions and upgrades incorporate accessibility. Seek representations, ask about compliance levels, and consider seeking warranties and indemnification.
Good customer care is always good business, but making thoughtful use of feedback on your website is a critical step to reducing your risk of an accessibility lawsuit. Everyone on the customer care team should be trained on the risk posed by non-compliance, and they should be empowered to carefully consider and respond to website feedback. The development team should also ensure that the site, whatever its level of WCAG compliance:
Encourages feedback: Provide a way for users to give feedback on and receive assistance with accessibility.
Supports engagement with feedback: Document, consider, and carefully respond to user feedback.
Reflects expert input: When receiving feedback, notices, complaints, or threatened litigation, consult with legal counsel and website accessibility experts as early as possible to ensure that your next steps limit potential liability.
Website accessibility is a fast-moving area of law that is primed for reform. With an increasing number of conflicting decisions and the possibility of new legislation or Supreme Court guidance, we will be closely monitoring this topic in the coming years.
The Dex Media case has traveled a long and tortuous path. Its journey began with the service of a complaint in 2001 which was dismissed without prejudice in 2003, and the filing of a new complaint in 2012. The petition for inter partes review was filed in May 2013, and a final written decision of the Board issued in October 2014 finding that the asserted claims are invalid. From there, the case visited the Federal Circuit twice, the Supreme Court once and is now on its way back for a second time. On appeal, the dispute has focused on whether the petition for inter partes review was time barred by § 315(b), and whether the Federal Circuit has jurisdiction to hear the appeal of that issue.
Facts of the Case
In 2001, Inforocket.com, Inc., an exclusive licensee to the patent-in-suit, filed a district court action against Keen, Inc. The complaint asserting infringement was served on September 14, 2001. While the case was pending, Keen acquired Inforocket as its wholly owned subsidiary and stipulated to a voluntary dismissal of the district court action without prejudice in 2003. Keen later changed its name to Ingenio. Click-to-Call subsequently acquired the patent-in-suit, and on May 29, 2012, filed patent infringement lawsuits against multiple parties, one of which was Ingenio.
On May 28, 2012, just under one year after being served with the complaint in the Click-to-Call action, Ingenio and two other defendants filed a petition for inter partes review (IPR) of the patent-in-suit. In its preliminary response, Click-to-Call contended, among other things, that § 315(b) statutorily barred institution of the IPR proceedings, noting that Ingenio’s predecessor-in-interest was served with a complaint alleging infringement of the patent-in-suit in 2001. Section 315(b) states, “An inter partes review may not be instituted if the petition requesting the proceeding is filed more than 1 year after the date on which the petitioner, real part in interest, or privy of the petitioner is served with a complaint alleging infringement of the patent.”
The Board instituted the proceeding, and based on Federal Circuit precedent found that dismissal of an infringement suit without prejudice nullifies the effect of the service of the original complaint against Keen. Therefore, service of the 2001 complaint did not bar the petition. Click-to-Call again argued that the petition was time-barred in its patent owner response; and in its final written decision, the Board reaffirmed its earlier conclusion on that point and found that the challenged claims were invalid.
In the case being reviewed by the Supreme Court, the Federal Circuit first had to decide whether it had jurisdiction to hear an appeal of the § 315(b) time bar in light of § 314(d), which states, “No Appeal. – The determination by the Director whether to institute an inter partes review under this section shall be final and unappealable.” The Federal Circuit, relying upon its en banc ruling in Wi-Fi One, LLC v. Broadcom Corp., 878 F.3d 1364 (Fed. Cir. 2018), held that time-bar determinations under § 315(b) are appealable.
In Wi-Fi One, the Federal Circuit based its finding on the rationale that the time-bar determination “is not akin to either the non-initiation or preliminary-only merits determinations for which unreviewability is common in the law,” and the fact that the time bar “sets limits on the Director’s statutory authority to institute.” Id. at 1373-74. Having decided the question of appealability, the Click-to-Call court then held en banc that the time-bar decision applies to bar institution of an IPR when a petitioner was served with a complaint for patent infringement more than one year before filing its petition, but the action was voluntarily dismissed without prejudice.
Predictions for the Supreme Court
Often, even without the presence of a circuit court split, the Supreme Court takes cases on appeal from the Federal Circuit to reign in and overrule the Appellate Court. In fact, the Supreme Court has reversed 70 percent of the Federal Circuit cases it has heard since 2007. There are two important factors to suggest that the Supreme Court will for a second time reverse the Federal Circuit in this case.
First, in a prior appeal of this case to the Federal Circuit in 2015, the Federal Circuit dismissed the appeal for lack of jurisdiction based on its prior precedent in Achates Reference Publishing, Inc. v. Apple Inc., which was subsequently overruled by Wi-Fi One. Click-to-Call petitioned the Supreme Court for review, and in June 2016, the Supreme Court granted cert, and vacated and remanded the case to the Federal Circuit to consider in light of the Supreme Court’s ruling in Cuozzo Speed Technologies, LLC v. Lee. This suggests that, at the time, the Supreme Court thought there was a clear path for the Federal Circuit to hold that § 315(b) rulings are appealable, as the Federal Circuit did in both Wi-Fi One and its ruling that is currently under review. Since then, the composition of the Supreme Court has changed, with Justice Kennedy’s retirement and the confirmation of Justices Gorsuch and Kavanaugh. It seems now that at least four of the justices of the newly constituted Court may believe that the Federal Circuit’s decision is not consistent with § 314(d).
This contention also is supported by the fact that the Supreme Court declined to review both of the questions presented by the petition for cert. Dex Media, Inc., the successor-in-interest to Ingenio, also requested that the Supreme Court decide whether § 315(b) bars institution of an inter partes review when the previously served patent infringement complaint, filed more than one year before the IPR petition, had been dismissed without prejudice. The Supreme Court declined to hear that issue. One might suppose that if the Supreme Court believes the time-bar question is appealable, the Court also would want to rule on whether a dismissal without prejudice negates the effect of service of the complaint under the time bar statute. It is entirely possible that the Court declined to make that determination because the question will be moot once the Court determines there is no appellate jurisdiction over the time-bar issue.
Implications of the Ruling
If the Supreme Court affirms the Federal Circuit’s ruling and finds that § 315(b) questions are appealable, the Federal Circuit’s jurisprudence regarding when the one-year period begins will remain binding, at least until the Supreme Court decides to hear that issue anew. This means that entities looking to file IPR petitions must be alert to the fact that a predecessor-in-interest may have been served with a complaint triggering the one-year time limit as well as whether to file a petition with other entities who (directly or through a predecessor-in-interest) may have been served with complaints that could bar the entire petition.
In contrast, what will happen if the Supreme Court reverses the Federal Circuit’s ruling and Orders dismissal of the appeal on the grounds that § 314(d) prohibits appeal of the time bar issue? Prior to the Federal Circuit’s ruling, the Board had consistently found, as they did in this case, that dismissal of a complaint without prejudice constituted a nullity in terms of the time-bar statute. If the Federal Circuit’s opinion in this case is overruled, its opinion would not be precedential and the Board could either interpret the statute as they had previously or alter the interpretation in view of the Federal Circuit’s opinion, though they would be under no obligation to do so. It also is possible that this becomes one of the many issues that are panel-dependent, forcing petitioners who were served with complaints that have been dismissed without prejudice to “roll the dice” on the issue.
PTAB practitioners should be watching the outcome of this case closely and consider all of the implications of the ruling before filing a petition for inter partes review. As the facts of this case highlight, they also should perform a thorough due diligence review of all “real parties in interest” related to the contemplated petitioner.
