Practical Tips and Tools for Maintaining ADA-Compliant Websites

Title III of the Americans with Disabilities Act (ADA), enacted in 1990, prohibits discrimination against disabled individuals in “places of public accommodation”—defined broadly to include private entities that offer commercial services to the public. 42 U.S.C. § 12181(7). Under the ADA, disabled individuals are entitled to the full and equal enjoyment of the goods, services, facilities, privileges, and accommodations offered by a place of public accommodation. Id. § 12182(a). To comply with the law, places of public accommodation must take steps to “ensure that no individual with a disability is excluded, denied services, segregated or otherwise treated differently than other individuals.” Id. § 12182(b)(2)(A)(iii).

In the years immediately following the enactment of the ADA, the majority of lawsuits alleging violations of Title III arose as a result of barriers that prevented disabled individuals from accessing brick-and-mortar businesses (i.e., a lack of wheelchair ramps or accessible parking spaces). However, the use of the Internet to transact business has become virtually ubiquitous since the ADA’s passage almost 30 years ago. As a result, lawsuits under Title III have proliferated in recent years against private businesses whose web sites are inaccessible to individuals with disabilities. Indeed, the plaintiffs’ bar has formed something of a cottage industry in recent years, with numerous firms devoted to issuing pre-litigation demands to a large number of small to mid-sized businesses, alleging that the businesses’ web sites are not ADA-accessible. The primary purpose of this often-effective strategy is to swiftly obtain a large volume of monetary settlements without incurring the costs of initiating litigation.

Yet despite this upsurge in web site accessibility lawsuits—actual and threatened—courts have not yet reached a consensus on whether the ADA even applies to web sites. As discussed above, Title III of the ADA applies to “places of public accommodation.” A public accommodation is a private entity that offers commercial services to the public. 42 U.S.C. § 12181(7). The First, Second, and Seventh Circuit Courts of Appeals have held that web sites can be a “place of public accommodation” without any connection to a brick-and-mortar store.[1] However, the Third, Sixth, Ninth, and Eleventh Circuit Courts of Appeals have suggested that Title III applies only if there is a “nexus” between the goods or services offered to the public and a brick-and-mortar location.[2] In other words, in the latter group of Circuits, a business that operates solely through the Internet and has no customer-facing physical location may be under no obligation to make its web site accessible to users with disabilities.

To make matters even less certain, neither Congress nor the Supreme Court has established a uniform set of standards for maintaining an accessible web site. The Department of Justice (DOJ) has, for years, signaled its intent to publish specific guidance regarding uniform standards for web site accessibility under the ADA. However, to date, the DOJ has not published such guidance and, given the agency’s present priorities, it is unlikely that it will issue such guidance in the near future. Accordingly, courts around the country have been called on to address whether specific web sites provide sufficient access to disabled users. In determining the standards for ADA compliance, several courts have cited to the Web Content Accessibility Guidelines (WCAG) 2.1, Level AA (or its predecessor, WCAG 2.0), a series of web accessibility guidelines published by the World Wide Web Consortium, a nonprofit organization formed to develop uniform international standards across the Internet. While not law, the WCAG simply contain recommended guidelines for businesses regarding how their web sites can be developed to be accessible to users with disabilities. In the absence of legal requirements, however, businesses lack clarity on what, exactly, is required to comply with the ADA.

Nevertheless, given the proliferation of lawsuits in this area, businesses that sell goods or services through their web sites or have locations across multiple jurisdictions should take concrete steps to audit their web sites and address any existing accessibility barriers.

Several online tools exist which allow users to conduct free, instantaneous audits of any URL, such as those offered at https://tenon.io/ and https://wave.webaim.org/. However, companies should be aware that the reports generated by such tools can be under-inclusive in that they may not address every accessibility benchmark in WCAG 2.1. The reports also can be over-inclusive and identify potential accessibility issues that would not prevent disabled users from fully accessing and using a site. Accordingly, companies seeking to determine their potential exposure under Title III should engage experienced third-party auditors to conduct individualized assessments of their web sites. Effective audits typically involve an individual tester attempting to use assistive technology, such as screen readers, to view and interact with the target site. Businesses also should regularly re-audit their web sites, as web accessibility allegations often arise in connection with web sites which may have been built originally to be ADA-compliant, but have fallen out of compliance due to content additions or updates.

Companies building new web sites, updating existing sites, or creating remediation plans should consider working with web developers familiar and able to comply with the WCAG 2.1 criteria. While no federal court has held that compliance with WCAG 2.1 is mandatory under Title III, several have recognized the guidelines as establishing a sufficient level of accessibility for disabled users.[3] Businesses engaging new web developers to design or revamp their sites should ask specific questions regarding the developers’ understanding of and ability to comply with WCAG 2.1 in the site’s development, and should memorialize any agreements regarding specific accessibility benchmarks with the web developer in writing.


[1] See Carparts Distrib. Ctr., Inc. v. Auto. Wholesaler’s Ass’n of New England, Inc., 37 F.3d 12, 19 (1st Cir. 1994) (“By including ‘travel service’ among the list of services considered ‘public accommodations,’ Congress clearly contemplated that ‘service establishments’ include providers of services which do not require a person to physically enter an actual physical structure.”); Andrews v. Blick Art Materials, LLC, 268 F. Supp. 3d 381, 393 (E.D.N.Y. 2017); Doe v. Mut. of Omaha Ins. Co., 179 F.3d 557, 559 (7th Cir. 1999).

[2] See Peoples v. Discover Fin. Servs., Inc., 387 F. App’x 179, 183 (3d Cir. 2010) (“Our court is among those that have taken the position that the term is limited to physical accommodations”) (citation omitted); Parker v. Metro. Life Ins. Co., 121 F.3d 1006, 1010-11 (6th Cir. 1997); Weyer v. Twentieth Century Fox Film Corp., 198 F.3d 1104, 1114 (9th Cir. 2000); Haynes v. Dunkin’ Donuts LLC, 741 F. App’x 752, 754 (11th Cir. 2018) (“It appears that the website is a service that facilitates the use of Dunkin’ Donuts’ shops, which are places of public accommodation.”).

[3] See, e.g., Robles v. Domino’s Pizza, LLC, 913 F.3d 898, 907 (9th Cir. 2019) (holding that failure to comply with WCAG is not a per se violation of the ADA, but that trial courts “can order compliance with WCAG 2.0 as an equitable remedy if, after discovery, the website and app fail to satisfy the ADA.”).


© 2019 Vedder Price
This article was written by Margaret G. Inomata and Harrison Thorne of Vedder Price.

Will Technology Return Shame to Our Society?

The sex police are out there on the streets
Make sure the pass laws are not broken

Undercover (of the Night), The Rolling Stones

So, now we know that browsing porn in “incognito” mode doesn’t prevent those sites from leaking your dirty data courtesy of the friendly folks at Google and Facebook.  93 per cent of porn sites leak user data to a third party. Of these, Google tracks about 74 per cent of the analyzed porn sites, while Oracle tracks nearly 24 per cent of sites and Facebook tracks nearly 10 per cent of porn sites.  Yet, despite such stats, 30 per cent of all internet traffic still relates to porn sites.

The hacker who perpetrated the enormous Capital One data breach outed herself by oversharing on GitHub.  Had she been able to keep her trap shut, we’d probably still not know that she was in our wallets.  Did she want to get caught, or was she simply unashamed of having stolen a Queen’s ransom worth of financial data?

Many have lamented that shame (along with irony, truth and proper grammar) is dead.  I disagree.  I think that shame has been on the outward leg of a boomerang trajectory fueled by technology and is accelerating on the return trip to whack us noobs in the back of our unsuspecting heads.

Technology has allowed us to do all sorts of stuff privately that we used to have to muster the gumption to do in public.  Buying Penthouse the old-fashioned way meant you had to brave the drugstore cashier, who could turn out to be a cheerleader at your high school or your Mom’s PTA friend.  Buying the Biggie Bag at Wendy’s meant enduring the disapproving stares of vegans buying salads and diet iced tea.  Let’s not even talk about ED medication or baldness cures.

All your petty vices and vanity purchases can now be indulged in the sanctity of your bedroom.  Or so you thought.  There is no free lunch, naked or otherwise, we are coming to find.  How will society respond?

Country music advises us to dance like no one is watching and to love like we’ll never get hurt. When we are alone, we can act closer to our baser instincts.  This is why privacy is protective of creativity and subversive behaviors, and why in societies without privacy, people’s behavior regresses toward the most socially acceptable responses.  As my partner Ted Claypoole wrote in Privacy in the Age of Big Data,

“We all behave differently when we know we are being watched and listened to, and the resulting change in behavior is simply a loss of freedom – the freedom to behave in a private and comfortable fashion; the freedom to allow the less socially-careful branches of our personalities to flower. Loss of privacy reduces the spectrum of choices we can make about the most important aspects of our lives.

By providing a broader range of choices, and by freeing our choices from immediate review and censure from society, privacy enables us to be creative and to make decisions about ourselves that are outside the mainstream. Privacy grants us the room to be as creative and thought-provoking as we want to be. British scholar and law dean Timothy Macklem succinctly argues that the “isolating shield of privacy enables people to develop and exchange ideas, or to foster and share activities, that the presence or even awareness of other people might stifle. For better and for worse, then, privacy is a sponsor and guardian to the creative and the subversive.”

For the past two decades we have let down our guard, exercising our most subversive and embarrassing expressions of id in what we thought was a private space. Now we see that such privacy was likely an illusion, and we feel as if we’ve been somehow gaslighted into showing our noteworthy bad behavior in the disapproving public square.

Exposure of the Ashley Madison affair-seeking population should have taught us this lesson, but it seems that each generation needs to learn in its own way.

The nerds will, inevitably, figure out how to continue to work and play largely unobserved.  But what of the rest of us?  Will the pincer attack of the advancing surveillance state and the denizens of the Dark Web bring shame back as a countervailing force to govern our behavior?  Will the next decade be marked as the New Puritanism?

Dwight Lyman Moody, a predominant 19th century evangelist, author, and publisher, famously said, “Character is what you are in the dark.”  Through the night vision goggles of technology, more and more of your neighbors can see who you really are and there are very few of us who can bear that kind of scrutiny.  Maybe Mick Jagger had it right all the way back in 1983, when he advised “Curl up baby/Keep it all out of sight.”  Undercover of the night indeed.



Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

DOJ Gets Involved in Antitrust Case Against Symantec and Others Over Malware Testing Standards

The U.S. Department of Justice Antitrust Division has inserted itself into a case that questions whether the Anti-Malware Testing Standards Organization, Inc. (AMTSO) and some of its members are creating standards in a manner that violates antitrust laws.

AMTSO says it is exempt from such per se claims by the Standards Development Organization Advancement Act of 2004 (SDOAA). Symantec Corp., an AMTSO member, says the more flexible “rule of reason” applies – that it must be proven that standards actually undermine competition, which the recommended guidelines do not.

NSS Labs, Inc., is an Austin, Texas-based cybersecurity testing company which offers services including “data center intrusion prevention” and “threat detection analytics.”

In addition to Symantec, AMTSO members include widely recognized names like McAfee and Microsoft, as well as names known well in cybersecurity circles: CarbonBlack, CrowdStrike, FireEye, ICSA, and TrendMicro. NSS Labs also is a member, but says it is among a small number of testing service providers. The organization is dominated by product vendors who easily outvote the service providers like NSS, AV-Comparatives, AV-Test and SKD LABS, NSS maintains, claims disputed by the organization.

On Sept. 19, 2018, NSS Labs filed suit in U.S. District Court for the Northern District of California against AMTSO, CrowdStrike (since voluntarily dismissed), Symantec, and ESET, alleging the product companies used their power in AMTSO to control the design of the malware testing standards, “actively conspiring to prevent independent testing that uncovers product deficiencies to prevent consumers from finding out about them.” The industry standard requires a group boycott that restrains trade, NSS Labs argues, hurting service providers (NSS Labs v. CrowdStrike, et al., No. 5:18-cv-05711-BLF, N.D. Calif.).

The case is before U.S. District Judge Beth Labson Freeman in Palo Alto, who has presided over a number of high-profile matters.

AMTSO moved to dismiss NSS Labs’ suit, citing its exemption from per se antitrust claims because of its status as a standards development organization (SDO). Further, it argues that the group is open to anyone and, while there are three times more vendors than testing service providers in the organization, that reflects the market itself.

On June 26, the DOJ Antitrust Division asked the court not to dismiss the case because further evidence is needed to determine whether the exemption under the SDOAA is justified.

AMTSO countered that the primary reason the case should be dismissed has “nothing to do” with the SDOAA. NSS failed to allege that AMTSO participated in any boycott, the organization says. All the group has done is “adopt a voluntary standard and foster debate about its merits, which is not illegal at all, let alone per se illegal,” the group says, adding that the Antitrust Division is asking the court to “eviscerate the SDOAA.”

Symantec first responded to the suit with a public attack on NSS Labs itself, criticizing its methodology and lack of transparency in its testing procedures, as well as the company’s technical capability and its “pay to play” model in conducting public tests. NSS Labs’ leadership team includes a former principal engineer in the Office of the Chief Security Architect at Cisco, a former Hewlett-Packard professional who established and managed competitive intelligence network programs, and an information systems management professional who formerly held senior management positions at Deloitte, IBM and Aon Hewitt.

On July 8, Symantec responded to the Antitrust Division’s statement of interest. It argued that the SDOAA does not provide an exemption from antitrust laws. Instead, it offers “a legislative determination that the rule of reason – not the per se rule” applies to standard setting activities. “That simply means the plaintiff must prove actual harm to competition, rather than relying on an inflexible rule of law,” Symantec says.

The company wrote that the government may have a point, albeit a moot one. “Symantec does not believe so, but perhaps the Division is right that there is a factual question about whether AMTSO’s membership lacks the balance the statute requires for the exclusion from per se analysis to apply,” Symantec says. Either way, the company argues, it doesn’t matter to the motions for dismissal because the per se rule does not apply.

Judge Freeman has set deadlines for disclosures, discovery, expert designations, and Daubert motions, with a trial date of Feb. 7, 2022.

Commentary

The antitrust analysis of standards setting is one of the sharpest of two-edged swords: When it works properly, it reflects a technology-driven process of reaching an industry consensus that often brings commercialization and interoperability of new technologies to market. When it is undermined, however, it reflects concerted action among competitors that agree to exclude disfavored technologies in a way that looks very much like a group boycott, a per se violation of Section 1 of the Sherman Act.

Accordingly, the Standards Development Organization Advancement Act of 2004 (SDOAA) recognizes that, when they are functioning properly, exempting bona fide standards development organizations (SDOs) from liability for per se antitrust violations can promote the pro-competitive standard setting process. But, when do SDOs “function properly”? The answer is entirely procedural, and is embodied in the statutory definition of SDO: an organization that “incorporate[s] the attributes of openness, balance of interests, due process, an appeals process, and consensus …”

The essential claim in the complaint by NSS Labs, therefore, is that the rules and procedures followed by AMTSO do not provide sufficient procedural safeguards to ensure that the organization arrives at a pro-competitive industry consensus rather than a group boycott for the benefit of one or a few industry players dressed in the garb of standard setting.

This is a factual inquiry that cannot be countered by a legal defense that simply declares the defendant is an SDO and, therefore, immune to suit under the statute. Whether the AMTSO is an SDO under the law or not depends on how it conducts itself, the make-up of its members, and its fidelity to the procedural principles embodied in the statute. The plaintiff’s claim is that AMTSO has not followed the procedural principles required to qualify as an SDO under the Act. This is a purely factual issue and, as such, cannot be resolved on a motion to dismiss.

The DOJ should be commended for urging the court to proceed to discovery to adduce the necessary facts to distinguish between legitimate standard setting and an unlawful group boycott, and it should continue to be vigilant in the face of SDOs and would-be SDOs that might be tempted to use the wrong side of the standard setting sword to commit anticompetitive acts instead of the right side to produce welfare-enhancing industry consensus.

This is particularly true in vital industries like cybersecurity. Government agencies, businesses, and consumers are constantly and increasingly at risk from ever-evolving cyber threats. It is therefore imperative that the cybersecurity market remains competitive to ensure development of the most effective security products.


© MoginRubin LLP
This article was written by Jonathan Rubin and Timothy Z. LaComb of MoginRubin & edited by Tom Hagy for MoginRubin.

Internet of Things: The Global Regulatory Ecosystem and the Most Promising Smart Environments Part II

Regulatory Ecosystem

Hyperconnectivity is a real phenomenon and it is changing the concerns of society because of the kinds of interactions that can be brought about by IoT devices, which could be: i) People to people; ii) People to things (objects, machines); iii) Things/machines to things/machines.

It gives rise to different issues for people. According to a European Survey, 72% of EU Internet users worry that too much of their personal data is being shared online and that they have little control over what happens to this information[1]. It gives rise to inevitable ethical issues and its relationship with the techno environment.

The discussion on ethics that follows aims to provide a quick tour on general ethical principles and theories that are available as they may apply to IoT[2]. Law and ethics are overlapping, but ethics goes beyond law. Thus, a comparison of law and ethics is made and their differences are pointed out in the great work of Spyros G Tzafestas, who wrote Ethics and Law in the Internet of Things World. In this article, he considers that the risks and  harms in a digital world are very high and complex, especially explaining those tech terms and their impact in our private life. Thus, it is of primary importance to review IoT and understand the limitations of protective legal, regulatory and ethical frameworks, in order to provide sound recommendations for maximizing good and minimizing harm[3].

Major data security concerns have also been raised with respect to ‘cloud’-supported IoT. Cloud computing (‘the cloud’) essentially consists of the concentration of resources, e.g. hardware and software, into a few physical locations by a cloud service provider (e.g. Amazon Web Service)[4]. We are living in a data-sharing storm and the economic impact of IoT’s cyber risks is increasing with the integration of digital infrastructure in the digital economy[5]. We are surrounded by devices which contain our data, for instance:

  • Wearable health technologies: wearable devices that continuously monitor the health status of a patient or gather real-world information about the patient such as heart rate, blood pressure, fever;
  • Wearable textile technologies: clothes that can change their color on demand or based on the biological condition of the wearer or according to the wearer’s emotions;
  • Wearable consumer electronics: wristbands, headbands, rings, smart glasses, smart watches, etc[6].

As a result of the serious impact IoT may have and because it involves a huge number of connected devices, it creates a new social, political, economic, and ethical landscape. Therefore, for a sustainable development of IoT, political and economic decision-making bodies have to develop proper regulations in order to be able to control the fair use of IoT in society.

In this sense, the most developed regions as regards establishing IoT Regulations and an ethical framework are the European Union and the United States both of which have enacted:

  • Legislation/regulations;
  • Ethics principles, rules and codes;
  • Standards/guidelines;
  • Contractual arrangements;
  • Regulations for the devices connected;
  • Regulations for the networks and their security; and
  • Regulations for the data associated with the devices.

In light of this, the next section will deal with Data Protection Regulations, Consumer Protection Acts, IoT and Cyber Risks Laws, Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment related with 2020 scenario, which is: 200 billion sensor devices and market size that, by 2025, will be between $2.7 trillion and $3 trillion a year.

Europe

The Alliance for Internet of Things Innovation (AIOTI) was initiated by the European Commission in order to open a stream of dialogue between European stakeholders within the Internet of Things (IoT) market. The overall goal of this initiative was the creation of a dynamic European IoT ecosystem to unleash the potential of IoT.

In October 2015, the Alliance published 12 reports covering IoT policy and standards issues. It provided detailed recommendations for future collaborations in the Internet of Things Focus Area of the 2016-2017 Horizon 2020 programme[7].

The IoT regulation framework in Europe is a growth sector:

  • EU Directive-2013/40: this Directive deals with “Cybercrime” (i.e., attacks against information systems). It provides definitions of criminal offences and sets proper sanctions for attacks against information systems[8].
  • EU NIS Directive 2016/1148: this Network and Information Security (NIS) Directive concerns “Cybersecurity” issues. Its aim is to provide legal measures to assure a common overall level of cybersecurity (network/information security) in the EU, and an enhanced coordination degree among EU Members[9].
  • EU Directive 2014/53: this Directive “On the harmonization of the laws of the member states relating to the marketing of radio equipment”[10] is concerned with the standardization issue which is important for the joint and harmonized development of technology in the EU.
  • EU GDPR: European General Data Protection Regulation 2016/679: this regulation concerns privacy, ownership, and data protection and replaces EU DPR-2012. It provides a single set of rules directly applicable in the EU member states.
  • EU Connected Communities Initiative: this initiative concerns the IoT development infrastructure, and aims to collect information from the market about existing public and private connectivity projects that seek to provide high-speed broadband (more than 30 Mbps).

United States

A quick overview of the general US legislation that protects civil rights (employment, housing, privacy, information, data, etc.) includes:

  • Fair Housing Act (1968);
  • Fair Credit Reporting Act (1970);
  • Electronic Communication Privacy Act (1986), which is applied to service providers that transmit data, the Privacy Act 1974 which is based on the Fair Information Practice Principle (FIPP) Guidelines;
  • Breach Notification Rule which requires companies utilizing health data to notify consumers that are affected by the occurrence of any data breach; and
  • IoT Cybersecurity Improvement Act 2019: the Bill seeks “[t]o leverage Federal Government procurement power to encourage increased cybersecurity for Internet of Things devices.” In other words, this bill aims to shore up cybersecurity requirements for IoT devices purchased and used by the federal government, with the aim of affecting cybersecurity on IoT devices more broadly.
  • SB-327 Information privacy: connected devices: California’s new SB 327 law, which will take effect in January 2020, requires all “connected devices” to have a “reasonable security feature.”

The above legislation is general, and in principle can cover IoT activities, although it was not designed with IoT in mind. Legislation devoted particularly to IoT includes the following:

  • White House Initiative 2012: the purpose of this initiative is to specify a framework for protecting the privacy of the consumer in a networked world.

This initiative involves a report on a “Consumer Bill of Rights” which is based on the so-called “Fair Information Practice Principles” (FIPP). This includes two principles:

  1. Respect for Context Principle: consumers have a right to insist that the collection, use, and disclosure of personal data by Companies is done in ways that are compatible with the context in which consumers provide the data;
  2. Individual Control Principle: consumers have a right to exert control over the personal data companies collect from them or how they use it.

China

Where we start to see the most advanced picture is in China. In 2017, the Ministry of Industry and Information Technology (MIIT), China’s telecom regulator and industrial policy maker, issued the Circular on Comprehensively Advancing the Construction and Development of Mobile Internet of Things (NB-IoT) (MIIT Circular [2017] No. 351, the “Circular”), with the following approach in the opening provisions:

Building a wide-coverage, large-connect, low-power mobile Internet of Things (NB-IoT) infrastructure and developing applications based on NB-IoT technology will help promote the construction of network powers and manufacturing powers, and promote “mass entrepreneurship, innovation” and “Internet +” development. In order to further strengthen the IoT application infrastructure, promote the deployment of NB-IoT networks and expand industry applications, and accelerate the innovation and development of NB-IoT[11]

Nowadays China already has a huge packet of regulation on technological matters:

  • 2015 State Council – China Computer Information System Security Protection Regulation (first in 1994);
  • 2007 MPS – Management Method for Information Security Protection for Classified Levels;
  • 2001 NPC Standing Committee – Resolution about Protection of Internet Security;
  • 2012 NPC Standing Committee – Resolution about Enhance Network Information Protection;
  • July 2015: National Security Law – ‘secure and controllable’ systems and data security in critical infrastructure and key areas;
  • 2014 MIIT – Guidance on Enhance Telecom and Internet Security;
  • 2013 MIIT – Regulation about Telecom and Internet Personal Information Protection;
  • 2014 China Banking Regulatory Commission – Guidance for Applying Secure and Controllable Information Technology to Enhance Banking Industry Cybersecurity and Informatization Development.

Further, as if this were not enough, the Chinese government is being proactive and has several important laws and regulations in the pipeline, as can be seen from the list below:

  • CAC: Administrative Measures on Internet Information Services;
  • CAC Rules on Security Protection for Critical Information Infrastructure;
  • Cybersecurity Law;
  • Cyber Sovereignty;
  • Security of Product and Service;
  • Security of Network Operation (Classified Levels Protection, Critical Infrastructure);
  • Data Security (Category, Personal Information);
  • Information Security.

Finally, China established, in 2016, the National Information Security Standardization Technical Committee and its current work is developing a Standardization – TC260 (IT Security) on Technical requirement for Industrial network protocol and general reference model and requirements for Machine-to-Machine (M2M) security.

Latin America

The Latin American countries have different levels of development and this sets up a huge asymmetry between the domestic legal frameworks. The following is a quick regulation overview on Latin American countries:

  • Brazil has the “National IoT Plan” (Decree N. 9.854/2019) that aims to ensure the development of public policies for this technology sector and members of Brazilian parliament presented the bill No. 7.656/17 with the purpose of eliminating tax charges on IoT products;
  • Colombia has a Draft of Law No. 152/2018 on the Modernization of the Information and Communication providing investments incentives to IT Techs (article 3);
  • Chile has a new Draft Law Boletín N° 12.192-25/2018 on Cyber crimes and regulation on internet devices and hackers attacks;
  • In 2017, Argentina launched a Public Consultation on IoT regarding regulations that must be updated and how to get more security and improve the technological level of the country[12].

Most Promising Smart Environments

Smart environments are regarded as the space within which IoT devices interact, connected through a continuous network. Thus, smart environments aim to satisfy the experience of individuals from every environment, by replacing the hazardous work, physical labor and repetitive tasks with automated agents. Generally speaking, sensors are the basis of these kinds of smart devices, with many different applications, e.g. Smart Parking, Waste Management, Smart Roads and Traffic Congestion, Air Pollution, River Floods, M2M Applications, Vehicle auto-diagnosis, Smart Farming, Energy and Water Uses, Medical and Health Smart applications, etc[13].

Another way of looking at smart environments and assess their relative capacity to produce business opportunities is to identify and examine the most important IoT use cases that are either already being exploited or will be fully exploited by 2020.

For the purposes of this article, the approach was restricted to sectors consisting of the most promising smart environments to be developed up to 2020 in the European Market as displayed in the Chart below:

Chart: Vertical IoT Market Size in Europe

The conclusions of the last report of the European Commission are impressive. They help to explain the continuous development of the IoT market and how every market has to comply with the law, emerging in the face of a regulatory avalanche, as mentioned in item 2 on the Regulatory Ecosystem.

Final Considerations: IoT as Consumer Product Health and Safety

IoT safety is becoming more important every day. On the one hand, as mentioned above, most concerns for IoT safety are primarily in the areas of cyber-attacks, hacking, data privacy, and similar topics; what is better referred to as security than safety. On the other hand, it can be approached by physical safety hazards which may result from the operation of consumer products in an IoT environment or system. IoT provides a new way to approach business and it is not restricted to one or other market or topic. It is a metatopic or metamarket showing different possibilities and applications and will be spread in the near future.

In general, IoT products are electrical or electronic applications with a power source and a battery connected by a charging device. So long as the power source, batteries and charging devices are present we have the usual risks of electrical related hazards (fire, burns, electrical shock, etc.). Nonetheless, IoT makes matters more complicated as smart devices have the function to send commands and control devices in the real world.

IoT applications can switch the main electrical power of secondary products or operate complex motor systems, and so on. They therefore have to be accurate and need to meet minimal requirements to take care of consumer health and safety. Risk assessment and hazard mitigation will have to adapt to IoT applications, reinventing methods to assure regular standards of IoT usability. Traditional health and safety regulations need to be up to date with this new technological reality to be effective at reducing safety hazards for consumer products.

To conclude, this article was intended to summarize two main issues: I) IoT as an increasing and cross topic market which will become a present reality closer to our daily lives; II) IoT will be regulated and become an important concern in consumer product health and safety.

See the first Installment of the IoT:  Seizing the Benefits and Addressing the Challenges and the Vision of IoT in 2020.


[1] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27. P. 2.

[2] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 102.

[3] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 99.

[4] Nóra Ni Loideain. Port in the Data-Sharing Storm: The GDPR and the Internet of Things. King’s College London Dickson Poon School of Law Legal Studies Research Paper Series: Paper No. 2018-27. P. 19.

[5] Petar Radanliev, David Charles De Roure and others. Definition of Internet of Things (IoT) Cyber Risk – Discussion on a Transformation Roadmap for Standardization of Regulations, Risk Maturity, Strategy Design and Impact Assessment. Oxford University. MPRA Paper No. 92569, March 2019, P. 1.

[6] Spyros G Tzafestas. Ethics and Law in the Internet of Things World. Smart Cities 2018, 1(1), 98-120. P. 101; https://doi.org/10.3390/smartcities1010006

[7] More information available here.

[8] EUR-Lex Document 32013L0040. Directive 2013/40/EU of the European Parliament and the Council of 12 August 2013. Available here.

[9] NIS Directive. The Directive on Security of Network and Information Systems.

[10] EUR-Lex Document 32014L0053. Directive 2014/53/EU of the European Parliament and the Council of 16 April 2014.

[11] Notice of the General Office of the Ministry of Industry and Information Technology on Promoting the Development of Mobile Internet of Things. Department of Industry communication letter [2017] No. 351.

[12] Available here.

[13] More examples


Copyright © 2019 Compliance and Risks Ltd.
This article was written by João Pedro Paro from Compliance & Risks.

Internet of Things: Regulatory Ecosystem and Consumer Product Health and Safety – Part I

IoT: International Framework

Technological Revolutions are quiet and astonishing. Step by step new technological applications are pushing existing paradigms and changing the way business is transacted by consumers, companies and in society. In the past, electricity and printing had a revolutionary role in social development, shifting all sectors of life. These days, the Internet of Things (IoT) is pivotal in creating quick, profound and quiet transformations.

According to the Committee on Digital Economy Policy of the Directorate for Science, Technology and Innovation of the OECD:

The Internet of Things (IoT) could soon be as commonplace as electricity in the everyday lives of people in OECD countries. As such, it will play a fundamental role in economic and social development in ways that would have been challenging to predict as recently as two or three decades ago[1].

In 2008-2009, according to Cisco IBSG – Internet Business Solutions, there were more connected objects, such as smartphones, tablets and computers, than the world’s population. Therefore, this period is considered the year that IoT was born[2]. In 2008, Rob van Kranenburg published “The Internet of Things”, which addresses a new paradigm in which objects produce information.

Supporting CISCO’s statement, the chart below of Google Trends shows the period of time during which popularity in searches on Google increased. In the last 5 years, IoT has sharply rocketed as a very attractive subject in the general mind of the people on the internet[3]:

Chart 1: Interest Over Time (2004-2019) As Search Item

Digging deeper, we can see that IoT popularity is not only relevant to internet users or to some futuristic curiosity on Google; it is a real and concrete “combination of network connectivity, widespread sensor placement, and sophisticated data analysis techniques” which enables “applications to aggregate and act on large amounts of data generated by IoT devices in homes, public spaces, industry and the natural world”[4].

The potential benefits of this kind of connectivity are immense: real-time monitoring and more accurate metrics, the ability to remotely control various actions, interconnectivity and automation, plus the ease of handling a variety of devices that can be centralized on just one smartphone. Nonetheless, this technological avalanche also brings risks and vulnerabilities to users, such as increased vigilance over our habits, exposure of our personal data, hacking vulnerabilities, global or cascading failures, among others.

In the last two years, a set of supporting policy actions have been adopted by the European Commission to accelerate the take-up of IoT and to unleash its potential in Europe for the benefit of European citizens and businesses[5]. These policy actions and statements are not only a guess or shallow forecast, they are a serious result of data and market analysis that came from several studies which found impressive numbers such as 11 billion connected ‘things’ in 2018[6]. This could be as many as 20 billion connections by 2020[7], about 6 billion of which will be in Europe[8]. Of these, 60-65% are consumer devices.

According to the Centre for the Promotion of Imports (CBI) more than 65% of businesses are expected to use IoT products by 2020, compared to 30% in 2017. Europe accounts for more than a third of global Industrial IoT investments by 2020. The market is expected to grow at an impressive average annual rate of 22%. Reaching a value of €287 billion in 2020, Industrial IoT is Europe’s largest IoT market[9].

Seizing the Benefits and Addressing the Challenges

The Centre for the Promotion of Imports (CBI), an agency of the Netherlands’ Ministry of Foreign Affairs and part of the development cooperation effort of the foreign relations of the Netherlands, conducted research on the IoT in Europe in January 2019. It concluded:

The European market for Internet of Things (IoT) solutions is growing. Western and Northern Europe are especially promising. Both consumer and business IoT offer opportunities, but specialisation may give you a competitive advantage. The home, health and finance sectors are front runners. National and European initiatives are working to stimulate the roll-out of Industrial IoT solutions and lower barriers. The shortage of skilled specialists continues to drive outsourcing[10].

Apart from being an advantageous and “smart” business opportunity, IoT can facilitate innovation in the private sector by supporting a wide range of innovative businesses, not only raising the productivity level but also increasing the accountability and responsiveness of companies and their employees and improving client confidence.

Thus, IoT can work to facilitate Private Sector Innovation through the so-called industrial Internet, Next Production Revolution (NPR)[11], autonomous machines and big data[12] and the automotive industry[13]. On the other hand, innovative Public Sector Delivery with IoT applications could provide smart cities[14], smart governments, smart street lighting[15] and traffic flow optimization[16], and innovation in healthcare practice and delivery[17]. IoT technologies are, therefore, expected to play a major role in improving the management of transport, energy use, water services, education, employment, health and crime prevention, by making society more efficient, innovative, safe, sustainable, and inclusive[18].

Regardless of all the benefits, there are many challenges and risks associated with IoT digital security, such as cyber attacks, digital incidents and privacy challenges. Furthermore, bad outcomes can happen causing physical consequences in case of the wrongdoing of autonomous vehicles, health care tools or industrial machines.

The Vision of IoT in 2020

First of all, the 2020 scenario might be approached by a combination of the Cloud and Big Data. Nowadays the hyperconnectivity[19] of society drives IoT to be “The Next Big Thing” in business. According to OECD this next big thing will be related to “a sophisticated industry ecosystem consisting of vendors (providing components), suppliers (creating solutions), service providers, and enterprise users in all sectors of the economy” that will be “measured in billions of Euro in Europe alone, and that will extend across the world too”[20].

Could expectations be too high? Maybe not, because of the following points: I) the centrality of IoT in the upcoming years is corroborated by the sheer number of connections that are expected to be in place by 2020; II) IoT ecosystem will have grown to encompass not only the traditional supply-side actors, but also a rising number of businesses and organizations serving and using  IoT; III) hyper-connected society will be an established reality by 2020, as most of the “things” that can be connected, will be by then.

In 2018, the World Economic Forum (WEF) published a study considering initiatives on the future of production. Essentially, it gives an insight into: i) Solution-driven: technology can tackle and solve challenges that have previously been insurmountable; ii) Human-centric: technology can unlock human potential by unleashing creativity, innovation and productivity in new ways; iii) Sustainable: technology can promote sound production processes that minimize negative environmental impact, conserve energy and resources and enable carbon neutrality; iv) Inclusive: employees, companies and countries at different stages of development benefit from Fourth Industrial Revolution technologies and the transformation of production systems[21].

One of its conclusions is that in the coming years, the IoT market is expected to grow across Europe. Most of the front runners are Western European countries, which have traditionally invested more in IT. Together, six countries make up more than 75% of the European IoT market, which makes them especially promising target markets for 2020.

Chart 2. IoT Market Size in Europe

Further, apart from the geographic localization of the opportunities arising, to have a real and concrete overview it is important to be aware of the market size and 2020 forecast by sector. By 2020, industrial IoT is predicted to consist of:

  • 60% cross-industry devices – used in multiple industries, mainly to save costs;
  • 40% vertical-specific devices – used in a specific industry to improve efficiency/accuracy.
  • Industrial IoT also offers good opportunities, as the average spending per device is much higher in this sector. This makes total spending on consumer and industrial IoT about equal by 2020[22].

Chart 3: IoT Market Size Per Sector

Based on the US Dollar: Euro exchange rates in October 2018, the global average spending on IoT devices is expected to be:

  • €102 per consumer device;
  • €114 per cross-industry business device;
  • €239 per vertical-specific business device.

Finally, electronic sensors are now everywhere – in smartphones, cars, home electronic systems, healthcare devices, fitness monitors and in the workplace. It has been estimated that, by 2020, over 200 billion sensor devices will be inter-connected, creating a market size that, by 2025, will be between $2.7 trillion and $3 trillion a year[23].

At the same time, the market opportunity will bring regulatory challenges. The next section of this report will analyze by specific studies the impact of regulatory requirements on IoT devices and deployment.

Read more: Internet of Things: The Global Regulatory Ecosystem and the Most Promising Smart Environments Part II


[1]  OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 5. Available here.

[2] MANCINI, Monica. Internet das Coisas: História, Conceitos, Aplicações e Desafios. Available here.

[3] Interest over time. Numbers represent search interest relative to the highest point on the chart for the given region and time. A value of 100 is the peak popularity for the term. A value of 50 means that the term is half as popular. A score of 0 means there was not enough data for this term. The information is available here.

[4] Idem, p. 5.

[5] European Commission. Digital Single Market. Policies: Internet of Things. Available here.

[6] Gartner, Inc. Press Release. Gartner Says 8.4 Billion Connected “Things” Will Be in Use in 2017, Up 31 Percent From 2016. February 2017. Available here.

[7] Idem, Leading the IoT. Gartner Insights on How to Lead in a Connected World. 2017. P. 2.

[8] European Commission. Definition of a Research and Innovation Policy Leveraging Cloud Computing and IoT Combination. FINAL REPORT. A study prepared for the European Commission. DG Communications Networks, Content & Technology. Digital Agenda for Europe. Available here.

[9] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.

[10] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.

[11] (NPR) entails a confluence of technologies ranging from a variety of digital technologies (e.g. 3D printing, the Internet of Things [IoT] and advanced robotics) to new materials (e.g. bio- or nano-based) to new processes (e.g. data-driven production, artificial intelligence [AI] and synthetic biology). The Next Production Revolution. A Report to G20. OECD, 2017. Available here.

[12] Autonomous machines and the use of big data are increasingly present in agriculture. Robots can now sort plants based on optical recognition, harvest lettuce and recognise rotten apples. Idem, Ibidem.

[13] The automotive industry is one of the sectors most affected by interconnectivity and enhanced efficiency in both production and operation of vehicles. Idem, Ibidem.

[14] “Smart city plans explore the ability to process huge masses of data coming from devices such as video cameras, parking sensors and air-quality monitors to help local governments achieve goals in terms of increased public safety, improved environment and better quality of life.” In: OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 16.

[15] “Dublin (Ireland), Oslo (Norway) and Chattanooga, Tennessee in the United States have started to use smart street lighting systems. Often triggered by replacing municipal lighting with LED solutions to save on energy costs, smart street lighting can offer combined savings of up to USD 100 per streetlight per year”. Idem, Ibidem.

[16] “The SCOOT system developed by Transport for London uses data on road usage with real-time control of traffic lights in the city to deliver on average a 12% improvement in traffic flow. Other large cities, like Beijing, São Paulo, Toronto or Preston have introduced SCOOT”. Idem, Ibidem.

[17] “Smaller sensors, smartphone assisted readouts, big data analysis and continuous remote monitoring can enable new ways of managing care. Such a digital health feedback system includes wearable and that work together to gather information about medication-taking, activity and rest patterns.” Idem, p. 15.

[18] UN General Assembly, Report of the Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression, A/HRC/32/38 (2016), P.12.

[19] A term invented by Canadian social scientists Anabel Quan-Haase and Barry Wellman, it refers to the use of multiple means of communication, such as email, instant messaging, telephone, face-to-face contact and Web 2.0 information services.

[20] OCDE. Committee on Digital Economy Policy of Directorate for Science, Technology and Innovation. The Internet of Things: Seizing the Benefits and Addressing the Challenges. Background Report for Ministerial Panel 2.2. English Version. 24 May 2016. P. 24.

[21] World Economic Forum. Insight Report. Readiness for the Future of Production. Report 2018. Available here.

[22] Netherlands Ministry of Foreign Affairs. Centre for the Promotion of Imports (CBI). January 2019. Available here.

[23] Russo et al. Exploring regulations and scope of the Internet of Things in contemporary companies: a first literature analysis. Journal of Innovation and Entrepreneurship, 2015, P. 5.


Copyright © 2019 Compliance and Risks Ltd.
This article was written by João Pedro Paro of Compliance & Risks.

Control Freaks and Bond Villains

The hippy ethos that birthed early management of the internet is beginning to look quaint. Even as a military project, the core internet concept was a decentralized network of unlimited nodes that could reroute itself around danger and destruction. No one could control it because no one could truly manage it. And that was the primary feature, not a bug.

Well, not anymore.

I suppose it shouldn’t surprise us that the forces insisting on dominating their societies are generally opposed to an open internet where all information can be free. Dictators gonna dictate.

On July 17, 2019, the government of Kazakhstan began intercepting all HTTPS internet traffic inside its borders. Local Kazakh ISPs must force their users to install a government-issued certificate into all devices to allow local government agents to decrypt users’ HTTPS traffic, examine its content, re-encrypt with a government certificate and send it on to its intended destination. This is the electronic equivalent of opening every envelope, photocopying the material inside, stuffing that material in a government envelope and (sometimes) sending it to the expected recipient. Except with web sites.

According to ZDNet, the Kazakh government, unsurprisingly, said the measure was “aimed at enhancing the protection of citizens, government bodies and private companies from hacker attacks, Internet fraudsters and other types of cyber threats.” As Robin Hood could have told you, the Sheriff’s actions taken to protect travelers and control brigands can easily result in government control of all traffic and information, especially when that was the plan all along. Security Boulevard reports that “Since Wednesday, all internet users in Kazakhstan have been redirected to a page instructing users to download and install the new certificate.”

This is not the first time that Kazakhstan has attempted to force its citizens to install a root certificate, and in 2015 the Kazakhs even applied with Mozilla to have a Kazakh root certificate included in Firefox (Mozilla politely declined).

Despite creative technical solutions, we all know that Kazakhstan is not alone in restricting the internet access of its citizens. For one (gargantuan) example, China’s population of 800 million has deeply restricted internet access, and, according to the Washington Post, the Chinese citizenry can’t access Google, Facebook, YouTube or the New York Times, among many, many, many others. The Great Firewall of China involves legislation, government monitoring action, technology limitations and cooperation from internet and telecommunications companies. China recently clamped down on WhatsApp and VPNs, which had returned a modicum of control and privacy to the people. And China has taken these efforts two steps beyond nearly anyone else in the world by building a culture of investigation and shame, where its citizens could find their pictures on a local billboard for boorish traffic or internet behavior, or in jail for questioning the ruling party on the internet. All this is well documented.

23 countries in Asia and 7 in Africa restrict torrents, pornography, political media and social media. The only two European nations that have the same restrictions are Turkey and Belarus. Politicians in the U.S. and Europe had hoped that the internet would serve as a force for freedom, knowledge and unlimited communications. Countries like Russia, Cuba and Nigeria also see the internet’s potential, but they prefer to throttle the net to choke off this potential threat to their one-party rule governments.

For these countries, there is no such thing as private. They think of privacy in context – you may keep thoughts or actions private from companies, but not the government. On the micro level, it reminds me of family dynamics – when your teenagers talk about privacy, they mean keeping information private from the adults in their lives, not friends, strangers, or even companies. Controlling governments sing the song of privacy: as long as information is not kept from them, it can be hidden from others.

The promise of Internet freedom is slipping further away from more people each year as dictators and real life versions of movie villains figure out how to use the technology for surveillance of everyday people and how to limit access to “dangerous” ideas of liberty. ICANN, the internet control organization set up by the U.S. two decades ago, has proven itself bloated and ineffective to protect the interests of private internet users.  In fact, it would be surprising if the current leaders of ICANN even felt that such protections were within its purview.

The internet is truly a global phenomenon, but it is managed at local levels, leaving certain populations vulnerable to spying and manipulation by their own governments. Those running the system seem to have resigned themselves to allowing national governments to greatly restrict the human rights of their own citizens.

A tool can be used in many different ways.  A hammer can help build a beautiful home or can be the implement of torture and murder. The internet can be a tool for freedom of thought and expression, where everyone has a publishing and communication platform.  Or it can be a tool for repression. We have come to accept more of the latter than I believed possible.

Post Script —

Also, after a harrowing last 2-5 years where freedom to speak on the internet (and social media) has exploded into horrible real-life consequences, large and small, even the most libertarian and laissez faire of First World residents is slapping the screen to find some way to moderate the flow of ignorance, evil, insanity, inanity and stupidity. This is the other side of the story and fodder for a different post.

And it is also probably time to run an updated discussion of ICANN and its role in internet management.  We heard a great deal about internet leadership in 2016, but not so much lately. Stay Tuned.

Copyright © 2019 Womble Bond Dickinson (US) LLP All Rights Reserved.

The Tor Browser Afforded CDA Immunity for Dark Web Transactions

The District of Utah ruled in late May that Section 230 of the Communications Decency Act, 47 U.S.C. §230 (“CDA”) shields The Tor Project, Inc. (“Tor”), the organization responsible for maintaining the Tor Browser, from claims for strict product liability, negligence, abnormally dangerous activity, and civil conspiracy.

The claims were asserted against Tor following an incident where a minor died after taking illegal narcotics purchased from a site on the “dark web” on the Tor Network. (Seaver v. Estate of Cazes, No. 18-00712 (D. Utah May 20, 2019)). The parents of the child sued, among others, Tor as the service provider through which the teenager was able to order the drug on the dark web. Tor argued that the claims against it should be barred by CDA immunity and the district court agreed.

The Onion Router, or “Tor” Network, was originally created by the U.S. Naval Research Laboratory for secure communications and is now freely available for anyone to download from the Tor website.  The Tor Network allows users to access the internet anonymously and allows some websites to operate only within the Tor network. Thus, the Tor Network attempts to provide anonymity protections both to operators of a hidden service and to visitors of a hidden service. The Tor browser masks a user’s true IP address by bouncing user communications around a distributed network of relay computers, called “nodes,” which are run by volunteers around the world. Many people and organizations use the Tor Network for legal purposes, such as for anonymous browsing by privacy-minded users, journalists, human rights organizations and dissidents living under repressive regimes. However, the Tor Network is also used as a forum and online bazaar for illicit activities and hidden services (known as the “dark web”). The defendant Tor Project is a Massachusetts non-profit organization responsible for maintaining the software underlying the Tor browser.

To qualify for immunity under the CDA, a defendant must show that 1) it is an “interactive computer service”; 2) its actions as a “publisher or speaker” form the basis for liability; and 3) “another information content provider” provided the information that forms the basis for liability. The first factor is generally not an issue in disputes where CDA immunity is invoked, as websites or social media platforms typically fit the definition of an “interactive computer service.” The court found that Tor qualified as an “interactive computer service” because it enables computer access by multiple users to computer servers via its Tor Browser.  The remaining factors were straightforward for the court to analyze, as the plaintiff sought to hold Tor liable as the publisher of third-party information (e.g., the listing for the illicit drug).

The outcome was not surprising, given that courts have previously dismissed tort claims against platforms or websites where illicit goods were purchased (such as the recent Armslist case decided by the Wisconsin Supreme Court where claims against a classified advertising website were deemed barred by the CDA).

The court’s ability to even hear the case also posed interesting jurisdictional questions, as the details of the Tor network are shrouded in anonymity and there are no accurate figures as to how many users or nodes exist within the Utah forum. The court determined that, under plaintiff’s rough estimation, there were around 3,000-4,000 Utah residents who used Tor daily and, perhaps, became part of the service (“Plaintiff has set forth substantial evidence to support the assumption that many of these transactions and relays are occurring in Utah on a daily basis”). In a breezy analysis, the court found that plaintiff had provided sufficient evidence to set forth a prima facie showing that Tor maintains continuous and systematic contacts in the state of Utah so as to satisfy the general jurisdiction standard.

This case is a reminder of the breadth of the CDA, as well as a reminder that many of its applications result in painful and somewhat controversial outcomes.

© 2019 Proskauer Rose LLP.

Article by Stephanie J. Kapinos of Proskauer Rose LLP.


Forget About Fake News, How About Fake People? California Starts Regulating Bots as of July 1, 2019

California SB 1001, Cal. Bus. & Prof. Code § 17940, et seq., takes effect July 1, 2019. The law regulates the online use of “bots” – computer programs that interact with a human being and give the appearance of being an actual person – by requiring disclosure when bots are being used.

The law applies in limited cases of online communications to (a) sell commercial goods or services, or (b) influence a vote in an election. Specifically, the law prohibits using a bot in those circumstances, “with the intent to mislead the other person about its artificial identity for the purpose of knowingly deceiving the person about the content of the communication in order to incentivize a purchase or sale of goods or services in a commercial transaction or to influence a vote in an election.” Disclosure of the existence of the bot avoids liability.

As more and more companies use bots, artificial intelligence, and voice recognition technology to provide customer service in online transactions, businesses will need to consider carefully how and when to disclose that their helpful (and often anthropomorphized) digital “assistants” are not really human beings.  In a true customer-service situation where the bot is fielding questions about warranty service, product returns, etc., there may be no duty. But a line could be crossed if any upsell is included, such as “Are you interested to learn about our latest line of products?”

Fortunately, the law doesn’t expressly create a private cause of action against violators. However, it remains to be seen if lawsuits nevertheless get brought under general laws prohibiting unfair or deceptive trade practices alleging failure to disclose the existence of a bot.

Also, an exemption applies for online “platforms,” defined as: “any public-facing Internet Web site, Web application, or digital application, including a social network or publication, that has 10,000,000 or more unique monthly United States visitors or users for a majority of months during the preceding 12 months.”  Accordingly, operators of very large online sites or services are exempt.

For marketers who use bots in customer communications – and who are not large enough to take advantage of the “platform” exemption – the time is now to review those practices and decide whether disclosures may be appropriate.

©2019 Greenberg Traurig, LLP. All rights reserved.

IOT (Internet of Things) Legislation Makes an Appearance in the U.S. Senate

For those who are not familiar with the acronym, IoT or ‘Internet of things’ refers to the interconnection of network devices and everyday objects for increased control and ease of use.

The US Government has been steadily increasing the number of IoT devices used in day-to-day business. In response to mounting concerns surrounding this, a bipartisan group in the Senate revealed a piece of legislation that will govern the use of IoT devices in the government context.

As we have blogged previously, the implementation of IoT brings with it an array of potential security issues and vulnerabilities. If hackers are able to access one device, there’s the possibility for them to manipulate others connected on the same network. This could result in national security risks, citizen information breaches or high-scale ransom attacks.

Under the bill, the National Institute of Standards and Technology (NIST) will give recommendations to the federal government, including minimum security requirements and how the government should approach potential cybersecurity issues. These policies and recommendations would be revisited every five years to keep them fresh and responsive to ever-changing cyber threats.

The potential for such standards to provide more industry-wide guidance is to be encouraged, as several years into the growth of IoT there remains huge variability in security. The Internet of Things generally receives less attention than most people’s computers, but its impact and ability to propagate an attack are arguably greater.

Ella Richards and Cameron Abbott of K&L Gates contributed to this post.

Copyright 2019 K&L Gates.

Fiat Chrysler Car Hacking Case Put In Neutral

Plaintiffs’ lawyers’ continued search for damage theories to assert in claims arising from a data breach – or fear of a breach – received a potential setback this week when Chief Judge Michael Reagan of the United States District Court for the Southern District of Illinois permitted Fiat Chrysler and Harman International to seek an interlocutory appeal of the court’s earlier ruling in Flynn v. Fiat Chrysler US that class plaintiffs had standing to bring their “car hacking” claims in federal court. The ruling comes just one month before the scheduled start of trial. Fiat Chrysler and Harman moved for an appeal after the Ninth Circuit ruled in a similar case, Cahen v. Toyota Motor Corp, that plaintiffs did not have standing to pursue diminution in value damages against Toyota based on a fear that the vehicles were susceptible to hacking.

Both Flynn and Cahen were filed in 2015, following a series of well-publicized demonstrations by white hat hackers that certain Toyota and Fiat Chrysler cars could be hacked and remotely controlled by a third party, in potentially malicious ways. Plaintiffs in both lawsuits asserted that the cybersecurity vulnerabilities that gave rise to the potential for hacking constituted a design defect that reduced the value of their cars.

The Ninth Circuit in Cahen previously rejected this diminution of value theory, agreeing with the District Court that “plaintiffs have not, for example, alleged a demonstrable effect on the market for their specific vehicles based on documented recalls or declining Kelley Bluebook values . . . nor have they alleged a risk so immediate that they were forced to replace or discontinue using their vehicles, thus incurring out-of-pocket damages.” In rejecting Fiat Chrysler’s motion to dismiss in the Flynn case, Judge Reagan reached a different conclusion, finding that plaintiffs had standing to seek diminution of value damages. Key to the court’s decision was the fact that the cybersecurity defects in Chrysler cars that had been widely reported (originally in a Wired magazine article) led to a nationwide recall. The recall itself gave rise to additional reports of car hacking involving Chrysler cars, which the plaintiffs argued provided a foundation for a jury to conclude that the market value of Fiat Chryslers had been reduced. Additionally, plaintiffs alleged that the recall had not fixed the cybersecurity vulnerabilities, which the court found could give rise to a conclusion that the market for Chryslers had been altered.

In certifying the case for appeal, Judge Reagan explained that the initial finding of standing was debatable and noted that a ruling by the Seventh Circuit in favor of Fiat Chrysler would obviate the need for trial. The case remains stayed while the Seventh Circuit considers whether to agree to review the court’s standing ruling.

A ruling by the Seventh Circuit rejecting the District Court’s standing analysis in Flynn would potentially close what had been a new front in data breach litigation. Flynn had been one of only a few data security cases in the country to proceed past the motion to dismiss stage on a diminution in value theory of damages. What made Flynn particularly remarkable is that there had not been an actual reported breach that resulted in physical or other damages.

On the other hand, a ruling in favor of plaintiffs could have widespread ramifications and, in theory, could give rise to design defect claims against manufacturers of other connected products, such as refrigerators, medical devices, and smart televisions, based on data security vulnerabilities that increase the risk of hacking.

The Internet of Things is growing rapidly. According to Gartner, there are over 5 billion devices connected to the internet, and by 2020, there will be 25 billion, with revenues expected to exceed $300 billion. To be sure, there are important differences between the automobile market and the market for other consumer products that may limit the viability of overpayment damages claims for data security vulnerabilities outside of automobiles. Still, the potential that these IoT manufacturers could be subject to products liability claims stemming from cybersecurity vulnerabilities is an issue to watch carefully.

Copyright © by Ballard Spahr LLP
Philip N. Yannella of Ballard Spahr LLP