IoT Security – Should consumers bear any responsibility?

A recent article in CSO (Australia edition) advised data security executives that “Users’ poor home IoT security could become your next headache”.

This raises an interesting question. Where should we draw the line between a consumer’s responsibility to become technologically literate, including protecting the security of their home network and devices, and the developer’s and manufacturer’s responsibility for the security of those devices throughout their life-cycle? The question will eventually have to be answered — and probably in court. Manufacturers facing a class action for security defects in an IoT device will undoubtedly raise a defence of contributory negligence.

In this post, I’ll focus on some observations about what we know about consumer behaviour in addressing defects in products they use. On Thursday, I’ll offer some thoughts on Canadian consumer protection laws and how that might affect suppliers and manufacturers attempting to limit liability for IoT security defects.

The evidence suggests that consumers are aware that there are security risks with their IoT devices. CISCO reported in December 2017 that consumers have a low level of trust in the security of their data flowing through IoT devices. What is less clear is whether consumers believe that they have a significant role to play in ensuring that those devices are secure.

The “plug-and-play” consumer culture does not help instill a sense of responsibility in consumers for managing and maintaining electronic devices. Consumers tend to re-use passwords, leave default passwords on routers, fail to update firmware on devices ranging from routers to smart TVs, and fail to deploy updates. Consumers may gamble that their poor password, virus protection, and software update practices won’t lead to or contribute to the loss of the data. However, the issue in IoT is not only an issue of privacy. It is an issue of the availability and integrity of the data, which could lead to consequences that affect the safe operation of those devices.

Consumers are also poor at quantifying risks and responding to those risks. How bad could it get? Consider automobiles. According to Carfax, one in five vehicles in the United States had open recalls – that is, unfixed issues that in many cases could result in serious safety risks. Researchers continue to try to figure out ways to nudge consumers to respond appropriately to the risks.

Research by the U.S. National Highway Traffic Safety Administration (NHTSA) presented to Congress in 2017 suggests that there are potentially a number of issues at play that affect how consumers respond to risks.

For example, rates of completion for open recalls decreased with the age of the vehicle. Consumers may simply not invest much in the maintenance of older vehicles, and this may affect the amount of information they receive about open recalls and whether they take the time to have them fixed. Vehicle owners may be more likely to visit a dealership during a new vehicle warranty period. It is more likely they will learn about the open recalls and will be nudged into having them fixed (or appear irresponsible). Older vehicles may not be serviced unless there is a serious problem.

The NHTSA research also showed that the type of component involved affected recall completion rates. It may be that consumers need a better framework for understanding the risk in some cases. Is it possible that a consumer may apply a lower discount to the chances of harm coming from a defective fuel system that could cause a spontaneous fire because they have a limited role in the likelihood of the event? By contrast, might a consumer apply a greater discount to the risk of a defective air bag or seat, if the harm would only apply in the case of a motor vehicle accident? The risk of a motor vehicle accident may already seem rare to the consumer. The consumer may also overestimate their abilities as a defensive driver to prevent the accident.

Whatever the psychological reasons, the statistics do not bode well for consumers taking responsibility for IoT devices, particularly when we consider the myriad types of IoT devices such as wall plugs, lightbulbs and other devices that individually or cumulatively could cause significant security or safety issues. It may be that these devices could be configured to receive remote updates; however, there will still be numerous use-cases where the update itself (if not managed by the consumer) could result in a security or safety issue, particularly if the device must shut down. So some consumer prompt will be required.

So, while a manufacturer may have a legitimate defence of contributory negligence if consumers do not take reasonable care in the operation of their IoT devices and the security of their network, the actual standard of care of consumers should not give public policy wonks any comfort. We will need another solution than the hard edge of tort law.

You can find the NHTSA report here.

De-Identification, Intermediary Liability & Gender Stereotypes – Friday Files

This week’s resources for weekend reading!

  • De-identification Guidelines. ICYMI the Ontario Information and Privacy Commissioner has developed a resource page for de-identification, which includes the IPC’s June 2016 De-identification Guidelines for Structured Data. The International Conference of Data Protection & Privacy Commissioners have shortlisted the Guidelines for the Global Privacy and Data Protection Awards 2017 in the Research Category. Read the De-identification Guidelines here.
  • Intermediary Liability and Online Marketing. Do social media platforms that display advertising have any potential liability for deceptive advertising? In the United States, section 230 of the Communications Decency Act provides that a website or other Internet publisher will not be deemed to be the publisher of content that is provided by another information content provider. This is a key part of Google’s claim that the Canadian Supreme Court went too far in its worldwide injunction (discussed in my blog post here). In Canada, the conventional wisdom has been that platforms are unlikely to be liable if it is clear from placement and context that the advertisement is a third-party advertisement and the platform has not had any involvement in the content of the advertisement or knowledge that it is deceptive. However, if there is actual knowledge (e.g. by being put on notice), the situation could change. If you are interested in these questions, Lavery, de Billy has an interesting discussion of this topic that you can locate here.
  • Gender Stereotypes. The UK Advertising Standards Authority has issued a report, Depictions, Perceptions and Harm, calling for stronger regulation of advertising containing stereotypical gender roles or characteristics. The report is based on qualitative research on the harms created by gender stereotyping. You can find the report here. Advertising Standards Canada has had guidelines on Gender Portrayal in one form or another since 1981. The current Guidelines contain six basic principles: (1) women and men should have equal representation in roles of authority; (2) women and men should be portrayed as decision-makers for purchases; (3) there should not be inappropriate use or exploitation of sexuality; (4) no sexual violence or domination; (5) women and men should be portrayed “in the full spectrum of diversity” and equally competent in activities; and (6) advertising should avoid language that misrepresents, offends or excludes men or women.

Prosecuting Deceptive Privacy Practices, FTC Weighs in on Security, Cybersecurity and Event Planning

Here are this week’s suggestions for summertime weekend reading resources!

  • Using Consumer Protection Statutes to Protect Privacy: Most Canadian provincial consumer protection statutes prohibit false, misleading or deceptive representations (see e.g. ss. 14-17 of the Ontario Consumer Protection Act). If the product or services involve the collection and use of personal information, these provisions could theoretically apply to representations about the company’s personal information handling practices. A deceptive practice could be prosecuted as a provincial offence. Fines for companies could be up to $250,000. Individual remedies are limited to rescission or damages (including exemplary damages). In the United States, several states have now expressly included misstatements regarding privacy practices in their consumer protection laws, signalling that State Attorneys General are serious about prosecuting deceptive privacy practices as a consumer protection issue. Baker Hostetler has an interesting comparison of three state laws that you can access here.
  • FTC Provides Guidance on Security: The FTC has been criticized for failing to provide fair warning of what it expects companies to do to protect and secure consumer data. Clearly, the FTC has listened to businesses and is publishing a series of blog posts to describe lessons learned in its investigations and enforcement actions. Read the July 21 post “Stick with Security” here. Upcoming posts can be found here.
  • Cybersecurity, Conferences, Event Planning: Cybersecurity should be on the list of considerations for corporate event planning. I’ve written a short article for my upcoming presentation at IncentiveWorks 2017 conference in August. You can read it here.

Where did I agree to that? The problem of incorporation by reference

There are many reasons for incorporating provisions by reference in consumer contracts. For example, terms of service may make reference to rules for the acceptable use of the services. A purchase agreement may reference a separate document explaining refunds or shipping terms.

Incorporation by reference is not a good strategy when dealing with clauses excluding liability — unless they are backed up by specifically bringing these clauses to the attention of the consumer.

A recent case illustrates the point. It involved some lost golf clubs. The golfer signed a membership application that stated: “I, the above member(s), agree to abide by the policy, rules and regulations” of the club. He was given a handbook. The membership handbook contained a provision that said the club was not responsible for golf clubs stored at the premises. Members needed to have their own insurance.

Was the handbook the policy, rules and regulations referred to in the agreement? Probably, but the court said the club hadn’t been clear. The court said that the club didn’t bring this to the member’s attention. The club couldn’t rely on it to exclude liability.

The outcome might have been different if the club had included the provision in the agreement, said that the handbook contained these kinds of terms, or had posted signage.

Interested in the case? You can find it here.