Lance Bellers - Fotolia


Courting the Internet of Things: Legal issues to weigh

Attorney Mark Foley explores two Internet of Things legal issues -- data ownership and intellectual-property rights.

When smart meters first started measuring energy consumption in households 10 years ago, one way electric companies were able to read the new meters was to run a van fitted with a Wi-Fi transmitter up and down a street, collecting data from the houses they powered.

Three North American utilities did just that. But the contractor they hired to do the data gathering was selling the information to an analytics company -- and that triggered a dispute between the utilities and the contactor. Researchers at the University of Illinois set up a study to look at what was learned from analyzing the data.

"And their answer to that question was, 'We not only can tell you who got out of the waterbed first but how hot she likes her shower,'" said Mark Foley, an attorney with Milwaukee law firm von Briesen & Roper. "They basically knew everything about the ordinary daily lives of these people. They knew how often they opened their refrigerators. They knew who probably had a weight problem, because they were eating late at night. They knew when people were there and when they weren't."

Foley shared the story at the recent Fusion 2016 CEO-CIO Symposium in Madison, Wis., to convey knotty Internet of Things legal issues. As more businesses buy or make products that plug into the network of connected devices such as sensors, surveillance cameras and smart home systems and exchange information, questions about who owns the data, who has access to it and who can do what with it will outnumber answers. That means the risk of legal action, in effect, may loom over every data exchange.

Who owns the data?

One problem is, case law -- or the set of decisions of court-tried cases that can stand as precedent in current suits -- is "way behind" in developing answers to questions this new technology raises, Foley said. As in his example, a lot can be learned by reading things like people's thermostat settings -- they're home when it's 71 degrees; they're not when it's 58 -- but that type of data may not be covered by specific regulations.

What should we -- and I use that with a capital S -- should we be telling our customers about what we're collecting and how we may use it?
Mark Foleyattorney, von Briesen & Roper

Take the most basic question: Who owns the data smart devices produce and send forth over the Internet? Right now it depends on the contractual relationship between the parties.

So if someone is buying, say, a refrigerator that can monitor its contents and send out orders to replenish dwindling supplies of milk, eggs or Pop Tarts, "there ought to be fine print in that purchasing agreement which talks about the data and the right of the manufacturer of the product to use that data and their ability to disseminate it," Foley said.

Some data, like healthcare, finance and student aid information, is regulated, so there are rules limiting what organizations can do with it. For example, Fitbit's wearable activity trackers, which track things like heart rate and the number of steps walked, now align with standards established by the healthcare data privacy law HIPAA when used in corporate wellness programs. That means information like names, dates of birth and even device serial numbers have to be kept secure under the law.

But not every manufacturer of Internet-connected devices that trade data may be as sophisticated as Fitbit is, Foley said, and currently there aren't regulations that cover every device and every scenario.

Organizations putting products that exchange information onto the Internet of Things need to think carefully about what types of data they're capable of collecting -- and how much of it -- and what subsets of that data they need to collect for the products to work, Foley said.

"What should we -- and I use that with a capital S -- should we be telling our customers about what we're collecting and how we may use it?" he said. "And who else is in the data-bits stream that we may have to control contractually to make sure that only the people we are saying are going to have access to the data, only the people who are paying us to have access to the data, actually have access to the data?"

Mark Foley, attorney, von Briesen & Roper, Fusion 2016 CEO-CIO Symposium
Mark Foley, an attorney with Milwaukee law firm von Briesen & Roper, discussed legal issues swirling around the Internet of Things at the recent Fusion 2016 CEO-CIO Symposium in Madison, Wis.

Who owns the code?

Another tract of uncharted territory for organizations that want in on the Internet of Things is intellectual property rights, Foley said. Right now, some of the devices that connect to the Web don't interoperate, or work together. Some of them even interfere with one another. But as standards are established, and more devices are able to pass data around, determining what rights organizations have to use somebody else's stuff will become increasingly important. And it won't be easy, Foley said.

Copyright laws, for instance, grant the maker of a product exclusive rights to use and distribute it. But what if a device manufacturer wants to reverse engineer the code in another producer's device to learn about it so it can better exchange data with it? That's fine, Foley said. A court ruled against Sega in 1992 when the video game maker saw game cartridges for its Sega Genesis console made by another game publisher as a violation of copyright. But to reverse engineer code and then incorporate that code into a product -- that's a copyright violation.

A patent offers stronger protection -- covering the invention or process itself, not just the "expression" a copyright protects. But it's hard to tell what software is patented and what's not, because the U.S Patent and Trademark Office doesn't require applicants to file all of the software code. That means a lot of the code isn't readily available to anyone looking for it.

Then there's licensing law, which is especially important for organizations using open source code. Anything they build using it also needs to be open sourced. Often they'll run into problems with their own employees, Foley said.

"Do you own the code that they just developed for you?" he asked. "Well, if your employment agreements aren't set up right, no, you don't. If they are set up right, yes, you do."

'Taking the high road'

Tim Watson didn't travel far to attend Foley's talk. He's the IT director at Aprilaire, a manufacturer of air-quality products and thermostats in Wisconsin's capital, where the Fusion gathering was held. The company rolled out a Wi-Fi thermostat in February and is working through an abundance of issues, including properly setting up security -- encrypting the names and addresses of registered users -- and consulting its lawyers on Internet of Things legal issues.

Internet of Things technology is new, of course, and "a little scary" to a traditional manufacturer like Aprilaire, but Watson believes the company is looking after its customers' interests, collecting just the data it needs to fulfill its contractual obligations.

"We're taking the high road, and we think we're giving consumers a product that they're interested in, and that's really our motivation," he said.

Smart meters account for just 10% of Aprilaire's thermostat business, but that could change, and Watson said the company may want to develop new features to allow customers to "do different things." But Watson said that won't alter the cautious way which it gathers data.

"We purposely do not collect big data for the purpose of collecting big data," he said. "Personally, I'm kind of proud of that."

Attorney Mark Foley discusses more Internet of Things legal issues, including data privacy and product liability, in the second part of this two-part tip.

Next Steps

More legal considerations of the Internet of Things

Who owns Internet of Things data?

Connected Things 2016 pushes interoperability

Dig Deeper on Internet of Things (IoT) Strategy