This article is written by Vandana Shrivastava, a student of B.A.L.L.B.(Hons.) at the Institute of Law, Nirma University, Ahmedabad. The article discusses the meaning and emergence of IoT in India, provides insight into the status of IoT laws in the US and India with an elaborative account of necessary legal assistance in IoT governance.
Table of Contents
A few decades ago, java phones were trending, and people looked at it in awe. Since then, technology has undergone rapid advancement. Touchscreen mobile phones, powerful cameras, social media, unmanned cars and smart devices at homes, the world has it all. Given the pace and extent of these developments, it is essential to place them in the legal system to avoid ambiguities and complications in the event of any conflict.
Internet-based devices generally depend on artificial intelligence for their outputs. This article gives a brief introduction of the Internet of things (IoT) and its application to explain how and where it functions. The position of IoT in India and abroad is also a topic of discussion since it is directly associated with the title. Further, the increasing concerns about the IoT are discussed with existing and potential laws to govern it.
Internet of Things (IoT)
The Internet of Things (IoT) is the interface among various computing devices, driven by the capabilities of the internet. It is named so because it broadly concerns everyday objects like mechanical or digital machines, animals, or people embedded with unique identifiers (UIDs), that enables transfer and reception of data without manual inputs. Besides facilitating communication, the UID includes identification of things as well. The ‘thing’ in IoT could be any natural or human-made object that could be allotted with an Internet Protocol (IP) address and is capable of transferring data over a network.
The human-machine interface is undergoing a rapid, radical shift with the growing advancement in Artificial Intelligence (AI) and machine learning. AI and IoT are different from each other. To put it simply, AI is the brains and IoT is the act performed by it. Therefore, IoT primarily depends on the AI to function and evolve. The developments allow devices to anticipate and enhance the physical world through their abilities.
Even for a rapid evolution, equilibrium is necessary, or the achievements made so far would be rendered useless. The status of IoT is balanced and has reached the threshold for the prospective technological revolution. Analysts believe that in a few decades, the IoT will become an essential part of human lives, observing the headway it is making.
Real-world application of IoT
Smart home features use internet-controlled devices which monitor and manage the electronic appliances at home. The feature became a tremendous success and is rapidly evolving. Robot cleaners, smart bulbs/lights, temperature control, entertainment and unmanned cars are few of the technologically advanced features which form a part of the IoT. Amazon and Xiaomi are affordable providers of IoT for a home in India. Amazon Alexa is a prime example of a smart home facility. If one has an Alexa supporting smart bulb at home, they could command Alexa to turn on the lamp by saying, “Alexa, turn on the bulb”, and it will happen without touching the switch.
Companies such as Tesla and BMW are leading manufacturers of IoT based cars with staggering features like self-driven cars that optimise operations on their own. Currently, anti-accident features in vehicles are under progress.
Industrial IoT (IIoT)
IIoT refers to computers, machines, and human enabled smart industrial operations using big data analytics for transformational business outcomes. Companies like Alibaba, Huawei, Konux and Tesla are leading IIoT companies in the world. These machines are considerably resourceful than humans in communicating through data which assists companies in pinpointing inefficiencies and rectifying the same.
IoT provides cities with progressive technology which enables mass surveillance, automated transportation, protection of the environment and optimum utilisation of resources. In the foreseeable future, IoT will assist cities in tackling the perpetual problem of pollution, traffic stampedes and scarcity of energy supplies/electricity. In India, the city of Indore has a robot to control traffic, becoming the first city in the country to do so.
In the agricultural sector, IoT senses the percentage of soil moisture, quantity of nutrients and suitability of the soil. It controls the water supply of crops and plants, ensuring sufficient supply and minimum wastage. Consequently, IoT provides suitable and sustainable conditions to conduct agricultural activities.
The healthcare sector uses IoT enabled clinical trial solutions for evaluation of specific outcomes. The wearables assist in efficient and smooth monitoring of pulse, heart, steps walked and other health-related data. IoT devices assist in monitoring patients with chronic illness so that they could be reached out to before it’s late.
Emergence and application
IoT entered India much later than it did in the developed economies. Still, India is rapidly emerging as an IoT hub, and reports suggest that the install rate of connected devices in India is expected to grow faster than other countries. Deloitte released a report stating that IoT units in India would increase x32 to reach 1.9 billion units in 2020. This will not only serve the users but will also contribute to the growth of Indian IoT market. Customers are becoming increasingly tech-savvy. With the availability of multi-feature phones with the internet for affordable rates, consumer IoT applications have become more popular than ever.
Nevertheless, consumer IoT usage is predicted to grow at a slower pace than the industrial IoT due to security and privacy concerns, which calls out to prioritise IoT in the industry over the one for personal use consumers. The Indian IoT ecosystems are highly dependent on stakeholders which include hardware and software vendors, network operators and system integrators. More than 60% of these stakeholders are startups.
Major concerns, existing laws and prospective legal needs
In 2015, the Indian Government released a draft titled ‘Internet of Things Policy’ to encourage the creation and development of IoT based products primarily to cater to Indian needs of IoT. The major areas covered under the draft policy were agriculture, healthcare, water quality and natural disasters. It could be termed as a dream-IoT world for the MeitY. The aspirational draft of the policy was released in 2015. Five years from the release, the draft has not evolved to a legitimate policy, nor have the organs focused on the demanding necessary legal framework for the IoT despite witnessing mass usage of the same. With the pandemic-struck world that is mostly dependent on the internet, AI, IoT and Machine to machine (M2M), there are no specific laws for the latter three. Whilst being locked in the house, there is a considerable increase in the usage of various IoTs, which indicates a more significant amount of data sharing by the users.
Gradually, the world is becoming tech-dependent for everything. There are more than 20 billion IoT devices on the planet. The spendings on IoT technology products were estimated to hit $1.2 trillion in 2022, however, the recent COVID-19 pandemic might render the figures inaccurate. In India, Deloitte, along with the Internet and Mobile Association of India, released a report which suggested that IoT opportunities in India will be worth $12 billion in India by 2020. Here, the momentum of the IoT is worrisome because pacing up with the advancement of the IoT is arduous.
Besides the contribution of the IoT, there’s a dark side to it. It comes with several security vulnerabilities- malware threats, often termed as botnets. Botnets are web-connected devices that run computer programmes called bots. Third parties could make use of botnets to fulfil their malicious goals such as data theft, spamming, privacy breach and spying. With a multitude of IoT devices communicating with each other via the internet, a malware threat is very probable, and a continuous rise in the number of IoT devices adds to the already vulnerable nature of the IoT.
Current law for privacy
In India, the Information Technology Act, 2000 (ITA) and the Reasonable Practices and Procedures and Sensitive Personal Data or Information Rules, 2011 have laid down the provisions for data protection of individuals. Section 43A of the IT Act lays down a compensatory liability for a body possessing personal data of an individual in its computer resource, and due to its negligence, personal data of the individual is released to another party wrongfully. The conduct would be regarded as negligent when the body in question fails to implement and maintain reasonable security practices and procedures.
Section 72 of the IT Act states that if a person who possesses the electronic records and documents of a person discloses the same to someone else ‘without’ the consent of the individual concerned, the disclosure would be imprisoned and will be liable for fines if found guilty. Further, Article 21 of the Indian Constitution confers the citizens of India with the right to privacy. Any interference with a person without their consent would amount to a violation of their fundamental right. After observing the present and forthcoming threat to security and privacy of the IoT users, there is an urgent need for specific legislation to safeguard the interests of users whilst encouraging the use of IoT.
The need to address privacy issues
The provisions of the IT Act cover a broad area. It is associated with the ‘data’ on the internet, not on IoT. This is problematic due to the absence of clarity on the limitations and powers of IoT to protect both the consumers and the IoT companies that provide services. As important as the safeguarding of the IoT users is, the grievances of IoT providers are existent as well and have been largely ignored in India. The Ministry of Electronics and Information Technology (MeitY) in India encourages the use of IoT. So much so, that it discussed the prospective use of IoT in the legal framework of India, but failed to suggest even the most basic guidelines or rules to govern unfavourable situations and issues.
TRENDNet is a US-based company which sells internet-enabled cameras. They could be used to monitor home security or to keep a check on sleeping babies. TRENDNet’s defective software permitted unfettered online viewing of the camera monitorings, and in some cases, audio could also be listened to with the camera’s IP address. Hackers shared live feeds of approximately 700 cameras of consumers showing asleep babies in cribs and people going about their daily lives from the camera view. The US Federal Trade Commission stated that TRENDNet had failed to exercise reasonable and appropriate security while designing and testing the software. Furthermore, it was unable to monitor third-party security threat reports.
The augmentation of the IoT will require stakeholders to fund the novel IoT devices and to modify the existing ones. To execute the same, the service provider or IoT company might need to outsource their data to a third party for accumulating, processing or safeguarding the same to third parties called ‘specialist data brokers’. This escalates the chance of data theft by the third party in pursuance of their malicious goals. There are no laws on IoT liability because it is a new topic.
Prospective laws for liability
The IT Act of India provides guidelines for the protection of sensitive personal data and information of an individual. Again, the said provision could be applied here, but it would be subjected to the interpretation of the Court. It is pertinent to ensure that the IoT providing company takes all necessary steps before sharing the data with third parties. Situations when the IoT providing company fails to exercise reasonable care or when the third-party steals or makes illicit use of the data, determination of the liable party would be very uncertain. Formulation of laws to curb this issue is necessary.
Further, at the IoT providing company’s end, risk allocating rules need to be present. Such regulations would set the limitation of liability for the IoT company if there is a breach of data privacy. In the lines of the Federal Trade Commission guidelines (discussed below), only the necessary information should be procured from the user, and the IoT providing company shall have a liability under the nature of the breach and the information disclosed by it. End-User Licensing Agreements (EULA) could be drafted by the IoT providing company to incorporate relevant clauses to the agreements. EULA would prove out to be useful in the event of any disagreement or allegation by the user.
The steps, as mentioned earlier, are largely based on the IT act and contract law. IoT is not similar to a website on the web. It runs through AI, which has been granted the status of legal personality in some countries. It has abilities of its own. It calls out to understand its behavioural aspect and then formulate laws that deem fit.
Ownership of data
When a multitude of stakeholders and IoTs are involved, the data of the user will come into possession of more than one party. Here, it becomes necessary to ask whether someone would be the owner of the user’s data and if so, who would be the owner? This could be explained through a real-life example.
Google Nest thermostat is a temperature controlling device that records a person’s schedule and programs itself according. It can be controlled via phone. It claims that it is capable of curtailing the heating and cooling bills up to 20 per cent. Google Nest thermostat is working in a tie-up with Mercedes to create cars that interface with Google’s thermostat to determine the person’s location and estimate their time of arrival at home. By the time the person reaches home, the room temperature will be adjusted according to their preferred temperature. The accomplishment of this function would require a multitude of sensors for a generation of data like the preferred route of the user, the halts they make on the way, fueling habits, arrival timings, etc.
Google Nest thermostat is the dream IoT for the majority of the users. However, a problem arises while deciding who would own the user’s data- Google Nest or Mercedes? It would either belong to the owner of the car after the thermostat’s function is executed. Still, the data manufacturers could possess data rights if it was excluded from the sale agreement. Besides this, Google Nest and Mercedes could decide before entering into a contract. But in the absence of an agreement, determining the owner of the data would become a quirky and arduous task.
Prevalent ownership laws
The traditional copyright law explains joint ownership as a creation of two or more authors who intend to merge their contributions. Here, the focus is not on the amount of the aspect of contribution but the element of the same. Despite the unavailability of jurisprudential opinions on the topic, an argument could be made that the mere fact that two bodies allow the interface between their devices and create data reflects their intention to enter into joint ownership. Whether or not the copyright law would apply on IoT is a question left for the Court to interpret.
Need for laws on ownership of data
When a particular service requires combined participation of different IoTs from different service providers, determination of the owner of the data often becomes a point of conflict. In the forthcoming time, the number of such situations is bound to increase, and the country needs to be ready to govern such conditions with predetermined provisions. The areas of focus shall be the rights of the person whose data is stored, the participating IoT service providers and their agreements. There shall be an elaborate approach to assist in the absence of contracts or for breach of the accords. The requisites for joint ownership shall also be determined so that the involved parties could all benefit from the data.
A similar problem could be witnessed with Machine-to-Machine (M2M) data generation and content creation, which includes the data generated by the machine(s). M2M is the automated exchange of data between/among devices, without human interventions. A wire could connect these machines, but they are capable of communicating with wireless modes as well. Worldwide, the governments are recognising the potential utilisation of M2M communication to solve a multitude of issues, especially in metropolitan areas. It differentiates from the IoT as the former concentrates on the interface of the machines and the latter includes M2M and connects ‘things’ with ‘systems’, ‘people’ and similar entities. The problem of ownership of the data rights persists with M2M as well. There is a growing need for the enunciation of title and claims to data rights in agreements between/among M2M service providers. Stringent policies are required to safeguard privacy and to prevent the stealing of consumer data present in the M2M environment.
Product liability and consumer protection
Product liability refers to the liability of a manufacturer, distributor, supplier or a retailer of a product when a product delivered by him causes bodily injury to the user or his property. In IoT, liability would arise if the device causes- body injury, property damage or financial harm to the user of IoT. The user of the IoT could suffer tremendous losses if the device malfunctions, or if the data or software of the IoT is compromised or lost. For instance, if IoT is used in healthcare, and someone misses their critical medication due to a faulty device, their life would be at stake. Similarly, a malfunctioned fire-alarm would not alert the people at risk on time and could cost their lives.
Laws for product liability
In common law, product liability is based on the principles of negligence and absolute or strict liability, as defined under the tort law. In the absence of IoT rules, the Court would use the principles above to determine the responsibility of the IoT service provider. With time, the rule of negligence, in this sphere, was outpowered by the laws of strict liability. This rule is widely applicable due to its reasonably inspecting nature. It creates a burden only when the manufacturer refrains from addressing the potential hazards associated with the product which could not have been foreseen by the consumer.
Besides strict liability and other torts, Consumer Protection Act, 1986 and Legal Metrology Act, 2009 act in protection of the consumers to combat many product-related problems like defective products and deficient services, anti-competitive practices and deceptive marketing, among other things.
Prospective product liability laws
The provisions for product liability are sufficient to be included in IoT cases. But IoT is a new subject which is largely dependent on judicial interpretation in lieu of specific provisions. Questions like what would amount to the commission of the offence of negligence in IoT, or when would someone be liable for strict liability in the IoT are yet to be explained. It is known that a potential known hazard would generate the responsibility. However, what would be such a hazard in the IoT remains hazy. Therefore, there is a need to govern sceptical in the field. Prevalent laws could become the base for the development of specific provisions of product liability.
In addition to above-mentioned provisions, allocation of risk and general responsibilities of the parties must be established, for instance, the party that would be held liable for causing damage to the IoT user or which party will possess the user’s data in a specific project. Indemnity, warranty, data protection and privacy rights concerning IoT shall be defined in detail. These will help in drawing a line between the person who controls the data and the person who processes the data in a complex system.
IoT law in the United States
Winston and Strawn stated that the Federal Trade Commission (FTC) of the US, in its report titled “The Internet of Things: Privacy and Security in a Connected World”, laid down guidelines to keep a check on IoT in 2015. Summarily, the instructions are as under:
- Devices should be made secure at the outset, in the stage of data collection and processing instead of doing the same in the aftermath of the designing process.
- The employees should be enlightened with the significance of data security and should be trained to ensure the maintenance of security to a satisfactory level.
- The data users should have the option of selecting the data they want to share with the IoT. They should be made aware of the use and consequences of sharing their data as well. Furthermore, the IoT company in question should ‘only’ collect such data from the user(s) that is essential to conduct its operations.
- When third-party service providers are hired, it should be ensured that they are capable of maintaining reasonable security.
- A ‘defence-in-depth’ strategy with multi-layered security should be adopted by the IoT companies to combat security risks.
- Connected devices should be monitored throughout their expected life-span, and security patches should remain present to avoid recognised risks.
Besides the guidelines, the report also identified three core IoT security risks. As specified in the report, these risks are:
- Allowing unauthorised access and misuse of users’ information;
- Facilitation of attacks on other systems; and
- Risks to personal safety.
The guidelines only have an advisory value on the companies. The non-binding nature of the FTC guidelines acts as a placebo to cover up for the failure to establish stringent laws to govern the IoT. Criticism aside, the recognition for IoT rules is considerable. These guidelines could act as the source for the formulation of IoT laws in the US and other countries.
The ‘thing’ in IoT applies to multiple entities. As time passes, new bodies become a part of the IoT to make the lives of humans more relaxed and more comfortable. It is the responsibility of nations across the world to bestow the IoT with its much-deserved place in the legal frameworks of the countries. IoT is transforming technology. A part of the IoT could be dealt with by the application of existing laws. However, given its ever-evolving nature, the need for a specific statute is genuine.
AI is the brains of the IoT. A few years ago, two of facebook’s AI developed their language to communicate with each other. The company had to shut the concerned chatbots down. This emphasised on the intelligible capabilities of the AI. In the present world, where IoT is embedded in tube lights, phones, cars, comfort devices and whatnot, keeping control on the IoT is necessary. In the event of any default, determination of the liable party becomes arduous in the absence of specific, stringent laws for the same. This article highlighted the significant issues associated with IoT. However, there are unexplored areas of the IoT that remain unrecognised, but threatening to society. Thus, laws on the same are essential for safeguarding people.
- What is IoT (Internet of Things) and How Does it Work?.
- Identifiers in the Internet of Things (IoT).
- 10 Real World Internet of Things (IoT) Applications – Explained in Videos.
- Smart Home Features.
- FTC Issues Security Guidelines for Internet of Things Technology.
- Legal Issues About Internet Of Things (IoT) – Privacy – India.
- Internet of things and effect on data privacy | Indian legal perspective.
- Ice Miller LLP Internet of Things.
- Internet of Things.
LawSikho has created a telegram group for exchanging legal knowledge, referrals and various opportunities. You can click on this link and join: