Tuesday, August 14, 2018

The Internet of Torts

Rebecca Crootof at Balkinization has two interesting posts:
  • Introducing the Internet of Torts, in which she describes "how IoT devices empower companies at the expense of consumers and how extant law shields industry from liability."
  • Accountability for the Internet of Torts, in which she discusses "how new products liability law and fiduciary duties could be used to rectify this new power imbalance and ensure that IoT companies are held accountable for the harms they foreseeably cause.
Below the fold,some commentary on both.

Introducing starts with this example:
Once upon a time, missing a payment on your leased car would be the first of a multi-step negotiation between you and a car dealership, bounded by contract law and consumer protection rules, mediated and ultimately enforced by the government. ... Today, however, car companies are using starter interrupt devices to remotely “boot” cars just days after a payment is missed. This digital repossession creates an obvious risk of injury when an otherwise operational car doesn’t start: as noted in a New York Times article, there have been reports of parents unable to take children to the emergency room, individuals marooned in dangerous neighborhoods, and cars that were disabled while idling in intersections.
And asks this question:
This is but one of many examples of how the proliferating Internet of Things (IoT) enables companies to engage in practices that foreseeably cause consumer property damage and physical injury. But how is tort law relevant, given that these actions are authorized by terms of service and other contracts?
IANAL, but presumably "consumer property damage and physical injury" should also include economic loss such as can foreseeably be caused, for example, by routers with hard-wired administrative passwords that allow miscreants to compromise consumers' bank accounts:
Classically, an injured individual could bring a tort suit to seek compensation for harm. But in addition to social and practical deterrents, a would-be plaintiff suffering from an IoT-enabled injury faces three significant legal hurdles.
The three hurdles are:
  • The End User License Agreement (EULA) for the device is a contract that may specifically permit actions such as remotely disabling a car. But it likely does not specifically permit vulnerabilities such as hardwired administrative passwords; it probably just contains a general disclaimer of liability.
  • Especially since they had no opportunity to negotiate the terms of the contract, the consumer could argue that it is unconscionable, and thus a tort suit could proceed. But Crootof writes: "Absent a better understanding of how IoT-enabled harms scale, however, judges are unlikely to declare clauses limiting liability unconscionable when evaluating individual cases."
  • Even were the contract declared unconscionable, Crootof writes: "a plaintiff will still need to prove breach of a duty and causation. But there is little clarity about what duties an IoT company owes users". The state of the art is that IoT, and software companies in general, owe their users no duties of any kind. And it is arguable, for example, that the economic loss was caused by the miscreant accessing the bank account, not the company that implemented the means for the access and neither informed the user that it existed nor provided any means to disable it.
Thus, in the current state of the law, consumers are effectively denied any remedy for harms caused by IoT companies' negligence, and IoT companies have incentives to harm consumers through negligence.

Crootof is not completely pessimistic. Tort law is not immutable. Accountability starts by describing the history of tort law's evolution in the face of technological change:
Over and over, in response to technologically-fostered shifts in the political economy, tort law has evolved in response to situations where the logic of individual agreement or apparent non-relation should give way to a social logic of duty and recompense. Two of the more momentous examples are the creation of the modern conception of “negligence” and the development of products liability law. In each of these situations, tort law responded to new, technologically-enabled harms by creating more expansive duties of care and affirming the validity of more attenuated causation analyses.
How does products liability law measure up to the IoT?
When harm is caused as the result of an IoT device’s design defect, manufacturing defect, or inadequate warning, it can be addressed through existing products liability law.
Not so fast. First, there is the disclaimer of liability in the EULA to be overcome. Second, in order to establish the presence of a defect it would be necessary to examine both the software in  the device, prohibited under the DMCA, and the software in the server, prohibited under the CFAA. Third, unless the IoT device is part of a major purchase such as a car or an appliance, the manufacturer is probably a tiny company in Shenzen operating on razor-thin margins assembling the device from components sourced from other tiny companies. Not a viable target for a lawsuit. In practice, manufacturers and vendors have immunity for defects.

Does products liability help with harms due to vulnerabilities?
When such harm is caused by a hacker, we can debate whether the harm should lie where it falls or be considered a kind of design defect or breach of implied warranty.
If the debate assigns harm to the hacker, given the difficulty of attribution in cyberspace, consumers are extremely unlikely to be able to identify the miscreant, who is in any case probably in a different jurisdiction. If the debate assigns harm to the manufacturer, the obstacles above apply. The EULA almost certainly disclaims any implied warranties.

Thus in practice smaller IoT manufacturers are immune from products liability law, and large companies are shielded by the EULA. The case of "digital repossession" is different, because it is intentional, not a defect:
But what about when a company intentionally discontinues service for an IoT device, either in response to a contractual breach or as outright punishment?
Crootof suggests how products liability could be enhanced for "self-help enforcement":
For products liability law to be applicable, we may need to develop a new claim grounded in defective service — a “service defect” claim. A company could be required to provide written notice of the possibility of self-help enforcement in its initial contract, and it could install all manner of warnings to notify the device’s user of missed payments or other contractual violations that trigger the possibility of digital repossession. Alternatively, companies could be required to engage the state to ensure a certain amount of due process before digitally repossessing a device, especially should a company delegate its self-help enforcement decisions to algorithms.
Both of these alternatives would be an improvement. But consumers don't read the EULA, and companies won't like the costs and delays if the "engage the state". I remain skeptical except possibly for cars, which are already a heavily regulated market.

Crootof's alternative approach seems more promising to me:
In situations where IoT companies provide services that consumers rely upon—such as cars, alert systems, or medical devices—it might make more sense to focus on the trust element associated with that service relationship. Doctors, therapists, accountants, and lawyers are all fiduciaries, entities who have a “position of superiority or influence, acquired by virtue of [a] special trust.” Similarly, IoT companies could be recognized as having a distinct fiduciary relationship with IoT device users. ... Like other fiduciaries, IoT companies would have a duty of care; specifically, a duty not to foreseeably cause harm to their consumers when discontinuing service, remotely altering a device, or  engaging in digital repossession. IoT companies would also have a duty of loyalty, which would require them to act in the interests of the IoT device user.
It seems more promising primarily because the most important aspect of it could be the result of case law rather than heavily lobbied-against legislation:
IoT companies could have a duty not to overreach in their contracts. This duty could be extrapolated from Williams v. Walker Thomas Furniture, which implied that companies owe a tort-like duty of good faith to their customers, especially when customers have limited choice in negotiating contractual terms. In the IoT context, this would prohibit the industry from including overly invasive contractual terms, holding IoT devices hostage by conditioning their continued utility on acceptance of new contract terms, or using notice purely as a liability shield.
As also could be the question of attributing the harm:
it will also be necessary to reconceptualize the causation evaluation. Intervening causes of harm are not necessarily unforeseeable. Additionally, different IoT devices can cause different degrees of harm. An inoperative Fitbit will not cause much harm; an inoperative Nest might; an inoperative pacemaker, alert system, or vehicle almost certainly will. Because disabling devices will usually increase the likelihood of harm, rather than directly causing harm, a balancing test that weighs both the foreseeability of harm and its likely gravity would be useful in the IoT context.

No comments: