IE 11 Not Supported

For optimal browsing, we recommend Chrome, Firefox or Safari browsers.

Legal Patchwork Rules Internet of Things and its Users

Because of legal loopholes, consumers often lack any right to control how long their data is kept, who it is shared with and what is collected about them.

(Tribune News Service) -- With smart gadgets already flooding the market and thousands more expected in coming years, the Internet of Things is emerging amid a regulatory wilderness.

The breakneck pace of this technology has far outpaced the legal system's ability to keep up with it, many experts contend. Because of legal loopholes, consumers often lack any right to control how long their data is kept, who it is shared with and what is collected about them, including such personal information as their finances, mental health, political leanings and sexual orientation.

And while ideas differ on what should be done about that, there is widespread agreement that it will be crucial to make sure the intimate details these devices gather on everyone won't be strewed willy-nilly across the Web.

"I grew up reading Huxley and Orwell, and I believe we all need to be sensitive to the possibility this could go very wrong," said Bryan Goff, a lawyer who has studied the legal issues surrounding the Internet of Things. While believing its innovations will provide innumerable benefits, he added, "this is a situation where change is going to happen -- there is no stopping it. Now it's a question of doing what we can to steer that change to the best outcome possible."

Some people are wary of government mandating new rules for smart devices. That includes Roger Atkinson, president of the nonprofit Information Technology and Innovation Foundation, which is partly financed by businesses, including Google and Cisco Systems.

Because he believes gadget makers "have a lot of incentive to have a trusted relationship with the consumer," he favors letting the industry regulate itself, adding that "it's way, way too early" to be passing new laws for the Internet of Things. "Let's let it roll out a tad and keep track if anyone is abusing it."

Indeed, many people already using such devices are perfectly happy with them, such as 81-year-old Bill Dworsky and his wife, Dorothy, 79. Their San Francisco home is outfitted with sensors made by Lively, which notify their son when they open their pill boxes or refrigerator door, for example, to indicate whether they are taking their medications and eating regularly.

"I think it's great we have this," said Dorothy Dworsky, noting that she and her husband are getting forgetful.

Her son, Phil Dworsky, director of strategic alliances at Mountain View software firm Synopsys, added that he feels confident Lively won't misuse the information it gathers on his parents. That's because Lively voluntarily offers a privacy policy that promises to get users' consent before sharing their data with anyone and only after the information has been stripped of personally identifiable details, which he said is "important and reasonable to me."

But consumer advocates contend companies can't always be trusted to act in the public's interest.

Besides favoring limits on how much data the gadgets sweep up and retain, they want users of the devices to control what's collected about them, who else can see it and when it should be deleted. These critics are particularly skeptical of corporate privacy policies, which instead of restricting the use of consumer data are often "written by lawyers to be as permissive as possible," said Ryan Calo, a University of Washington assistant law professor and expert on emerging technologies.

Consider South Korea-based LG Electronics. After it was lambasted for collecting information on the programs its television users watched -- even if the users chose an option to prevent such data collection -- LG last year altered its privacy policy to give customers what it termed "unprecedented control" over their personal details. But that has triggered more complaints that the policy now denies its customers access to some of its smart TV services unless they permit their viewing, voice commands and other information to be shared with advertisers.

LG officials declined to comment on those criticisms. Its privacy policy is vague about which TV services might be denied users who balk at sharing their data, though the company says at least one of those services is the ability to operate the TV via voice commands.

Numerous statutes -- from the Fair Credit Reporting Act to the Children's Online Privacy Protection Act -- govern some consumer data protections. But the information-gathering that will characterize the Internet of Things is largely unregulated, legal experts contend.

While the Fair Credit Reporting Act limits the use of personal information collected to determine eligibility for credit or employment, for example, it doesn't apply to similar information compiled for marketing purposes, according to a study by the U.S. Government Accountability Office. And although the Health Insurance Portability and Accountability Act generally protects individual health records, it doesn't cover many Web-based businesses that amass such data.

"Under most circumstances, information that many people may consider very personal or sensitive legally can be collected, shared and used for marketing purposes," the GAO concluded. "This can include information about an individual's physical and mental health, income and assets, mobile telephone numbers, shopping habits, personal interests, political affiliations and sexual habits and orientation" -- all of which is expected to be collected by the Internet of Things.

The primary regulatory body monitoring smart gadgets is the Federal Trade Commission. Jessica Rich, who heads the FTC's consumer protection bureau, said policing new data-gathering technologies "is my No. 1 priority."

Nonetheless, the FTC concluded in a January report that passing new laws to specifically govern the Internet of Things "would be premature," since the technology is still evolving. And the agency's clout is limited.

In recent years, it has cited and won agreements with about 50 companies to improve their data-handling problems. That included one Internet of Things case involving Torrance-based Trendnet last year, whose Internet-linked video cameras had faulty software that enabled hackers to secretly view the camera's live feeds, including infants sleeping in their cribs, according to the FTC.

But none of those companies were fined by the agency, which has limited authority to issue civil penalties and whose workforce has shrunk from 1,746 full-time positions in 1979 to 1,176 today.

Because of its relative lack of punch, smart-device makers "don't even think about" the FTC, said Justin Brookman of the Center for Democracy and Technology. Moreover, although the agency has asked federal lawmakers to bolster its power to police data-related violations, that prospect remains uncertain in Congress.

As a result, some experts say, regulating the Internet of Things could fall to such states as California.

In 2002, California became the first state to require companies and others hit by data breaches to notify residents if their personal information might have been disclosed. Last year it enacted a law restricting rented electronic devices from gathering personal consumer data after an FTC investigation discovered some rental computers were secretly spying on the computers' users. Besides surreptitiously harvesting the users' credit card information, Social Security numbers, medical records and private emails to doctors, the computers' webcams took pictures inside the users' homes, including images of them "engaged in intimate contact."

Another California law that took effect in 2014 restricts disclosure of information about customer electrical or natural gas usage from smart utilities. Moreover, California is one of a handful of states that require car owners to be told if their vehicle contains an "event data recorder," which maintains a detailed dossier on their driving behavior.

But consumer advocates contend these and other California laws -- like those at the federal level -- only partially address privacy worries surrounding the Internet of Things.

The vehicle data-recorder law, for example, has been faulted for leaving unclear who has the right to control information the gadgets gather.

"As cars are rapidly morphing into computers with wheels, they are also producing data on the shape and condition of the car, how fast the car travels, use of the phone or radio, and even where and how often a car visits a specific location," according to a legislative analysis of the law. "As of today, the only entity that has access to that information is the auto manufacturer, and whatever third party to whom they choose to direct the information."

Yet a bill that would have given consumers more say over those facts died in committee last year after auto manufacturers argued it could hinder vehicle innovation and be difficult to implement.

Critics also have cited numerous weaknesses in California's pioneering "shine the light" law enacted in 2003, which requires companies with 20 or more employees to inform consumers how their personal data is sold for direct marketing purposes or else let them opt out of having it shared.

Studies by UC Berkeley, the American Civil Liberties Union and others have found that companies covered by the law often don't properly notify consumers of their rights and ignore inquiries about their data gathering. Moreover, its provisions are confusingly vague. While requiring companies to disclose when they share personal information with "third parties," for example, it defines those parties so narrowly that many firms have been passing the data along to business partners and others without notifying consumers, the studies concluded.

As a result, privacy advocates say it will be critical to amend these laws or enact new ones to ensure that the Internet of Things won't cause more headaches than help.

Neil Richards, a law professor at Washington University in St. Louis, believes lawmakers eventually will do more to protect the personal data captured by the growing array of smart gadgets. But he cautioned that "the scope of that protection and how long it takes to get there is absolutely up for grabs."

©2015 the San Jose Mercury News (San Jose, Calif.) Distributed by Tribune Content Agency, LLC