In February this year, it came to light that Spiral Toys, a children’s toys manufacturer, had failed to secure the database for its internet-connected teddy bears, leaving 800 000 customer credentials and two million private recordings between parents and children open for any person to access online. Security researchers found that the bears could also be used as spying devices by anyone within 10 metres.
Such occurrences initially seem to be hypothetical spectres conjured by technophobes. But exploitation occurs even with the most mundane and unexpected devices. Only last year, New York’s Department of Consumer Affairs issued a warning regarding internet-connected baby monitors that were accessed by child predators. When exploitation is possible, the unfortunate reality is that it is inevitable.
But those who purchase connected devices for themselves, rather than just vulnerable groups such as children, should also be concerned and aware of developments occurring within this space. For those who value privacy, the prospect of intrusion, voyeurism and access by third parties is enough to generate apprehension and encourage taking active steps towards protecting the integrity of their information. Individuals may not want to receive direct marketing or have their personal habits and tastes known to corporations. Others may be more attentive owing to the prospect of identity theft, fraud and actual financial loss. Consumers must also be aware when purchasing smart devices that these are technologies with hybrid functions which may not be covered by consumer regulatory schemes.
The latter point moves towards the central focus of this article: what regulation exists to protect consumers’ security and privacy? This article will lay out the current regulatory framework for Internet of Things (‘IoT’) devices and discuss the deficiencies in the current laws and policies. As noted above, the issue need not be as insidious as preying on innocent children. There are still ramifications for individual privacy, the integrity of personal property, and data security. After outlining the gaps in the regulatory framework, this essay suggests areas for improvement and what the future holds for the regulation of IoT devices.
The IoT has no universal definition, but it can be understood in broad and simple terms as the network, or interconnection, between devices which have the capability to send and receive data. It is worthy of attention because of the challenge the IoT poses to traditional conceptions of connectivity and computing: mobile phones and laptops are understood to be the main creators and carriers of data, whereas commonplace household items, such as fridges and teddy bears, are not. However, the use of these devices will grow rapidly: Cisco estimates that by 2020, there will be 237 million networked devices in Australia. The transformative potential of these technologies has not been lost on stakeholders, including the commercial world and the Australian government.
Proliferation of IoT devices is accompanied by novel challenges. For the average person, the primary challenges relate to privacy concerns and their consumer rights. At present, there is no IoT-specific legislation or policy in Australia; consumer protections are cobbled together from various sources.
1 Australian Consumer Law
The Australian Consumer Law (‘ACL’), set out in Schedule 2 of the Competition and Consumer Act 2010, is enforced through the Australian Competition and Consumer Commission, consumer protection agencies at the State and Territory level, and the Australian Securities and Investments Commission. The ACL provides statutory guarantees in broad terms, as it applies to all goods valued at less than $40 000, and goods valued over this amount if they are of a kind ordinarily acquired for domestic, household or personal use. There are many protections which would extend to the sale of IoT devices, such as:
- the prohibition on misleading and deceptive conduct;
- the prohibition on unconscionable conduct;
- the prohibition on unfair terms;
- a requirement that goods are of acceptable quality;
- a requirement that the manufacturer will ensure spare parts and facilities for repair are available; and
- a requirement that goods are fit for their disclosed purpose.
The ACL is supplemented through the Privacy Act 1988 for consumer goods that collect personal information. Personal information is ‘any information that allows an individual to be personally identified’.
2 Privacy Act
The Privacy Act is administered and enforced by the Office of the Australian Information Commissioner (‘OAIC’). Within Schedule 1 of the Privacy Act are the 13 Australian Privacy Principles (‘APPs’), which concern the management, collection, security of, and access to, personal information. It is not within the scope of this article to detail each of the 13 principles, except to summarise a selection of key provisions which will be useful when considering their application to IoT devices. The APPs do not automatically apply to every organisation or business. Rather, they apply only to ‘APP entities’.
- APP 1: APP entities must manage personal information in an open and transparent way.
- APP 5: APP entities collecting personal information must take reasonable steps to notify the individual of the collection.
- APP 11: APP entities must take reasonable steps to protect personal information from unauthorised access, disclosure, and misuse.
- APP 12: APP entities must give an individual access to their personal information on request.
3 Personal Information
The APPs do not apply unless the information can be designated as ‘personal information’. The meaning of this phrase was the subject of the recent decision, Privacy Commissioner v Telstra Corporation Limited. Ben Grubb, a Fairfax journalist, requested access to all the metadata Telstra held about him. Telstra’s refusal resulted in a complaint filed with the OAIC, which proceeded to the Administrative Appeals Tribunal (‘AAT’). The AAT found that the information requested was not ‘about an individual’ and therefore not ‘personal information’. The Privacy Commissioner appealed the AAT’s decision to the Federal Court.
In a much criticised decision, the Federal Court dismissed the appeal and upheld the AAT’s decision. The Privacy Commissioner submitted that if there was information from which an individual’s identity could be reasonably ascertained, and that information was held by the organisation, then that information would always be ‘about an individual’. This was not accepted by the Court. According to the Court, personal information required an individual to be a subject-matter of the information, a determination which would need an ‘evaluative conclusion’.
The particulars of these criticisms will be explored in the next section as they illustrate the limitations of Australian privacy law.
The fact that these avenues of recourse exist is a triumph in several respects, given that some novel problems posed by technology have no clear legal solution at all. The question remains whether this recourse is sufficient for consumers and what improvements can be made to the legal position of a purchaser and user of an IoT device.
1 Consumer Law
Although the ACL is the primary instrument of consumer protection in Australia, it is not sufficient as a regulatory instrument where the issues relate to a hybrid of hardware, software and connected networks. Halliday and Lam state that the ACL only enforces privacy and security compliance indirectly. This can be expected to some extent, given that the consumer law applies to a broad range of goods, many of which have no connective functionality. In spite of this, a 2017 review of the ACL found that there was a pressing need to clarify how the law applies to emerging technologies. While the review did not discuss the IoT in any depth, there are provisions which present an obvious issue.
One such provision in the ACL is the statutory guarantee that a device will be ‘fit for its disclosed purpose’ and of ‘acceptable quality’. UNSW lecturer Kayleen Manwaring questions whether a device which is easily hacked can be considered of acceptable quality and fit for purpose if the device’s primary use remains uncompromised. How cyber security relates to the statutory guarantees in the ACL is unclear: even if the device is initially designed with security in mind, the question remains how long manufacturers must continue providing patches and updates against new vulnerabilities while the devices remain ripe for exploitation. This applies to both of the above requirements as well as to the guarantee that the manufacturer will ensure availability of spare parts and facilities for repair. Consumers cannot be expected to discard their devices once manufacturers cease providing updates, out of fear of security vulnerabilities. This will be less and less feasible as IoT devices proliferate and replace regular household items.
Further challenging are devices which operate on licensed software. Manwaring points out that such licence agreements may contain contractual provisions which prohibit repair or modification, and draws on the example of farmers in the United States who have resorted to illegally using Ukrainian firmware to perform repairs on their tractors. Aside from being anti-competitive, it is possible such agreements could be unfair contractual terms within the meaning of the ACL, as they cause a significant imbalance in the parties’ rights under the contract.
2 Privacy Act
To begin with, the Privacy Act cannot be relied upon in all cases. With some exceptions, the Privacy Act generally does not apply to businesses with a turnover of $3 million or less. These would not constitute APP entities for the purpose of applying the APPs. The result is that privacy considerations are not encouraged for start-ups which fall outside the existing exceptions. However, mandating privacy to be within the contemplation of businesses at the base level would be highly desirable; it would mean that privacy and security are incorporated by design, rather than as an afterthought in the face of penalties.
Halliday and Lam also note that the theoretical function of the APPs does not come to fruition in real practical situations. For instance, the APPs impose consent requirements that are impossible to achieve in some scenarios, such as where the data is collected without the knowledge of the data subject, as occurs with public Wi-Fi, an extremely common scenario.
Further, the notion of ‘personal information’ for applying the APPs is contentious. The aforementioned decision in Privacy Commissioner v Telstra attracted much criticism, providing a window into the archaic and awkward status of Australian data privacy law. The case has been frustrating for interested parties for multiple reasons: first and foremost because the definition of ‘personal information’ changed in 2014, while the Federal Court decision related to the state of the law as of 2013. Johnston suggests that the judgment may not directly apply to the present law, given that the new definition of personal information places more emphasis on the notion of ‘identifiability’; she queries whether any practical change flows from this revised phrasing. Moreover, Sibley and Powell note that the judgment offers no useful guidance on how to make the aforementioned ‘evaluative conclusion’.
As a result, it is unclear to Australian consumers and businesses where their privacy rights and obligations lie with regard to metadata; this presents an obvious problem given that the amount of metadata held by organisations is growing exponentially as new technologies emerge.
A comparative approach is also useful to comprehend why the Federal Court’s decision attracted such controversy. Goldenfein looks to the European approach in the European Court of Justice (‘EUCJ’) decision Patrick Breyer v Germany. Breyer sought an injunction to prevent certain websites from storing his internet protocol addresses (‘IP addresses’). The EUCJ held that the dynamic IP address of a visitor constitutes personal data, even though the visitor could only be identified when these IP addresses were linked with other data in the hands of third parties, such as ISPs. Therefore, it is apparent that Europe takes a much more stringent approach to data protection and privacy. In particular, Goldenfein finds it remarkable that Australian courts have chosen to ‘ignore the international discussion on how individuals need to be protected in the telecommunications technology of contemporary society’.
The European approach to privacy, analysed further, brings to light further gaps in Australia’s method. As of May 2018, the European Union’s General Data Protection Regulation (‘GDPR’) will be implemented, with global implications which extend beyond the European Union. While the GDPR shares much in common with the Privacy Act, there are several extensions on individual rights which Australian law has not yet addressed. For instance, the GDPR provides a new ‘right to be forgotten’ which includes circumstances in which the information is no longer necessary for the purpose for which it was collected, even if the individual has not withdrawn their consent. Another extension on individual privacy rights in the GDPR is the right to object at any time to the processing of their own personal data, particularly where the processing occurs for direct marketing. Such an approach clearly indicates who the priority is in European privacy laws: the consumer, and their rights as an individual.
With internet-related problems, the question is not only how these issues can be fixed or mitigated, but who bears the duty. Zittrain concedes that while the Internet has only been able to flourish because of a lack of caution, this trade-off has now become undesirable. We are approaching a critical juncture where problems will certainly manifest for consumers. The IoT necessitates a solution which mirrors the nature of the technology itself: agile and supportive of unforeseen changes. While IoT legislation is premature, there are decisive steps which can be taken, with reference to the multi-stakeholder approach.
Raymond and DeNardis define multi-stakeholderism as ‘two or more classes of actors engaged in a common governance enterprise concerning issues they regard as public in nature, and characterized by authority relations constituted by procedural rules.’ The Organisation for Economic Co-operation and Development (‘OECD’) is one such example of multi-stakeholderism in action, engaging ‘business, civil society, trade unions, and the Internet technical community.’ Stakeholders in respect of the IoT have unique roles to play but should operate in tandem with each other to bring some measure of co-ordination and coherence to Internet governance as well as the management of privacy and security risks vis-à-vis IoT devices. Privacy and consumer law cannot bear the brunt of consumer protection in an area which has flourished under decentralised governance.
The law is ill-equipped to handle problems arising from emerging technologies on its own. To illustrate this, we can look to the Privacy Act. Amendments have tried to give the Privacy Act more teeth, such as the Privacy Amendment (Notifiable Data Breaches) Bill 2016 (Cth). This will come into effect in 2018. From this point onward, certain agencies and organisations will be subject to a mandatory data breach notification regime. Failure to comply in repeated instances, or with respect to a serious breach, will result in monetary penalties of up to $1.8 million for companies and $360 000 for individuals. Similar bills were proposed in 2013 and 2015 but failed to achieve bipartisan support. Not all protections can, therefore, be creatures of statute and subject to the political process.
That is not to say that the law has no role to play. Consumer law is driven by contractual relationships, where the law must always step in to disentangle unfair and unenforceable provisions from those which are valid. Moreover, financial penalties under statute are powerful proscriptive instruments when they are enforced.
Businesses are natural stakeholders in this area of legal development and agility. Loss of reputation causes financial impact because consumers ‘vote’ with their feet and wallets. Moreover, there is also the potential for litigation and financial penalties. Therefore, businesses need to be involved in the consumer and privacy protection process by creating industry standards, separate from legislation, which require privacy and security by design. This would require a focus not only on the technology, but on its human operators. In its 2016 Report, BakerHostetler found human error to be the overwhelming cause of data security incidents. Companies need to ensure that they have adequate cyber security awareness and training, since even the best pre-prepared incident response plans remain vulnerable to human error.
Some onus must also be shifted onto consumers to become active and aware agents in the use and consumption of their devices. Consumers are important stakeholders who drive the demand for innovation and the supply of IoT devices. As a collective, consumers must exert their influence on other stakeholder groups, namely businesses, to indicate that issues regarding consent, security and the integrity of their devices are a priority. There needs to be a demand for transparent and accessible information on how data will be collected, accessed, used and stored. But consumers will not magically become aware of these issues overnight; education and tech-literacy should be promoted by the government from an early age.
The IoT is characterised by innovation and opportunity, not only for the commercial world, but for consumers. However, as indicated in this article, there are many risks and underdeveloped areas of the law unknown to consumers, to the extent that they may have no recourse when a problem arises. For the benefit of all parties involved, the IoT must be regulated to ensure a positive experience and risk-free engagement with the best available technology, without compromising individual privacy. This could occur with a multi-stakeholder model of governance. The model would enable decentralised regulation while allowing the IoT to remain agile, innovative and engaged with different sectors of society who prioritise diverse issues. In this way, we can move towards the future of IoT devices which equally favours creativity and ingenuity, and consumer rights and privacy.
Lorenzo Franceschi-Bicchierai, Internet of Things Teddy Bear Leaked 2 Million Parent and Kids Message Recordings (28 February 2017) Motherboard <https://motherboard.vice.com/en_us/article/pgwean/internet-of-things-teddy-bear-leaked-2-million-parent-and-kids-message-recordings>.
Lorenzo Franceschi-Bicchierai, How This Internet of Things Stuffed Animal Can be Remotely Turned Into a Spying Device (1 March 2017) Motherboard <https://motherboard.vice.com/en_us/article/qkm48b/how-this-internet-of-things-teddy-bear-can-be-remotely-turned-into-a-spy-device>.
Department of Consumer Affairs, Consumer Alert: Consumer Affairs Warns Parents to Secure Video Baby Monitors (27 January 2016) New York City Consumer Affairs <http://www1.nyc.gov/site/dca/media/pr012716.page>.
Karen Rose, Scott Eldridge and Lyman Chapin, The Internet of Things: An Overview (The Internet Society, 2015) 16.
Cisco, Visual Networking Index Fact Sheet 2020 Forecast Highlights (2016) 5.
Commonwealth of Australia, Department of the Prime Minister and Cabinet, Australia’s Cyber Security Strategy (2016) 14.
Competition and Consumer Act 2010 (Cth) sch 2 s 18.
Ibid sch 2 s 21.
Ibid sch 2 s 23.
Ibid sch 2 s 54.
Ibid sch 2 s 58.
Ibid sch 2 s 55.
Nick Abrahams and Jamie Griffin, ‘The End of a Long Road: Mandatory Data Breach Notification Becomes Law’ (2017) 32 Law Society of New South Wales Journal 76, 76.
Privacy Act 1988 (Cth) sch 1 s 1.
Ibid sch 1 s 5.
Ibid sch 1 s 11.
Ibid sch 1 s 12.
Privacy Act 1988 (Cth).
FCAFC 4.
Telstra Corporation Limited and Privacy Commissioner AATA 991.
Privacy Commissioner v Telstra Corporation Limited FCAFC 4.
James Halliday and Rebekah Lam, Internet of Things: Some Legal and Regulatory Implications (Baker McKenzie, 2016) 14.
Commonwealth of Australia, Australian Consumer Law Review: Final Report (2017) 28.
Kayleen Manwaring, Six Things Every Consumer Should Know About the ‘Internet of Things’ (8 June 2017) The Conversation <https://theconversation.com/six-things-every-consumer-should-know-about-the-internet-of-things-78765>.
Jason Koebler, Why American Farmers are Hacking Their Tractors with Ukrainian Firmware (22 March 2017) Motherboard <https://motherboard.vice.com/en_us/article/xykkkd/why-american-farmers-are-hacking-their-tractors-with-ukrainian-firmware>.
Commonwealth of Australia, Unfair Contract Terms: A Guide for Businesses and Legal Practitioners (2016) 11.
Halliday and Lam above n 26, 10.
FCAFC 4.
Anna Johnston, ‘Data, Metadata and Personal Information: a Landmark Ruling From the Federal Court’ (2017) 31 Law Society of New South Wales Journal 82, 83.
Cain Sibley and Ken Powell, What About Me? The Full Federal Court Says Personal Information Must be “About an Individual” (2 February 2017) Clayton Utz <https://www.claytonutz.com/knowledge/2017/february/what-about-me-the-full-federal-court-says-personal-information-must-be-about-an-individual>.
Lisa Main, Data Retention: What is Metadata and How Will It Be Defined By New Australian Laws? (17 March 2015) ABC <http://www.abc.net.au/news/2015-03-17/what-is-metadata-how-will-it-be-defined-by-new-australia-laws/6325908>.
Jake Goldenfein, Australia’s Privacy Laws Gutted in Court Ruling on What is ‘Personal Information’ (19 January 2017) The Conversation <https://theconversation.com/australias-privacy-laws-gutted-in-court-ruling-on-what-is-personal-information-71486>.
(C-582/14).
Goldenfein above n 37.
Jonathan Zittrain, The Future of the Internet and How to Stop It (Yale University Press, 2008) 9.
Stefaan Verhulst, Beth Noveck, Jillian Raines and Antony Declercq, ‘Innovations in Global Governance: Towards a Distributed Internet Governance Ecosystem’ (2016) Global Commission on Internet Governance 95, 101.
Mark Raymond and Laura DeNardis, ‘Multi-stakeholderism: Anatomy of an Inchoate Global Institution’ (2016) Global Commission on Internet Governance 19, 21.
Internet Society, Internet Governance – Why the Multistakeholder Approach Works (26 April 2016) <https://www.internetsociety.org/resources/doc/2016/internet-governance-why-the-multistakeholder-approach-works/>.
BakerHostetler, 2016 Data Security Incident Response Report (2016) 6.
Ibid 12.