This document discusses the Internet of Things (IoT) and provides examples of connected devices. It notes that by 2020, 50 billion devices are estimated to be connected to the Internet. It discusses privacy issues regarding personal data collection and use by IoT devices. Security issues are also examined, such as vulnerabilities of connected devices to hacking. Intellectual property questions are raised about who owns works created by machines. The document concludes by stating that more regulation of IoT is expected.

1. The Internet of Things
Hello?
Is anyone
there?
Yes. This is your car
speaking..
How can I help you?
I need more
Spam!
OK. I'll go
get some.
Toronto Computer Lawyers' Group
October 23, 2014
Lisa Abe-Oldenburg

2. What is the Internet of Things?
• IoT or the Internet of Everything
• Anything that contains a computer processor can act as a self-contained web
server to handle communication and other sophisticated functions
• Imagine a world where everything has sensors, is connected to a wired or
wireless Internet network, and communicating with each other
• Phones, computers, tablets
• Homes and appliances
• Cars and transportation
• Wearables (computers worn on the body)
• Machines (M2M) and manufacturing
• Services, e.g. healthcare, energy, payments
• Plants, livestock and pets?

4. Facts and Figures
• According to CISCO, during 2008, the number of devices connected to
the Internet exceeded the number of people on Earth for the first time
• According to the Chartered Institute for IT, there are around 200
connectable devices per person on the planet today and it is estimated
that by 2020, 50 billion devices will be connected to the Internet
• New IPv6 system, which will replace IPv4, will allow billions of IP
addresses to be assigned – one for every object or device in the world
(approx. 3.4×1038 addresses)
• Google's acquisition of the connected home technology company Nest
for US $2.3 billion, was its second largest ever acquisition (after
Motorola)

5. Examples
• A Dutch company has pioneered wireless sensors in cattle so that
when one is pregnant or ill, it sends a message to the farmer
• Plants are now able to be connected to irrigation systems and decide
when to water themselves
• Cars can drive themselves
• Wearable monitors can track health information and interact with
hospital staff
• Fridges can determine what food its owner needs and order it for them
• Machines on assembly lines can talk to each other and order more
parts or request maintenance as needed
• And yes, pretty soon your carpet will call an ambulance for you when
you fall and pass out on it…

6. FOR THE PURPOSES OF
MAINTAINING YOUR WELLNESS, I,
YOUR CARPET, WILL BE PROVIDING
YOUR PERSONAL HEALTH
INFORMATION TO A DOCTOR. DO
YOU CONSENT?
Privacy Issues
I don't feel
well…
Hey carpet! This guy is
about to kick the
bucket! Call 911 and
notify his doctor!

7. Privacy Issues
• Which laws and jurisdictions apply? PA, PIPEDA, PIPAs, PHIPAs
• IoT creates challenges across provincial and international
borders. Can domestic legislation alone sufficiently
protect personal information in the world of IoT?
• Is the data "personal information"?
• Definition of "personal information" is generally considered to be
any information about an identifiable individual

8. Privacy Issues
• SCC in Dagg v. Canada (Minister of Finance), [1997] 2 S.C.R. 403
said broadly:
"its intent seems to be to capture any information about a specific person,
subject only to specific exceptions"
• Privacy Commissioner in its 2001-2002 Annual Report to
Parliament also stated that:
"the definition ['about an identifiable individual'] is deliberately broad…It
does not matter who generated the information, or how, or who
technically "owns" it…information [is] personal even if there is the
smallest potential for it to be about an identifiable individual"

9. Privacy Issues
• Information that alone does not identify an individual can be
"personal information" if, in combination with other information,
it could be used to identify an individual
• Federal Court determined that such data, which could be combined
with other data to identify someone, is "personal information". See
Gordon v. Canada (Minister of Health), [2008] CarswellNat 522
paragraph/line 34
• IoT becomes complicated as it generates BIG DATA. Data, when
coupled with other available data, could lead to identifying individuals

10. Privacy Issues
• IoT makes compliance with Privacy Principles underlying all modern
privacy regimes complicated:
• Accountability: organizational responsibility for Personal Information (PI)
under its control – Who is in control? Push (chatter) vs. pull data
• Identifying Purposes: at or before the time of collection of PI – Practicality?
Individuals may not be aware of any data processing taking place
• Consent: knowledge and consent of individual required for collection, use or
disclosure of personal information, except where inappropriate – Informed
consent? Sufficiency? Form? Enforceability/binding? Can machines consent
on your behalf? Can they bind you to contracts? Consumer protection laws
and Internet contract requirements
• Limiting Collection: PI collection limited to that which is necessary for the
purposes identified by the organization – Who is collecting? How BIG is the
DATA? Combined data can reveal more information about an individual and
increase identity theft risk

11. Privacy Issues
• Limiting Use, Disclosure and Retention: PI cannot be used or disclosed for other
purposes. Also, PI can be retained only as long as necessary for the fulfillment of the
purpose – how do you control the data and its use or disclosure? Data filters? Handling
machine requests for repurposing data? Data on the Internet exists forever!
• Accuracy: PI shall be as accurate, complete, and up-to-date as necessary for the
purposes for which it is to be used – stored data vs. real time data? Will machines know
what is correct?
• Safeguards: PI shall be protected by security safeguards appropriate to the sensitivity
of the information – Assessing sensitivity in what context? Security issues
• Openness: Organization shall make readily available to individuals information about
privacy policies and practices – To/from machines? Which organization?
• Individual Access: Upon request, can access and amend info and be informed of its
existence, use and disclosure – How does live person get access from machines?
• Challenging Compliance: Individual can challenge compliance with principles to
designated accountable individual at organization – Who is this?

12. Hey Fridge! What
food does George
have in there?
Just pizza.
How many
pizzas does he
eat in a week?
On average….
ten.
We'd better increase
his life insurance
premium!
George's Insurance Company George's fridge

13. Security Issues
• Software = hackable
• Connection = exposed
• Former VP of the US, Dick Cheney, deactivated the Wi-Fi function on his
pacemaker, admitting he was afraid someone might hack it in an attempt to
assassinate him
• In PIPEDA Finding #2011-001, the OPC reported on Google's inadvertent
collection of data from unsecured Wi-Fi networks as camera cars documented
street images for Google's mapping services over the course of several years.
Google had gathered PI in excess of the purpose for which it was collected,
failed to provide adequate disclosure or solicit consent from the data subjects
• Last year, two IT experts in the US showed how easy it is to hack a car, make it
brake, prevent it from braking or even make the driver lose control of the
steering wheel
• Corporate espionage and employee issues

14. Security Issues
• The BBC reported recently that a fridge was discovered to be sending spam
emails after a web attack. It was one of more than 100,000 devices used in a
spam campaign – Objects are vulnerable
• A recent study by HP found 70% of IoT devices used unencrypted network
services and 80% of devices (including their cloud and mobile app
components) failed to require passwords of a sufficient complexity and
length
• Potential for monitoring and tracking homes or wearables equipped with IoT
systems to perform BIG DATA analytics and covert surveillance
• Symantec paper (July 30 2014) found:
• All wearable activity-tracking devices can be tracked or located through wireless protocol
transmissions by simply scanning airwaves for signals – can tell when you are not home
• 20% of apps transmit user data in clear text, e.g. login passwords, d.o.b., address, etc.
• 52% of apps don’t have privacy policies
• Significant number of apps contacted 10 or more different domains
• Shared service sites did not correctly handle user sessions, allowing browsing of personal data
belonging to other users of the site, or uploading of commands to the server for execution

15. Security Issues
• Security of objects as connection points, security of interaction between
objects, and security of the ecosystem itself
• New standards, security audits and authentication may be necessary
• OPC Authentication Guidelines – if an organization does not need to identify
for sure who the individual is then they should not be collecting authenticating
information. "Risk creep" as more objects become interconnected
• Medical device regulation for connected devices
• Recent US Guidelines for cybersecurity in medical devices
• No specific guidance yet in Canada
• Health Canada case-by-case analysis of vulnerabilities of each device with regards to
patient safety and safeguarding of medical information
• European medical devices directives are already undergoing substantial revision, with the
expectation being that two new regulations will come into effect some time in 2015
• Encryption and intrusion detection measures
• Data breach notification responsibilities

16. Intellectual Property Issues
• Things, objects and machines can not only talk to each other, they
can make smart decisions and create literary, artistic, dramatic,
musical works and inventions based on information they receive,
whether from their own sensors, a person or another object or data
source
I need some
wings so I can
fly!
I can create the flying
software, upload it and
design you attachable
wings.
Hey 3D printer,
I need your
help!
Send me your code
and I'll have it done in
a minute!

17. Who owns machine-generated works?
• Who owns the data? Database rights
• As machines become even more intelligent, the machines will be
operating not just as tools or sensors collecting data, but also as
producers of works with little or no human intervention
• Canadian Copyright Act does not protect literary or artistic works
created by non-humans
• Draft Compendium of the U.S. Copyright Office Practices, Third
Edition, August 19, 2014 Chapter 300 states that "the Office will not
register works produced by a machine or mere mechanical process
that operates randomly or automatically without any creative input or
intervention from a human author."
• Assuming all machines will produce a random or predictable result

18. Who owns machine-generated works?
• Artificial intelligence and vast amounts of complex data and
information (real-time variables) being exchanged, do not create
random or predictable results. May be quite novel or original, like
the solution to a complex problem that cannot be solved by the
limitations of the human brain. Should the output be protectable
as a copyright work or patentable as an invention?
• Dilemmas as to Who is the owner or inventor?
• Ownership claims may come from the producers of the underlying
programming, the owners of the machines, the investors in the
technology, the network or machine operators, or the end-user
subjects about whom the data is being collected, or others

19. Who owns machine-generated works?
• UK and New Zealand allow copyright protection for computer-
generated works
• In those countries, the author of a literary, dramatic, musical or
artistic work that is computer-generated is deemed to be the
person who makes the "arrangements necessary " for the creation
of the work
• Copyright reform needed in Canada to remain a competitive
marketplace for IoT and M2M technology
• To protect your machine-generated works in Canada under
Canadian copyright law, you should ensure some creativity is
contributed from a human author and that the other tests for
originality and fixation are met

20. Patent infringement risk
• For IoT to work, it requires standardized technology
• If patents exist in the architecture, third party users may be
infringing
• Standard-Essential Patents (SEPs) are patents that are essential to
implement an industry standard
• Bodies who set standards impose conditions that patent licenses
should be available to third parties on fair, reasonable and non-
discriminatory (FRAND) terms

21. Patent infringement risk
• Court of Justice of the EU is considering Huawei v. ZTE (C-170/13)
• Huawei, China’s largest phone maker, sued ZTE at the Regional Court of
Düsseldorf, seeking an injunction for the alleged infringement of an SEP
relating to the implementation of the LTE standard
• ZTE, a telecom company also based in China, claimed the demands for an
injunction were an abuse of Huawei’s dominant market position, citing it
is prohibited under European directive (Article 102, TFEU)
• ZTE claimed that, because it was willing to negotiate a license agreement
to use the patent, no injunction could be issued against it
• In addition to submissions by Huawei and ZTE, the Netherlands, Finland
and the European Commission submitted their views and concerns as to
how the interests of patent owners and standard users should be balanced
• Final opinion of the AG is expected November 20th, and final judgment
expected in early 2015
• Will affect future SEPs and licensing

22. Liability Issues
• Who is liable when the machine gets it wrong?
• Is there a valid and enforceable contract, between machines?
• Automated contracts
• Provincial consumer protection laws for Internet (text based) or remote
contracts may apply, e.g. requirements for disclosure of terms, writing and
delivery, content of agreement, express opportunity to accept or decline,
cancellation rights, amendment, renewal and extension.
• Was there negligence? Product liability issues?
• Limitations on liability – certain types of liability cannot be
contracted out of
• What if machine orders/binds you to something that you cannot
afford?
• What if machine gets hacked, or has a data breach?
It wasn’t
me! It was
my car!
You hit
me!

23. More regulation to come
• The Canadian OPC is currently conducting various research
projects related to the IoT, including a study on intelligent vehicle
technology that will look at the impact on privacy of the use of
telematics by automobile manufacturers and insurers
• US Federal Trade Commission held a workshop in November 2013
dealing with the IoT and is still trying to figure out the best way of
regulating it
• The European Commission has undertaken a number of research
projects related to the IoT
• CASL technology provisions dealing with the installation of
computer programs, come into force January 15, 2015

24. Lisa K. Abe- Oldenburg, B.Comm., J.D.
Abe-oldenburgL@bennettjones.com
Tel.: 416-777-7475
www.bennettjones.com
• This presentation
contains statements of
general
principles and not legal
opinions and should not
be acted upon without
first consulting a lawyer
who will provide
analysis and advice on a
specific
matter.