Privacy, Technology, Security: the Internet of Things in a Smart Device World

PRIVACY, TECHNOLOGY, SECURITY: THE INTERNET OF THINGS IN A SMART DEVICE WORLD

CLE Credit: 1.0 Sponsor: KBA Health Care Law Section Wednesday, June 12, 2019 2:25 – 3:25 p.m. French Galt House Hotel Louisville, Kentucky

A NOTE CONCERNING THE PROGRAM MATERIALS

The materials included in this Kentucky Bar Association Continuing Legal Education handbook are intended to provide current and accurate information about the subject matter covered. No representation or warranty is made concerning the application of the legal or other principles discussed by the instructors to any specific fact situation, nor is any prediction made concerning how any particular judge or jury will interpret or apply such principles. The proper interpretation or application of the principles discussed is a matter for the considered judgement pf the induvial legal practitioner. The faculty and staff of this Kentucky Bar Association CLE program disclaim liability therefore. Attorneys using these materials, or information otherwise conveyed during the program in dealing with a specific legal matter have a duty to research the original and current sources of authority.

Printed by: Evolution Creative Solutions 7107 Shona Drive Cincinnati, Ohio 45237

Kentucky Bar Association

TABLE OF CONTENTS

The Presenters ...... i

Privacy, Technology, Security: The Internet of Things in a Smart Device World ...... 1

Case Law on the Use of the IoT in Criminal, Civil, and Family Law Contexts ...... 11

A to Z Guide to the Internet of Things ...... 15

THE PRESENTERS

Mark R. Brengelman Mark R. Brengelman, Attorney at Law PLLC 306 West Main Street The McClure Building Suite 503 Frankfort, Kentucky 40601 (502) 696-3992 [email protected]

MARK BRENGELMAN became interested in law when he graduated with both Bachelor’s and Master’s degrees in Philosophy from Emory University in Atlanta. He earned a Juris Doctorate from the University of Kentucky College of Law. Mr. Brengelman became an Assistant Attorney General in Kentucky in the area of administrative and professional law as the assigned counsel and prosecuting attorney to numerous health professions licensure boards. He retired from state government, became certified as a hearing officer, and opened his own law practice, including working as a legislative agent (lobbyist). As a frequent participant in continuing education, Mr. Brengelman has been a presenter for over thirty national and state organizations and private companies as the: Kentucky Bar Association, Kentucky Office of the Attorney General, National Attorneys General Training and Research Institute, State of Maine, Department of Financial and Professional Regulation, and Federation of Associations of Regulatory Boards. He was the founding presenter for “Navigating Ethics and Law for Mental Health Professionals,” a continuing education training approved by five Kentucky mental health licensure boards. He also founded “The Kentucky Code of Ethical Conduct: Ethical Practice, Risk Management, and the Code of Ethical Conduct” as an approved, state-mandated continuing education for social workers offered as a video-on-demand. Mr. Brengelman has now worked for all three branches of state government having worked since June 2018 as the Enforcement Counsel for the Kentucky Legislative Ethics Commission, an independent regulatory body that oversees 138 elected state legislators and nearly 800 registered lobbyists. He focuses on representing health care practitioners before licensure boards and in other professional regulatory matters and representing children as Guardian ad Litem and parents as Court Appointed Counsel in confidential child dependency, neglect, and abuse proceedings in family court.

Tricia A. Shackelford Shackelford Law Office, PLLC 155 East Main Street, Suite 101 Lexington, Kentucky 40507 (859) 286-3632 [email protected]

TRICIA SHACKELFORD ’s practice focuses on all aspects of small business law, employment law and healthcare law. Her clients include a variety of healthcare facilities and employees. Ms. Shackelford graduated, cum laude, from the University of Miami School of Law in 1999 and started her legal career at Steel Hector & Davis, one of South Florida’s leading business and international law firms. After returning to Lexington in 2001, she spent several years practicing with McBrayer, McGinnis, Leslie & Kirkland, in one of the Commonwealth’s premier health law practices. She also practiced with the healthcare team at Woodward, Hobson & Fulton and served as in-house counsel for Crown Medical Management – a full service medical practice management company. Ms. Shackelford served as the Chair of the Health Law Section of the Fayette County Bar Association and currently serves on the Board for the Lexington Medical Society Alliance as its Vice President and the Lexington Singers, the oldest continuously organized choral group in the United States. She previously served on the Friends of the Arts Board (Secretary and Vice President), the Board of Spindletop Hall, the University of Kentucky Faculty and Alumni Club (Secretary and Vice President), and Habitat for Humanity Board. She has published numerous legal articles – including co-authoring a Chapter of the Kentucky Health Law Handbook – and has been a frequent lecturer on a wide range of health law topics. Ms. Shackelford resides in Lexington with her two children, Brennan and Beau. In her spare time, she enjoys spending time with her family, theater and the arts, music and singing, travel, cooking, yoga and fitness.

PRIVACY, TECHNOLOGY, SECURITY: THE INTERNET OF THINGS IN A SMART DEVICE WORLD Tricia A. Shackelford, Esq. and Mark R. Brengelman, Esq.

I. INTRODUCTION

We live among the growing Internet of Things (“IoT”). The IoT is a giant network of connected “things,” devices, appliances, even automobiles – including connecting people and is a growing topic of discussion. The IoT impacts us daily – at work, at play, and at home, with growing legal implications.

Broadband and other high-speed internet is now widely available, the cost of connectivity is decreasing, and more products are being manufactured with Wi-Fi capacities and built-in sensors. The cost of technology is coming down and everyone has a “smart” phone. The era of the IoT is now.

II. WHAT IS THE “INTERNET OF THINGS?”

What is the “Internet of Things?” Simply, it is the ability of devices to connect with each other and to connect to the Internet. Like “smart phones” that do so much more than make telephone calls, the list of “smart” devices is endless – phones, watches, televisions, refrigerators, coffee makers, lamps, doorbells, pacemakers, and cochlear implants can all be configured for connectivity. If a device can power on and off, it can be part of the IoT.

Technology analysists estimate there will be over 26 BILLION devices connected to the IoT by 2020; a staggering number by any accounting. Relationships in the IoT will be person-to-person, person-to-device, and device-to-device.

There are many practical examples of ways the IoT can create value: your smart car can access your calendar and notify your client that you are on your way to a scheduled lunch meeting; your alarm clock could activate your coffee maker when your 6:00 a.m. alarm sounds; your office printer can send an order to the office supply store for more toner when the existing cartridge is low. The permutations are endless. Work is being done on “Smart Cities” that can help reduce waste and improve efficiencies.

IoT allows for virtually endless connectivity so it is easy to see how and why IoT is such a hot topic in 2019. But along with opportunities come challenges. With millions of devices connected together, security of the information that is created and stored by connected devices is a huge concern. The IoT opens individuals and entities world-wide to security threats.

Internet-connected “smarts” are creeping into cars, refrigerators, thermostats, toys and just about everything else in your home. Consumer Electronic Show 2019, the gadget show . . . in Las Vegas, will showcase many of these products, including an oven that coordinates your recipes and a toilet that flushes with a voice

command. With every additional smart device in your home, companies are able to gather more details about your daily life.1

III. DATA SECURITY RISKS

There are also issues related with all the information created and data stored or made available by IoT devices. The most significant challenge is determining whether a self-regulation regime by the manufacturers of these devices will be sufficient to address security concerns or whether comprehensive or sectoral legislation and regulation will be necessary to ensure the public interest in protecting personal privacy and data security will be addressed and that adequate remedies will exist in the event of systemic failures in data protection.

Of particular concern, many IoT devices collect very sensitive data – to include health information and geolocation data. Security issues associated with IoT arise because these devices are connected to the Internet, which makes them vulnerable to cyberattacks that can be utilized to gain access to an entire network.2 To complicate matters, most computer systems defend against cyberattacks via regularly updated software patches, but many IoT devices are not designed to use software patches, which results in leaving these devices vulnerable to attack because security protections cannot be easily updated from time to time.3

Many IoT devices use cloud storage services that store data on remote servers, thereby “splitting” control geographically and practically between the device and the data – the device is controlled by the user located in one location and the data stored on the device is controlled by a third-party storage vendor in another location – even another country. This “split control” leaves both the device and its data open to cyberattacks that compromise their security.4

However, most devices do not send collected data via networks to centralized cloud servers due to the limited power of the device and connectivity and bandwidth issues.5 Instead, most IoT devices utilize “fog computing.” The decentralized architecture of fog computing (the technical aspects of fog computing are beyond the scope of this continuing legal education), where data is stored and secured locally, prevents some (but not all) of the security concerns associated with cloud storage.6

1 Anick Jesdanun, Home Items Are Getting Smarter and Creepier, Like It or Not. The Associated Press, January 7, 2019.

2 See Internet of Things (IoT), Electronic Privacy Info, Ctr., http://www.epic.org/privacy/ internet/iot/.

3 See id.

4 See id.

5 See Rhys Dipshan, “The IoT Ambiguity: Secure Architecture, Vulnerable Data,” LegalTech News (Feb 2. 2018) http://www.law.com/legaltechnews/sites/legaltechnews/2018/02/02/the-iot- ambiguity-secure-architecture-vulnerable-data/.

6 See id.

IV. THE FEDERAL GOVERNMENT WEIGHS IN

In January 2015, the Federal Trade Commission (“FTC”) issued a report detailing the risks and benefits of IoT.7 In that report, the FTC highlights three potential security threats to consumers: (i) unauthorized access and misuse of personal information by intruders and hackers gaining access to such data; (ii) facilitation of attacks on networks and other systems to which the IoT device is connected, and; (iii) threat of harm to physical safety.8

V. DISTRIBUTED DENIAL OF SERVICE AND RANSOMWARE CONCERNS

Since the FTC’s January 2015 Report, IoT devices have often been subject to ransomware attacks and Distributed Denial of Services (“DDoS”) attacks. In a ransomware attack, hackers use a computer virus to infect a computer and encrypt all of its data or block the functioning of the computer.9 If the computer user fails to pay the ransom demanded by the hacker within a period of time, the virus destroys the files.10

In contrast, a DDoS attack works by overwhelming a computer system with repeated internet traffic from multiple sources.11 This ties up and shuts down the computer system much like complete gridlock in rush hour traffic on the roads that brings all movement to a halt. The “cybercriminal” initiates a DDoS attack by exploiting the vulnerabilities of just one device, making it the DDoS “master,” which then identifies other vulnerable devices, networks, and systems.12

DDoS attacks are made possible by the large number of unsecured internet- connected devices, such as home routers and surveillance cameras.13 In a recent event, the DDoS attacks infected thousands of IoT devices with the Marai malware

7 See Fed. Trade Comm’n Staff Report on the Internet of Things: Privacy and Security in a Connected World (2015), https://www.ftc.gov/system/files/documents/reports/federal-trade- commission-staff-report-november-2013-workshop-entitled-internet-things- privacy/150127iotrpt.pdf.

8 See id. (FTC report)

9 See Ian Sherr, “WannaCry Ransomware: Everything You Need to Know,” CNET, https://www.cnet.com/news/wannacry-wannacrypt-uiwix-ransomware-everything-you-need-to- know/.

10 See id.

11See “What is a DDoS Attack?” Digital Attack Map, https://www.digitalattackmap.com/understanding-ddos/; see also Margaret Rouse, “Definition: Disrupted Denial of Service (DDoS) Attack,” TechTarget, https://searchsecurity.techtarget.com/definition/distributed-denial-of-service-attack.

12 See Rouse, supra Note 10.

13 See Stephen Cobb, “10 Things to Know about the October 21 IoT DDoS Attacks,” WeLiveSecurity (October 24, 2016 7:16PM), https://www.welivesecurity.com/2016/10/24/10- things-know-october-21-iot-ddos-attacks/.

in order to find additional unsecured devices.14 The result was the formation of a botnet, a group of hijacked Internet-connected private devices controlled remotely without the owners' knowledge or consent.15

VI. PRIVACY CONCERNS IN THE DATA COLLECTED AND USED BY THE IOT

There are also privacy concerns related to the IoT. IoT devices collect sensitive information, including precise geolocation, financial account information, and health information (such as heart rate and diet information).16 Also affecting privacy is the ability of manufacturers, cybercriminals, and law enforcement personnel to remotely listen in to an individual’s residence, a school, a hospital, and other private areas, amounting to warrantless surveillance or illegal searching in violation of common law, privacy laws, and Fourth Amendment rights.17

Devices such a wearable fitness trackers that connect to the internet collect extremely sensitive health data about a person’s wellness.18 This information can, for example, be used by insurance companies to set an individual’s insurance premiums and deductibles.19

“It’s decentralized surveillance,” said Jeff Chester, executive director for the Center for Digital Democracy, a Washington-based digital privacy advocate. “We’re living in a world where we’re tethered to some online service stealthily gathering our information.”20

VII. PRIVACY CONCERNS IN THE HEALTH CARE DATA COLLECTED AND USED BY THE IOT

Other health care data – such as medical records and results from MRI and digital X-ray machines are also vulnerable as IoT medical devices become increasingly

14 See Id.

15 See Id.; see also “Botnet DDoS Attacks,” Incapsula, https://www.incapsula.com/ddos/botnet- ddos.html.

16 See Fed. Trade Comm’n, supra note 6 at 14.

17 See id. at 17.

18 See Jimmy H. Koo, “Dumb Devices Smarten Up, Widening Data Security Enforcement Net,” Privacy & Security L. Rep. (Bloomberg Law, New York, N.Y.) January 8, 2018 at 1.

19 See Fed. Trade Comm’n, supra note 6 at 15-16.

20 Jesdanun, supra note 1.

common in hospitals and the healthcare industry.21 Healthcare providers were the top target of cyberattacks in 2015. 22

Hospitals and healthcare remain a major target with providers falling prey to new attacks no less than bi-monthly.23

Note that a law enforcement or government official only has to issue a subpoena to access IoT data because it can be viewed as falling under the “non-content” information as defined in the Electronic Communications Privacy Act of 1986.24 This is important because a subpoena does not require judicial approval, unlike a search warrant, making it easier to obtain this kind of information from IoT devices.25

VIII. TECHNOLOGY CAN GET UNDER OUR SKINS – LITERALLY

Technology continues to get closer and closer to our bodies, from the phones in our pockets to the smartwatches on our wrists. Now, for some people, it’s getting under their skin.

In Sweden, a country rich with technological advancement, thousands have had microchips inserted into their hands.

The chips are designed to speed up users’ daily routines and make their lives more convenient – accessing their homes, offices and gyms is as easy as swiping their hands against digital readers.

They also can be used to store emergency contact details, social media profiles or e-tickets for events and rail journeys within Sweden.

Proponents of the tiny chips say they're safe and largely protected from hacking, but one scientist is raising privacy concerns around the kind of personal health data that might be stored on the devices.

Around the size of a grain of rice, the chips typically are inserted into the skin just above each user's thumb, using a syringe similar

21 See Mildred Segura et. al., “The Internet of Medical Things Raises Novel Compliance Challenges,” Med. Device Online (January 3, 2018).

22 See Zlata Rodionova, “Healthcare is not Top Industry for Cyberattacks, Says IBM,” Independent (April 21, 2016), https://www.independent.co.uk/news/business/news/healthcare-is-now-top- industry-for-cyberattacks-says-ibm-a6994526.html.

23 See Maia Hightower, “Industry Voices – Preserving Quality of Care in the Face of Cybersecurity Threats,” FierceHealthcare (December 6, 2017 6:30PM), http://www.fiercehealthcare.com/privacy- security/cybersecurity-medical-devices-internet-things-wannacry-patient-harm-quality.

24 See Dipshan, supra note 4 at 29.

25 See id.

to that used for giving vaccinations. The procedure costs about $180.

So many Swedes are lining up to get the microchips that the country’s main chipping company says it can’t keep up with the number of requests.26

This technology has come to the United States with a host of policy questions involving regulatory issues, intellectual property, contract law, and even bankruptcy.27

IX. THE REGULATION OF IOT

Despite significant security and privacy concerns, IoT devices and data remain largely unregulated; there are no specific laws that govern how IoT data can be collected or used.28 Because the responsibility for IoT privacy and security fall upon several actors in the IoT industry, including manufacturers, network providers, software developers, and others, it is difficult for the industry to implement industry-wide standards.29 Security updates to IoT devices are one of the primary ways to protect IoT devices from vulnerabilities and attacks.30

X. THE REGULATION OF IOT BY MANUFACTURERS

The National Telecommunication and Information Administration (“NTIA”) has identified ways manufacturers can communicate to better inform consumers and the market place about the capability of IoT devices to receive security updates. These include identifying whether a device can receive security updates; if so, how the updates are received; and, when the device will sunset and no longer be capable of receiving updates.31

NTIA also recommends manufacturers describe: (i) how users are notified about security updates; (ii) what happens from a security perspective once the device can no longer receive updates, and; (iii) how it will ensure that its security updates

26 Maddy Savage, “Thousands of Swedes are Inserting Microchips under Their Skin,” National Public Radio, October 22, 2018.

27 Andrea M. Matwyshyn, “The ‘Internet of Bodies’ is Here. Are Courts and Regulators Ready? A Network of Smart Devices Attached to or Implanted in Bodies Raises a Host of Legal and Policy Questions,” The Wall Street Journal, November 12, 2018.

28 See Kirk Nahra, “The Top Ten Privacy and Data Security Developments to Watch in 2018,” Bloomberg L.: Big L. Bus. (January 5, 2018), http://biglawbusiness.com/the-top-ten-privacy-and- data-security-developments-to-watch-in-2018/.

29 See Jon Gold, “IoT Security Needs a White Knight,” NetworkWorld (January 15, 2018, 4:30 AM), http://networkworld.com/article/3247774/internet-of-things/iot-security-needs-a-white-knight.html.

30 See Nat’l Telecomm. & Info. Admin. Communicating IoT Device Security Update Capability to Improve Transparency for Consumers (2017).

31 See id.

are secure.32 The FTC has also provided comments on NTIA’s recommendations, recognizing that consumers need “clear information about whether, how, for how long, and at what cost their IoT devices will receive security support.”33

XI. LIABILITY FOR THE IOT IS STILL UNANSWERED

Liability is also a topic of discussion when considering the Internet of Things. There are two main areas where liability can arise with IoT devices: (i) device malfunction, and; (ii) cyberattacks or hacks that lead to theft of personal data stored on the device or a larger network.34 The question in each of these cases is: Who is liable? To date, there is no good answer to this question.

XII. LIABILITY USING FEDERAL LAWS OF GENERAL APPLICABILITY

Regulators are utilizing the general and broad mandates of Section 5(a) of the Federal Trade Commission Act (“FTC Act”), which makes “unfair and deceptive acts or practices in or affecting commerce” illegal to hold individuals and entities accountable.35 According to the Federal Reserve’s Consumer Compliance Handbook, Section 5(a), acts or practices are considered deceptive where: “(1) a representation, omission, or practice misleads or is likely to mislead the consumer; (2) a consumer’s interpretation of the representation, omission, or practice is considered reasonable under the circumstances, and; (3) the misleading representation, omission, or practice is material.”36

Acts or practices are considered unfair if they: “cause . . . or are likely to cause substantial injury to consumers which [sic] is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”37 The FTC has used the FTC Act to support claims of “misrepresentation” where an IoT company failed to take reasonable steps to

32 See id.

33 See Fed. Trade Comm’n, Federal Trade Commission Public Comment on “Communication IoT Device Security Updated Capability to Improve Transparency for Consumers” (June 19, 2017) https://www.ftc.gov/system/files/documents/advocacy_documents/ftc-comment-national- telecommunications-information-administration-communicating-iot-device- security/170619nitaiotcomment.pdf.

34 See “Untangling the Web of Liability in the Internet of Things,” Mason Hayes and Curran Tech Law Blog (May 19, 2016), http://www.mbc.ie/latest/blog/untangling-the-web-of-liability-in-the- internet-of-things.

35 15 U.S.C. §45(a).

36 Fed. Res. FTCA §5 Unfair or Deceptive Acts or Practices, at 1 (2016), https://www.federalreserve.gov/boarddocs/supmanual/cch/ftca.pdf; see also 15 U.S.C. §45.

37 15 U.S.C. §45(n).

ensure security for routers and digital cameras designed for, marketed, and sold to consumers.38

The FTC also alleged in several cases that consumers were not notified of security breaches or of updates or patches that became available to improve security of IoT devices39 or that significant security liabilities were created because users’ internet browsers had access to all of a consumer’s sensitive personal information transmitted over the Internet – login credentials, social security numbers, financial account information, medical information, and web-based email communications.40

XIII. PRODUCT LIABILITY THEORIES

Liability may also attach based on the theories of product liability laws. Product liability is an area of law in which manufacturers and retailers are held responsible for damages caused by product failures. Product liability claims fall into three categories: negligence; strict liability, and; breach of warranty.

End User License Agreements (“EULAs”) often limit or cut-off a consumer’s ability to prevail on a products liability claim. EULAs are contracts signed or accepted by a consumer to gain access to their IoT devices and allow manufacturers to disclaim most, if not all, liability for damaged incurred through the use of IoT products.41 EULAs and software licenses make it difficult, if not impossible, for consumers to claim damages when products fail, or damage occurs.42

XIV. FUTURE REMEDIES

Perhaps the only way for consumers to hold manufacturers and others liable for damages is by demonstrating that EULAs are “unconscionable.”43 Collective

38 See Complaint for Permanent Injunction and Other Equitable Relief, Fed. Trade Comm’n v. D- Link Corp., No. 17-CV-00039 (N.D. Cal. Filed Jan. 5, 2017), http://www.ftc.gov/system/files/documents/cases/170105_d-link_complaint_and_exhibits.pdf.

39 See e.g. Complaint ¶22, FTC v. Vizio, Inc., No. 17-CV-00758 (D.N.J. filed Feb. 6, 2017), http://www.ftc.gov/system/files/documents/cases/170206_vizio_2017_02_06_complaint.pdf.

40 See Complaint, In the Matter of Lenovo, Inc., Docket No. C-4636 (filed Dec. 20, 2017), https://www.ftc.gov/system/files/documents/cases/152_3134_c4636_lenovo_united_states_decisi on_and_oorder.pdf.

41 See Bao Kham Chau et. al., Liability for Home IoT 2 (December 2015) (unpublished final paper, MIT), https://groups.csail.mit.edu/mac/classes/6.805/student-papers/fall15- papers/Liability%20for%20home%20IoT.pdf; see also Annalee Newitz, “Dangerous Terms: A User’s Guide to EULAs,” Electronic Frontier Found (Feb. 17, 2005), http://eff.org/wp/dangerous- terms-users-guide-eulas.

42 See Seth Stevens, “By Clicking on this Article, You Agree to…..,” Slate (November 17, 2014 7:00AM), http://www.slate.com/articles/technology/technology/2014/11/end_user_license_ agreements_does_it_matter_that_we_don_t_read_the_fine_print.html.

43 See Chau, supra Note 37.

consumer backlash may also deter companies from creating faulty products or discourage other consumers from purchasing faulty products.

A final recourse for consumers may be through state data disposal laws, security breach notification laws, and general data security laws that control the private sector. Kentucky does not have laws that govern our state government’s use and storage of electronic data, but in Kentucky “[w]hen a business disposes of, other than by storage, any customer’s records that are not required to be retained, the business shall take reasonable steps to destroy, or arrange for the destruction of, that portion of the records containing personally identifiable information by shredding, erasing, or otherwise modifying the personal information in those records to make it unreadable or indecipherable through any means.”44

This statute may provide limited relieve to Kentucky citizens who are damaged by improper storage and disposal of IoT data.

44 KRS 365.725 (2006).

CASE LAW ON THE USE OF THE IOT IN CRIMINAL, CIVIL, AND FAMILY LAW CONTEXTS

I. CIVIL LAW – PATENTS

In Bridge & Post, Inc. v. Verizon Communications, Inc., 319 F.Supp.3d 818 (E.D. Va. 2018), the United States District Court for the Eastern District of Virginia decided a patent case related to the IoT. This case involved three alleged patent infringements on technology to allow a persistent, unchangeable identifier associated with an internet-enabled device: (i) to track internet users and surpass cookies’ limitations; (ii) to enable advertisers to use that persistent identifier while still protecting people’s personal information, and; (iii) to tag internet traffic with an identifier to track a particular end user through an encrypted process. Bridge and Post had essentially come up with a way to track website preferences and obtain exact geographic and specific demographic information without cookies, preventing the user from turning off cookie preferences. This could be applied not just to a computer or smart phone, but to any device in the IoT.

The United States District Court found this technology was not a patentable device because the patents did not contain an inventive concept that provided significantly more than the abstract idea of using a persistent, non-changeable identifier which also failed to add significantly more than the abstract idea.

In this case, the patent teaches a system that uses an unchangeable identifier associated with each internet-connected device to track the device’s internet browsing history and physical location. The system uses that data to create a profile for the device, assign the device to a group based on the profile, and direct targeted advertisements to the device based on the profile and the group.

Before this patent, there were two ways used to target customers. The first was through the IP address, but that method only provided a rough estimate of location and provided no demographic information. The second was through cookies which store a user’s web browsing history, but users can delete or disable this function. The patents at issue in this case were each directed towards an abstract idea and lacked an inventive concept that provided significantly more than the abstract idea. The District Court therefore found the patents invalid and dismissed the case.

II. CRIMINAL LAW – FOURTH AMENDMENT SEARCH AND SEIZURE

In Carpenter v. U.S., 138 S.Ct. 2206 (2018), the United States Supreme Court considered the question of whether the government conducts a search under the Fourth Amendment when it accesses historical cell phone records that provide a comprehensive chronicle of the user’s past movements. The case did not involve the substance of cell phone calls, but the geographic locational data of the owner of that cell phone.

Each time a phone connects to a cell-site location, it generates a time stamped record. Many wireless carriers collect their own data for cell-site location for their own business purposes. Sometimes that information is sold without identifying

11 data to data brokers. That information was at issue in this case because of how the cell location was obtained.

In 2011, four men were arrested as suspects in some robberies. One of the men confessed to robbing nine different locations. The cell phone numbers of the accomplices were provided, and the FBI reviewed the information. The government then applied for a court order under the Stored Communications Act for cell phone records. The government obtained 12,898 location points cataloging the defendant’s movements.

The defendant, because of the use of the cell-site data, was charged with six counts of robbery, which linked him in time and place to the alleged robberies. He tried to get the evidence suppressed because the seizure of the data arguably violated the Fourth Amendment. The government was able to pinpoint the cell phone locations that were time stamped and thus place the defendant at the location of four of the charged robberies.

The argument for admissibility was that defendant shared his location information with the cell phone carriers by his very use of a portable cell phone and therefore lacked the expectation of privacy necessary to be protected by the Fourth Amendment. In the criminal context, cases have recognized the guideposts for privacy. First, the Amendment seeks to secure privacies of life against arbitrary power. Second, a central aim of the Framers was to place obstacles in the way of a permeating police surveillance.

Previously, the Fourth Amendment has applied in various ways to innovations in surveillance. The Supreme Court discussed a few previous cases of sense- enhancing-technology, like heat sensing technology, which constituted an invasion of privacy and would require a warrant to use.

The Supreme Court distinguished previous cases by pointing out that cell phones typically hold a lot of information that is sensitive and thus worth of privacy. Other courts have held the movement in a car does not constitute a search when tracking because the car’s location is voluntarily conveyed to anyone who wants to look. This case had a more sweeping mode of surveillance. Other courts have found that the length of time the government monitors movement is also a determining factor of a search.

The third-party doctrine was also analyzed but rejected in this case because the Supreme Court found the cell phone holder did not necessarily agree with the disclosure of the location. The information gathered was so detailed and effortlessly compiled that it was intrusive. The Supreme Court found that the third- party doctrine applied to telephone numbers and bank records, but cell-site records are a completely different category that the doctrine does not extend to that would otherwise allow a warrantless search.

The Supreme Court held the government generally needed to obtain a warrant for the search based on probable cause before acquiring the cell phone records for cell-site-location.

III. FAMILY LAW – USE OF UNLAWFULLY OBTAINED DATA IN ADOPTION PROCEEDINGS

In Adoption of T.K, 240 Cal. App. 4th 1392 (Cal. Ct. App. 2015), the Courts of Appeal of California ruled on the constitutionality of a statute precluding paternal rights for unwed fathers unconstitutional. In this case, the putative father had engaged in cyberstalking the mother during the pregnancy of the child and, therefore, the trial court found the father did not demonstrate the full commitment required by statute as an emotional element of support evidencing not only financial support but a willingness for the father to – at least to the extent the mother makes possible – emotionally support the unwed mother during her pregnancy.

The father had cyberstalked the mother throughout their rocky relationship, on one occasion noting the mother had bought someone else a drink. The couple broke up, yet the father continued the stalking. This included the father having tracked the mother’s location through her iCloud login on her phone, which password and username the father had obtained. While the mother had changed her passwords no less than five times, the father was still able to track her.

The father also used the mother’s cell phone to contact the potential adoptive parents of the baby. The father opposed any adoption of the baby, and he repeatedly contacted the potential adoptive parents for the next couple interested as well. The father was also able to email the mother’s attorney while the mother was meeting with her attorney. Other instances included the father showing up at locations where the mother was located – all found through the geolocation functions of the hacked cell phone. This first happened for a medical appointment that was only known to the mother’s own mother, and then to the hospital for the induced labor appointment for the mother to give birth.

The burden in this case to oppose the termination of parental rights of the father was on the father to show that he qualified as the father with legal rights. The California Court found the cyberstalking added stress to the mother’s pregnancy, and that the father’s actions of showing up at the same place had more to do with blocking the adoption than it did with the well-being of the child. Because the father had hacked the mother’s cell phone repeatedly to obtain confidential information, the father had not proven he was emotionally supportive during the pregnancy sufficient to grant him parental rights.

A TO Z GUIDE TO THE INTERNET OF THINGS*

• BotNet. Also called a Zombie Army, a botnet is a collection of connected Things (anything with an IP address) that has been set up to forward transmissions, typically spam or viruses, to another unsuspecting machine on the internet, often forcing it offline. The owners of these connected Things are not aware that their Thing is part of a botnet, stressing the importance of IoT security.

• Cloud Storage. Cloud storage is a model of computer data storage in which the digital data is stored in logical pools. The physical storage spans multiple servers (sometimes in multiple locations) and the physical environment is typically owned and managed by a hosting company. These cloud storage providers are responsible for keeping the data available and accessible and the physical environment protected and running. People and organizations buy or lease storage capacity from the providers to store user, organization, or application data. Cloud storage services may be accessed through a co-located cloud computing service, a web service application programming interface, (“API”), or by applications that utilize the API, such as cloud desktop storage, a cloud storage gateway, or web- based content management systems.

• Connectivity. IoT connectivity boils down to how Things connect to each other. Connections can be wired or wireless.

• Data Streaming. Real-time data streaming processes data on the fly instead of waiting to process it after it has been stored in a database, which could be too late to react. Popular streaming applications include fraud detection, network monitoring, e-commerce, and risk management.

• Fog Computing. Fog Computing works with a local area network (“LAN”) to gather, process and store data within a network via an IoT gateway or fog node.

• Geofencing. Geofencing uses GPS and RFID technologies to create a virtual geographic boundary, like around your home property. A response is then triggered any time a mobile device enters or leaves the area.

• GPS. Global Positioning System originally developed by the U.S. Department of Defense that utilizes a free satellite-based navigation system that works anywhere, at any time, and under all weather conditions.

• Hacker. A highly skilled computer expert capable of breaking into computer systems and networks using bugs and exploits. “White Hats” are ethical hackers who specialize in making sure that an organization’s information systems are secure. “Black Hats” maliciously break into a system to destroy files, steal data or some other nefarious purpose, like blackmail or ransom. “Gray Hats” violate some laws or ethical standards but not with malicious intent like Black Hats.

• Interconnectivity. Interconnectivity is focused on the quality of being connected, or the potential to connect in an easy and effective way.

• Interoperability. The ability to get an ecosystem of IT systems and software applications communicating and exchanging data with each other.

• Manufacturing or Industrial IoT. Data-collecting sensors embedding in factory machines or warehouse shelves that communicate problems or track resources in real time, making it easy to work more efficiently.

• Marai. A popular malware program that turns Linux-based machines into bots that can be used as part of a botnet in a large-scale network attack.

• Mobile Device. A portable, handheld computer – like a smartphone, tablet or DSLR camera – that is battery powered and typically connects via Wi-Fi, Bluetooth, and/or a cellular network.

• Network. Uses a mix of wired and wireless technologies to connect “endpoints” (servers, personal computers, phones) for transmitting, receiving, and exchanging data, voice, and video traffic. Each endpoint has a unique identifier (an IP address or a media access control (“MAC”) address) to identify the source and destination of the transmission. It is the foundation on which the Internet of Things is built.

• RFID or Radio Frequency Identification. Uses electromagnetic fields to identify and track tags attached automatically to objects.

• Smart. Any physical entity that can exchange data with another entity through a wired or wireless connection is “smart.”

• Things. In general, a “Thing” is a sensor, device, or anything with an IP address.

• Wi-Fi. A popular networking technology that allows connectivity to the internet and other devices wirelessly.

*Definitions obtained from SAS Institute, “A Non-Geeks A-to-Z Guide to the Internet of Things” (2018-2019), https://www.sas.com/content/dam/SAS/en_us/doc/whitepaper1/ non-geek-a-to-z-guide-to-internet-of-things-108846.pdf.