In addition to setting the stage for the next wave of product and service development, machine-to-machine in the internet of things (IoT) has become a focus of growing discourse with respect to legal risk. Identifying and responding to both the risks and opportunities presented will require new levels of collaboration between legal, compliance, and product development teams. However, tracing all the potential permutations (particularly at this early stage) is tricky business. With that in mind, the following series discusses the primary dynamics at work in Law and IoT.
“Embedded compliance” refers to the challenges and opportunities created by the ability of private parties to embed restrictions, obligations, or limitations within individualized product use. Without putting too fine a point on it, Embedded Compliance refers to the use of embedded algorithms and controls in a product to restrict use in deference to context-specific legal requirements, contractual terms, or other risks.
The best recent articulation of these dynamics comes from Kenneth Grady’s discussion of the Breathalyzer-based ignition. However, the relationships Grady alludes to have long been identified in current guerrilla presidential candidate Lawrence Lessig’s seminal work Code or, practically, in the dynamics set by digital rights management (DRM) software. Other parallels in the software world appear to be on the rise, such as those emerging in AirWatch Content Locker’s embedded location-based risk controls or Invoiceware International’s inclusion of multi-jurisdictional Latin American invoice and reporting requirements into its electronic billing platform.
A car that only starts based on a successful Breathalyzer test provides only a rough indication of what is possible in this context. Consider how these capabilities might extend opportunities for leasing or product subscription services, where, for example, a printer might shut down after a pre-determined number of pages per month and only restart on a premium. (Blue Hill has laid out more than a few thoughts with respect to the opportunities presented.) Of course, the opportunities presented extend beyond direct manufacturer benefits to include competitive and commercial value. For example, a limousine company might see tremendous risk mitigation benefits in contracting with the automotive manufacturer that provides Breathalyzer controls or location-awareness that prohibits drivers from exceeding speed limits. Additional incentives will follow as insurers continue to study the potential benefits available.
As with DRM, embedded product compliance will be vulnerable to claims of over-enforcement. Again, these issues run back to Lessig’s explanation of how automated requirements enforcement fails to provide the awareness of circumstance necessary for legal determinations. DRM, for example, cannot understand whether a particular use of content constitutes permissible fair use. IoT has the potential to provide more individualized determinations, but also raises the stakes where errors can impose liability. For example, what might an individual’s recourse be when his or her car fails to start due to a false positive on that embedded Breathalyzer? Is the manufacturer liable if this causes the individual to lose his or her job?
To find answers to these questions, attorneys must, once again, work with product development teams to understand the embedded heuristics, underlying data, and underlying liabilities that might be presented. This will require attorneys to not just provide guidance with respect to product decisions, but to become active participants in the product development process.