The Complexities of Clouds of Things

By TAP Staff Blogger

Posted on October 6, 2016


Final of a 3-part Interview with Christopher Millard and Ian Walden


“’Yes, I agree,’ has become essentially a meaningless process designed to reflect a legal requirement but doesn't actually reflect the reality of the consumer's experience.” – Professor Ian Walden


“The degree of complexity in the ‘cloud of things’ is so much greater than anything we've seen before.” – Professor Christopher Millard


Law professors Christopher Millard and Ian Walden, both with the Centre for Commercial Law Studies at Queen Mary University of London (QMUL), discuss their work collaborating with fellow technology lawyers and computer scientists on the challenges in cloud computing where technology and regulation intersect.


In this final post of a three-part series, Professors Millard and Walden discuss the issues that arise when cloud computing intersects the Internet of Things (IoT). Their recent work has specifically focused on the fundamental security and liability concerns. As a jumping-off point, they discussed the Nest connected thermostat. The excerpt below is from Professor Walden’s article with co-author Guido Noto La Diega, “Contracting for the ‘Internet of Things’: Looking into the Nest.”


A consumer interested in a thermostat does not expect to face a legal mountain! However, if a UK-based customer wants to have a comprehensive picture of the rights, obligations, responsibilities of the various parties in the supply chain, he has to read at least 13 legal items.


13 Legal Documents for One Connected Device?!


Ian Walden
In a modern environment where you're being confronted with 13 legal documents, to what extent do you understand and can give any meaningful form of consent to either enter into the agreement for the products or the use of the data that's generated from that product and how that data is used? You just consent. You just sign, "Yes, yes, yes, I agree."


"Yes, I agree" has become essentially a meaningless process designed to reflect a legal requirement but doesn't actually reflect the reality of the consumer's experience. I think we have to rethink how such complex products are treated by the law in order to ensure the consumers are adequately protected.


Christopher Millard
The degree of complexity in the ‘cloud of things’ is so much greater than anything we've seen before. It's difficult enough to get your head around clicking "I agree” if you're installing an app on a device, for example, or even if you're subscribing to a cloud service such as web mail. But it is much more complex when you're looking at an ecosystem where you have a huge number of connected devices with sensors or actuators in them, which may in turn be transferring data in both directions with multiple cloud services. The number of permutations is enormous, as is the potential for complexity in terms of legal relationships.


Many of the devices that you might use in a so-called “smart home” will come from different sources with different legal arrangements, different contract terms for the supply of the products, and different terms for the online services through which you get these products to talk to each other. The multiplicity of devices, multiplicity of suppliers, multiplicity of providers of services for using the products leads to a level of complexity that is probably way beyond any reasonable consumer's ability to grasp. Yet the traditional legal models are still being deployed via contracts and notices.


How Would Liability Be Determined if a Connected Device Caused Harm?


Ian Walden
One of the arguments in the paper [“Contracting for the ‘Internet of Things’: Looking into the Nest”] is to say, "Well, public law may need to intervene, it may need to resurrect concepts like product liability. Product liability laws could simplify the legal relationships, and say, "It's no longer important to show fault. All you have to show is causation. Did that product cause damage to me? And if it did, you're liable.” Whether it's a service provider or product developer’s fault has nothing to do with it; if there's a causation between the device and the damage the consumer suffered then it's a standard and strict liability. In this new era of connected devices, with this meld of products, service, and software, trying to discern the responsibility of the products, service, and software becomes impossible.


Christopher Millard
It is a more radical approach to a hugely complicated ecosystem where it is very hard to work out who really is responsible for a particular event. This may also be relevant in the area of connected vehicles, for example, or ‘smart cars’ if you want to call them that.


How Might the Legal Liability Issues Impact Product Developers and Consumers?


Christopher Millard
One of our concerns is that the complexity of the legal liability environment could be a chilling factor that slows down introduction of technologies that would actually make our lives much safer. For example, it has been estimated that 80% to 90% of road traffic accidents could be eliminated by using robots instead of humans to drive cars. It would be a perverse result if you didn't do that just because you weren't able to manage the potential arguments about allocating liability amongst the many participants in that ecosystem.


There are many arguments that can be made for introducing robotic technologies. In some countries, for example, we already have driverless trains which have not only improved safety, but have also improved efficiency because you can run the trains more closely together.


I am concerned that the anxieties about liability, or the refusal of regulators in some countries to even permit certain devices to be deployed, could be counterproductive. It may be another one of these unintended consequences where, in the name of protecting people, you actually continue to subject them to a greater risk of harm.


Learn More about Professors Millard and Walden’s research on the Clouds of Things:


** **


Christopher Millard is Professor of Privacy and Information Law and head of the Cloud Legal Project in the Centre for Commercial Law Studies, Queen Mary University of London. He is also a Research Associate at the Oxford Internet Institute and is Senior Counsel to the law firm Bristows. He is Editor and Co-Author of Cloud Computing Law (Oxford University Press, 2013) and is a founding editor of the International Journal of Law and IT and of International Data Privacy Law. Professor Millard is a Fellow and former Chairman of the Society for Computers & Law, a past-President of the International Federation of Computer Law Associations, and a past-Chair of the Technology Law Committee of the International Bar Association.


Ian Walden is Professor of Information and Communications Law and head of the Institute of Computer and Communications Law in the Centre for Commercial Law Studies, Queen Mary University of London. Professor Walden has held visiting positions at the Universities of Texas and Melbourne. His publications include EDI and the Law (1989), Information Technology and the Law (1990), EDI Audit and Control (1993), Cross-border Electronic Banking (2nd ed., 2000), Telecommunications Law Handbook (1997), E-Commerce Law and Practice in Europe (2001), Media Law and Practice (2009), Telecommunications Law and Regulation (4th ed., 2012) and Free and Open Source Software (2013), and Computer Crimes and Digital Investigations (2nd ed., 2016).


TAP graciously thanks Professors Christopher Millard and Ian Walden for sharing their expertise and time.


Read more from TAP’s interview with Professors Millard and Walden: