Skip to content

Accountability for the Internet of Torts


Rebecca Crootof (@RebeccaCrootof) is Associate Professor of Law at the University of Richmond School of Law.

This post is part of a symposium on the political economy of technology. Read the entire series here.


Tort law has always shaped political economy in the wake of technological developments. Sometimes it operates to protect the powerful; sometimes it intervenes in power relations to correct new imbalances. The history of tort law can be understood as a series of case studies in how new technologies enable new conduct and harms, and in how judges and legislatures changed the law to address the resulting power dynamics between industry and individuals. The concept of ultrahazardous activities, the creation of no-fault workers’ compensation and motor vehicle insurance, and the rise of mass tort litigation can all be partially traced to underlying technological changes and accompanying social shifts.

Today, we are at the inflection point of another such transformation. In an earlier post, Introducing the Internet of Torts, I discussed how Internet of Things (IoT) companies are able to create and impose their own contractual governance regimes. They use terms of service to displace the law of the state, and they employ technological self-help to enforce their rules. Furthermore, the physicality of IoT devices increases the likelihood of consumer property damage and physical harm when companies discontinue service or otherwise engage in digital repossession. In this post, I will use prior tort law revolutions as a springboard to discuss how new products liability law and fiduciary duties could be used to rectify this new power imbalance and ensure that IoT companies are held accountable for the harms they foreseeably cause.

Over and over, in response to technologically-fostered shifts in the political economy, tort law has evolved in response to situations where the logic of individual agreement or apparent non-relation should give way to a social logic of duty and recompense. Two of the more momentous examples are the creation of the modern conception of “negligence” and the development of products liability law. In each of these situations, tort law responded to new, technologically-enabled harms by creating more expansive duties of care and affirming the validity of more attenuated causation analyses.

Personal injury claims were rare in pre-industrial America. To the extent pre-industrial cases mention “negligence,” the term usually entails a defendant’s failure to fulfill a specific duty toward a specific other, such as a duty of a shopkeeper to deliver a purchased item in good condition. But with the advent of the Industrial Revolution—and its machines with “a marvelous capacity for smashing the human body” and tendency to explode—there was “an accident crisis like none the world had ever seen.”  Furthermore, instead of being harmed by a family member, neighbor, or other familiar individual, now people were being mangled by machines whose owners they had never met—and who they were far more willing to sue.

As more and more personal injury suits were brought, courts began changing the standard under which claims were evaluated. The modern American conception of negligence was born: whereas once it had been sufficient to show that the defendant caused an injury, plaintiffs now needed to also demonstrate that the defendant had not acted with reasonable due care. While this shift in what constitutes negligence is often described as a contraction of defendant liability, as it shifts the burden of proof to the plaintiff, along another dimension it can be understood as an expansion of liability. No longer is one only liable for a specific duty owed in a particular kind of relationship; now, one has “a more general duty potentially owed to all the world.”

Just as the Industrial Revolution and the rise of “stranger cases” spurred the evolution of negligence, mass manufacturing and newly distant seller/buyer relationships prompted the development of products liability law. Historically, consumer protections for product-caused harms were based on privity of contract: only those party to a contract of sale could bring suit for harms caused by an object. As mass production created an increasingly attenuated relationship between the manufacturer and ultimate consumer, however, courts began to hold companies liable for the harms their products caused.

IoT devices are simultaneously objects and ongoing services, which creates a new kind of ongoing relationship between companies and consumers. Once again, it is necessary to expand industry liability to address new technologically-enabled conduct and an attendant power imbalance.

Because IoT devices are products, it is natural to first look to products liability law to address their associated problems. When harm is caused as the result of a IoT device’s design defect, manufacturing defect, or inadequate warning, it can be addressed through existing products liability law. When such harm is caused by a hacker, we can debate whether the harm should lie where it falls or be considered a kind of design defect or breach of implied warranty. But what about when a company intentionally discontinues service for an IoT device, either in response to a contractual breach or as outright punishment?

For products liability law to be applicable, we may need to develop a new claim grounded in defective service—a “service defect” claim. A company could be required to provide written notice of the possibility of self-help enforcement in its initial contract, and it could install all manner of warnings to notify the device’s user of missed payments or other contractual violations that trigger the possibility of digital repossession. Alternatively, as already occurs with physical repossession, companies could be required to engage the state to ensure a certain amount of due process before digitally repossessing a device, especially should a company delegate its self-help enforcement decisions to algorithms.

In situations where IoT companies provide services that consumers rely upon—such as cars, alert systems, or medical devices—it might make more sense to focus on the trust element associated with that service relationship. Doctors, therapists, accountants, and lawyers are all fiduciaries, entities who have a “position of superiority or influence, acquired by virtue of [a] special trust.” Similarly, IoT companies could be recognized as having a distinct fiduciary relationship with IoT device users. In addition to Jack Balkin and Jonathan Zittrain’s proposed “information fiduciary” duties regarding the use of customer data, IoT fiduciaries would have duties that reflect the nature of the service they provide and their particular ability to cause physical harm.

Like other fiduciaries, IoT companies would have a duty of care; specifically, a duty not to foreseeably cause harm to their consumers by discontinuing service, remotely altering a device, or otherwise engaging in digital repossession. IoT companies would also have a duty of loyalty, which would require them to act in the interests of the IoT device user. They would not be able to use data gathered by IoT devices to enrich themselves at the expense of device users, to identify violations of contractual terms, to report certain categories of illegal activity to law enforcement, or use digital repossession to punish undesired behavior. This duty could also forbid terminating service, digitally repossessing, or otherwise altering how an IoT device operates absent adequate warning or notice.

Relatedly, IoT companies could have a duty not to overreach in their contracts. This duty could be extrapolated from Williams v. Walker Thomas Furniture, which implied that companies owe a tort-like duty of good faith to their customers, especially when customers have limited choice in negotiating contractual terms. In the IoT context, this would prohibit the industry from including overly invasive contractual terms, holding IoT devices hostage by conditioning their continued utility on acceptance of new contract terms, or using notice purely as a liability shield.

In addition to creating new duties, it will also be necessary to reconceptualize the causation evaluation. Intervening causes of harm are not necessarily unforeseeable. Additionally, different IoT devices can cause different degrees of harm. An inoperative Fitbit will not cause much harm; an inoperative Nest might; an inoperative pacemaker, alert system, or vehicle almost certainly will. Because disabling devices will usually increase the likelihood of harm, rather than directly causing harm, a balancing test that weighs both the foreseeability of harm and its likely gravity would be useful in the IoT context.

The Industrial Revolution and the associated rise of “stranger cases” prompted courts to broaden the definition of negligence; the rise of mass production and sprawling transportation systems helped spur the products liability revolution. A similar expansion in liability is needed to correct the IoT-enabled power imbalance and ensure the law protects those most likely to be harmed.

This post is adapted from a forthcoming paper, “An Internet of Torts.”