Once upon a time, missing a payment on your leased car would be the first of a multi-step negotiation between you and a car dealership, bounded by contract law and consumer protection rules, mediated and ultimately enforced by the government. You might have to pay a late fee, or negotiate a loan deferment, but usually a company would not repossess your car until after two or even three consecutive skipped payments. Today, however, car companies are using starter interrupt devices to remotely “boot” cars just days after a payment is missed. This digital repossession creates an obvious risk of injury when an otherwise operational car doesn’t start: as noted in a New York Times article, there have been reports of parents unable to take children to the emergency room, individuals marooned in dangerous neighborhoods, and cars that were disabled while idling in intersections.
This is but one of many examples of how the proliferating Internet of Things (IoT) enables companies to engage in practices that foreseeably cause consumer property damage and physical injury. But how is tort law relevant, given that these actions are authorized by terms of service and other contracts? In this post I’ll elaborate on how IoT devices empower companies at the expense of consumers and how extant law shields industry from liability. In a future post, Accountability for the Internet of Torts, I’ll discuss what we can learn from prior tort law revolutions about how the law might evolve to hold these companies accountable. Overarchingly, a political economy perspective highlights how technological developments like the development of the IoT are not neutral—they enable new conduct, new relationships, and new kinds of harm that disproportionately affect the poor—and how law can be used either to preserve or correct resulting power imbalances.
Three characteristics of IoT devices—their ability to collect personalized data, their capacity for communication with a cloud-based service provider, and their physicality—combine to form a product that is simultaneously an object and an ongoing service. And, in most cases, an IoT device’s utility depends on the perpetual provision of that service: without Alexa Voice Service, an Amazon Echo is merely an expensive doorstop. As a result, instead of an association that ends with the purchase of an item, consumers now enter into in an ongoing relationship with IoT companies.
We’ve seen how connected products enable industry overreach before. Digital tech companies have long employed terms of service and digital rights management technologies to limit how consumers use purchased products—say, to keep consumers from sharing music or accessing an e-book. Borrowing tactics from earlier digital tech companies’ playbooks, IoT companies are using their terms of service to lock consumers into contractual governance regimes, thereby supplanting the “law of the state” with the “law of the firm.” They can then engage in digital repossession and other forms of technological self-help to enforce these contracts, sidestepping the state’s checks on unfair contractual provisions.
Such practices are concerning enough in the digital world, but they have even more sinister implications in the IoT context. IoT companies can harness devices’ extensive surveillance capabilities to impose and monitor compliance with increasingly invasive terms; they can condition necessary security and software updates on consumers’ assent to contract modifications; and they can digitally repossess items by remotely impairing or completely disabling devices.
But there’s also an entirely new problem: Because an IoT device interacts with the physical environment, there is an increased risk that consumers will suffer property damage and physical harm should a company digitally repossess it. Smart fridges are marketed as being able to warn you of food spoliation, but a disconnected one might increase your chances of food poisoning. You might sleep soundly, trusting an IoT baby monitor, senior lifeline, home security system, or fire alarm to notify you of a problem—but should a company remotely deactivate the alert system, your reliance could lead to tragedy. Your front or garage door could be left open because you left a bad review on Amazon. And IoT medical devices make the risks of digital repossession all the more obvious. If, as Ryan Calo has quipped, robots are “software that can touch you,” IoT devices are contracts that can hurt you. And these harms are most likely to fall on the poor, as they will disproportionately be subject to and suffer the consequences of digital repossessions.
To be sure, these are hardly the only issues associated with the growing IoT ecosystem. Recent scholarship has highlighted a host of others, including their weak cybersecurity, privacy harms, and national security and international security risks. There are also problems associated with expanded law enforcement and industry surveillance and increased opportunities for surreptitious consumer manipulation. There has even been some discussion of how IoT devices’ weak cybersecurity increases the likelihood of physical harm, as vulnerable devices can be hacked. Hackable cars, pacemakers, and other IoT devices certainly raise problems worth addressing, but the greater threat of harm is the more systemic acts of IoT companies with the power to digitally alter or repossess devices.
Classically, an injured individual could bring a tort suit to seek compensation for harm. But in addition to social and practical deterrents, a would-be plaintiff suffering from an IoT-enabled injury faces three significant legal hurdles. First, there is likely a contract between the consumer and the company that authorizes the digital repossession. Contract law does not price harms: it leaves that determination to the bargaining parties, sometimes to the extent that it “launder[s] injustice.” When a provision is so unfair as to be unconscionable, however, the provision is void, and tort law will operate as a backstop to price the harms. But while clauses limiting liability for harms caused by consumer goods are per se unconscionable, and while companies cannot overreach in setting their terms, courts are generally unlikely to find contracts limiting liability for property damage unconscionable—and they may even have a hard time linking a remote deactivation to a consumer’s physical harm. In short, absent a better understanding of how IoT-enabled harms operate and scale, judges are unlikely to declare clauses limiting liability unconscionable when evaluating individual cases.
Even if the contract is struck, a plaintiff will still need to prove breach of a duty and causation. But there is little clarity about what duties an IoT company owes users. And proving causation will be fraught, as the doctrine of intervening causes will likely relieve the company of liability. A digitally booted car doesn’t hurt you—it is the other car that hits you when you’re trying to escape an intersection that is the direct cause of your injury.
In short, IoT devices enable both familiar and new opportunities for harmful industry overreach, with the added twist that these practices can now cause physical harm and property damage. Simultaneously, there is little government oversight or routes of recourse for injured consumers under extant law.
But law can evolve. As with prior, technological change, the proliferation of IoT devices will necessitate a reconsideration of familiar liability analyses. In my next post, I will discuss how expanded understandings of duty and causation could correct the IoT-enabled power imbalance between companies and consumers.
This post is adapted from a forthcoming paper, “An Internet of Torts.”