Institute For The Future

EASY AS 00101010

Creating Policy for the Next Frontier of Tech Adoption

ToS. RATs. IP. CFAA. ECPA. AML. KYC. HIPAA. The alphabet soup of legalese and regulation surrounding technology is enough to make the most seasoned policymaker cringe. When our devices are implantable, ambient, continuously monitoring and sensing us, keeping us healthy— what happens then? The increasing adoption of wearables, and their interconnection, won’t just complicate things. Body area networks will open up new questions and opportunities for the role public policy will play in the future of digital technologies.

The debate about which policies will affect our bodies and the technologies we connect to them isn’t new, though. Relevant legislation around the world has created important paradigms in every area of our lives from genetic property rights to criminal liabilities when sharing data—even if we don’t know it.

A 2014 ruling from the Ontario Superior Court, for example, found that human tissue, once in the possession of a medical institution for testing, is no longer the property of the person it was taken from. Pacemakers and other medical devices have come under scrutiny in recent years for susceptibility to hacking.

In 2014, the United States Food and Drug Administration (FDA), issued guidance for the management of cybersecurity in medical devices. It recommends that manufacturers “address cybersecurity during the design and development of [medical devices].” In 2015, the Federal Trade Commission (FTC) called for an amendment to the Health Insurance Portability and Accountability Act (HIPAA), to increase privacy protections on networked medical devices by minimizing the amount of data device manufacturers can store. Meanwhile, cybersecurity researchers are concerned that finding vulnerabilities within such devices could make them criminally liable under the Computer Fraud and Abuse Act (CFAA).

As body area networks become a common part of our everyday lives, policymakers will be forced to adapt, erase, or create legislation to fit the desultory use cases digital technologies will generate for our individual and collective well-being. These technologies pose both new risks and new reasons why many existing policy frameworks are insufficient.

To begin, the adoption of body area networks brings a score of new privacy and security risks to the table for individuals, enterprises, and governing bodies alike. In 2011 the late computer security expert Barnaby Jack demonstrated the capacity to wirelessly hack insulin pumps. Just before his death in 2013, it was rumored Jack had developed a method to hack into wireless pacemakers. The problem extends well beyond medical devices, though. Last year, HP’s Internet of Things Research Study found that Internet of Things devices contain an average of twenty-five software vulnerabilities—per device. To make matters worse, in an era where our devices are increasingly connected to one another, as they will be within body area networks, a single security concern can multiply to several dozen security issues across devices. If our smartphones or watches are connected to industrial machinery or microbiotic sensors in our guts, how will we know the devices are secure?

A number of industry groups and regulatory bodies around the world are attempting to get ahead of these issues. In the United Kingdom, for example, the Online Trust Alliance (OTA), a technology consortium, has published a draft “Trust Framework for the Internet of Things,” which it hopes to pass on to regulators. Recommendations include mandating device manufacturers use HTTPS encryption by default, and conspicuously disclose all personally identifiable data collected to users. Part of the challenge will be getting regulators uniformly on-board, and doing so in a way that transcends international borders, while simultaneously respecting specific sovereignty issues or existing legislation.

To further complicate matters, a range of existing policies are encouraging the use of such connected personal devices before such regulations or standards are being adopted. The Affordable Care Act (ACA), for example, appeals to patients in the U.S. to become bigger players in managing their own health, using personal medical devices to do so. Companies that make personal health devices, in response, are calling on Medicare to incentivize doctors to encourage patients to use them. While ostensibly this poses challenges for cybersecurity legislation relevant only to healthcare, the wider impacts such policies have on data storage and brokerage could have ramifications in industries ranging from financial services to social media.

In addition, it’s unclear that end users will have ownership over data generated from such devices. While numerous bills, including the Data Broker Accountability and Transparency Act, have been introduced in the American legislature to regulate such issues, no votes have yet taken place to determine how such regulation will come to life. Nevertheless, the U.S. Supreme Court has held that one cannot expect a reasonable level of privacy over information that is given to third parties, or made available publicly. This is likely a point that will come under scrutiny amongst civil liberty advocates, who seek to protect such data from the grasp of government surveillance programs. Under Supreme Court doctrine today, however, such information falls outside the scope of the Fourth Amendment’s protections.

None of this is to say that there is not an opportunity for policymakers to use the rise of body area networks to develop legislation that enhances consumer protections while enabling commercial innovation. Already groups like the FDA are instituting best practices for updating implantable medical devices, allowing companies to build devices that can evolve and be integrated with body area networks. This is a first step. Regulators can extend these types of best practices into broader communication devices that will complement the array of devices within a body area network.

For example, instead of developing medical device classifications for smartphones, which could hinder further hardware innovations, establish such classifications for software, and open it to the broader software community to rigorously and continuously check systems for vulnerabilities. This would provide clarity to developers about levels of encryption and data security such devices must employ, and help detect and patch flaws in software before and after its deployment.

Furthermore, regulators should act to institute data brokerage legislation to allow consumers to transparently understand what components of their personal data are available in the public and commercial domains. Finally, putting forth regulations surrounding encryption and security practices that can continuously and easily be updated for the Internet of Things can help both businesses and consumers know what devices and software should be manufactured and purchased.

As with any policy, striking the balance of flexibility and rigor will be critical. In an age when our devices will be monitoring us, assisting us, and allowing us to perform our daily tasks in ways that we currently are only beginning to understand, doing so could mean the difference between human advancement or standing still.