Speaker 0
0:10 – 0:13
Welcome to Tech Talk. Bye. CT.
Speaker 1
0:13 – 0:14
Tea.
Speaker 2
0:16 – 2:30
Welcome to CDT's tech talk where we dish on tech and Internet policy while also explaining what these policies mean to our daily lives. I'm Brian Waslowski and it's time to talk tech. Almost everything is connected to the Internet today from household devices to traffic lights. What happens when these Internet of Things devices cause real harm? Whether it's damage to your home or the disruption of a critical service at a hospital. When it comes to liability for the Internet of Things, there are not easy answers, but we'll try to find some. And we'll also tackle the many questions around how the US Immigration and Customs Enforcement Agency or ICE is using data from license plate readers across the country. CDT has filed a FOIA request for information about a contract ICE awarded to a private company that provides subscription access to a massive license plate database. What does the public need to know about ICE's practices? A lot. If you look around your home, you'll undoubtedly see tons of products and devices that are connected to the Internet. Beyond your phone and laptop, you might have a fitness tracker, your thermostat, and maybe even one of your kids' toys. If you step outside, you might not notice, but even more devices are connected to the Internet, such as heat sensors, traffic lights, and oh so much more. So who is responsible when something serious goes wrong with these devices? The answer is rather unclear. Many of these Internet of Things or IoT devices are notoriously insecure, but have sailed under the radar for liability. Should that be the case? CDT's Ford Democracy Fund fellow, Benjamin Dean Benjamin Dean, I got that right, joins us to discuss. Welcome, Ben. Hello, Brian. So let's get started on this. Everyone probably has IoT devices, and you have a paper coming out on them. Clearly, you're concerned about them. Should general consumers be concerned as well?
Well, if we look back over the last couple of decades of digital technologies, and we're talking about Internet connectivity,
Speaker 1
2:30 – 3:17
software, kind of a tangential element is batteries. Over time, we've seen that these devices have got problems with them all these technologies. So there are flaws and bugs in software, other certain safety features not put in place for certain digital devices with batteries, so on and so forth. This is not a new problem, cybersecurity. It's in fact one that's only getting worse. And as we continue to integrate these digital technologies into more and more things around us, my concern is that without any changes in the way in which we design these technologies, that we're gonna see the same failures that have afflicted our computers and personal devices before, but now in things that can potentially hurt us. So
Speaker 2
3:17 – 3:26
let's go right to that. How can they hurt us? What are these potential harms? I mean, probably so many of us have these devices and think of them as not scary, but what could happen?
Speaker 1
3:27 – 4:49
Well, there are kind of two levels here. Remember that historically, whenever our digital devices failed, it was usually something that we think of as an economic cost. That is to say something that's an inconvenience. You have to sit down and reboot your computer, and really it hasn't hurt anyone physically. Well, I have the feeling that this is going to change. As we start a lot of the items that you listed in your introduction, if those devices fail, they could cause physical harm to people, or they could at least cause property damage. Now at a level above that, so not just the individual failures of the devices. Remember that when we connect all these devices to one another, we then create the potential for systemic risk. We're already kind of well, we've seen this many times in the digital kind of ecosystem. Just think about the Intel flaws, the Spectre/Meltdown flaw. While that hasn't resulted in physical harm or property damage, keep in mind that the same flaw existed in all of the chips across the ecosystem. Now when we start integrating more and more digital technologies into objects around us, the risks aren't just to one individual person. You can actually have cascading failure across the entire ecosystem that could potentially lead to physical harm or property damage, especially if you think in the context of connected cars, for instance.
Speaker 2
4:49 – 5:07
Yeah. Cars or, you know, energy grid, there's a lot of models where you could see IoT devices having pretty catastrophic effects on folks. So the paper you have coming out, which will be published on cdt.org at some point. We're getting on it. You talk about strict products liability.
Speaker 1
5:08 – 8:12
Tell us what that is and how that might relate to the Internet of things. Strict product liability is a theory of tort. Tort comes it's the French word for wrong, and the law of torts is grounded actually in the Seventh Amendment. Since we're in this Center for Democracy and Technology, let's stop for a second and do a brief digression and remind ourselves about the Seventh Amendment. The founding fathers of this country thought that it was so important that people should have a right to a civil jury trial that they put in your constitution a Seventh Amendment that gave people that right. We forget that sometimes it's in the bill of rights. And I can't think of anything more democratic than the right to go to court, have open proceedings and then have a matter, a private matter judged by a jury of one's peers. So just to remind everyone, Thomas Jefferson said, I consider trial by jury as the only anchor yet imagined by man by which a government can be held to the principles of its constitution. So good. Thanks. Tort law is one of the most democratic things that I can think about. And when we think about torts, I don't wanna go too deeply into it. This paper actually kind of goes through concepts from economics, technical concepts without going too deep. But just to go a little deep on torts, there are two theories that I go straight to. One is the strict product liability, and there's kind of a sister theory of torts, negligence. Okay. They usually come up together and what they concern is instances in which somebody has been harmed. Negligence, you have to go and prove a duty of care, and that there's been a breach of that duty of care, and there usually has to be contractual relationship between the parties. Strict product liability does away with that.
The basic idea is that some product or some action has been undertaken that is so unreasonably dangerous that and that the person that's been harmed really could not have done much about it, that the person who actually did the action that caused the harm should be held liable for the damages that are caused. Oh, interesting. Okay. This is something that becomes very important in a technological age. Consumers, quite simply, don't have the skills and the ability to be able to evaluate the relative safety of the digital products around them. Nor should they really when you get down to it. Absolutely. It's just it's not possible. And, really, those who design these products have got the inside view as to what the potential defects are in those devices, and also best placed to implement changes at the lowest cost that would mitigate the or at least reduce the probability of failures that could harm people further down the line. Okay. Give us just an example of that. You know? I mean, we've talked a little bit about the harms, but, you know,
Speaker 2
8:13 – 8:19
just some random device. Give us a sense just to kind of crystallize what you mean there. Let's go through two examples.
Speaker 1
8:19 – 9:45
One example you know, when I started doing this work a bit over a year ago, people told me that we don't hold people who develop software liable for damages caused or at least the companies that Yeah. Sell the devices with the software in them. About twenty years ago, there was a case though about an x-ray machine that had a bug in its software that gave too much of a dose of radiation to patients killed a few of them. So this is not new is my point. And it's certainly not unprecedented to hold producers of products with software that has bugs in it liable for the failure that results in harm. Let's think also perhaps a more contemporary example is fitness trackers. So fit well, think about what a fitness tracker is. It's an Internet connected computer on your arm with a lithium ion battery in it. Yeah. And when those devices fail, they it can cause physical harm. Fitbit already knows this because they were taken to court not so long ago because the devices were overheating and hurting people. They ended up paying a few million dollars in damages for that case. Oh, wow. So these are not hypothetical Yeah. Kind of examples. I actually think what we're seeing now is just kind of the earliest signs of what the potential damage could be if we don't sit down and start implementing more secure development practices and start thinking about ways in which to make these devices safer for consumers and for society.
Speaker 2
9:46 – 10:00
So the approach that you kind of outlined with products liability and torts and all this stuff that I'm gonna have to listen to again so I make sure I get that all right. Do you think this is a good path forward if to get a more secure world of IoT?
Speaker 1
10:01 – 11:57
I do. Keep in mind that the cybersecurity problems we have today, in part due to a series of market failures that have existed for a very long time. Now my paper goes into explain a number of these, but I just like us to focus right now on a concept called negative externalities. This is something that economists use as a term to describe a situation where products are designed or some economic activity takes place that imposes costs upon society that are not priced into the good at the time of sale. Usually, we think about things like pollution from driving one's car around. The pollution or the CO2 that's emitted from your car is not priced into the car itself, and in that way, we have kind of a suboptimal quantity produced. Now, one of the interesting things about liability is that it allows us one way in which to impose the costs that result from certain economic activity upon those who actually undertake the activity. In this way, I hope that we might be able to start forcing some producers to begin pricing in the costs of the insecure products and in that way, actually, design products in a safer way Mhmm. Than they have in the past. Helpful. The second element that we have to think about with products liability is that it acts as a deterrent. So one of the problems we might say about torts as well, you have to have the damages actually occur for people to actually go and seek compensation. There's actually second element here, and we should remind those organizations that wish to make things smart, if those things fail, they are likely to be held liable for the harms that are caused. So rather than releasing products that could cause harm, we might think a little bit ahead in a way in which we might design these products safer. And in that way, I think that the law of torts might be, act as a deterrent.
Speaker 2
11:58 – 12:14
Yeah. No. That makes a lot of sense. So, you know, just like we were talking a bit before we started recording, and I did ask, is there an appetite for this? And my hunch was no, that people would be opposed to this. But you think there might be somewhat of an appetite for this sort of approach. Why? Well,
Speaker 1
12:14 – 13:51
one of the interesting things about being in Washington is often we hear, in the wake of large scale systemic failures of digital devices, we hear calls like, we need new legislation to hold people liable for these costs. We need more regulations and so on and so forth. One of the great things about the law of torts is it's already in place. You don't actually require any changes and you have the in your bill of rights, you have the right to turn up in court, and pursue a civil case against people who have wronged you. So in a way, there's not really much changes needed. Those people who are harmed have got the right to go and pursue this course of action. And in that way, it's a little bit beside the point whether people like it or not. But let's think a little bit more though because there is a group of people who will say, well, this think about the innovation and think about the effects this will have on innovation. Well, let's unpack that concept of innovation and think a little bit about whether strict product liability will increase or decrease innovation. Innovation implies an idea of change, and that that change has got some implicit progress, some improvement that results from the change. Well, if we sit down and start designing products in a safer way, we do fulfill that criteria of change. And I would have thought we also fulfill the criteria of progress. At least we have greater progress in the sense that we have less damages caused by the technological change that occurs around us compared to the kind of damages that would occur without the safer technological development.
Speaker 2
13:52 – 14:03
So what's the path forward on this? I mean, obviously, you've certainly made me feel concerned about IoT devices. Not that I wasn't already paranoid. But what do you hope happens? What comes next?
Speaker 1
14:05 – 17:04
Well, let's take a relatively positive and optimistic look here. The good news is it's not too late. And the good news is that if we sit down and really think through how we might design these products in a safer way, we can probably avert the need to even take any of these negligence or strict product liability cases to court. Now in this paper, I finished with a series of questions in essence. One of the interesting things about this paper is that it raises more unanswered questions that we will actually have to sit down and work out over the next five to ten years. If we are to ensure that the devices that are released on the market are safe as possible. So, a couple of the ideas that I'd like to pursue after this, after the release of this initial paper, I'd like to start thinking about what a digital defect might be. If you sit down with the technical folks, they'll rightly point out to you that not all bugs or vulnerabilities, not all vulnerabilities are exploitable in the same way. And they're quite right. So we're gonna have to sit down and actually work out well which bugs are avoidable and which ones are not. And in that way actually start determining in a very sensible way, what is an actual defect and which ones are not. The second area that we might look into has to do with the question of open versus closed source software. One of the really unique parts of this digital technology is that we do have this concept of open versus closed source. And it's not entirely clear to me what kind of application of liability should occur in the event that open versus closed source software is in question. We know that the open source community has delivered a number of products over time that had huge benefits across all of society. And I don't think anybody wants to see the open source software movement go away.
In fact, one of the best things about the open source software is you can actually have a look at the code itself and identify whether there are any defects in it before you use it. That's terrific. On the other hand though, we have communities of people, and it's very hard to actually determine who is liable in the event that messy open source code is used and then results in failures. You know, on the other hand, we don't want open source software leading to people to be hurt. So we have some questions sort out there. We also have to think about closed source software. Think through for a consumer if you want to sit down and work out whether the software that you're purchasing is safe or not. Closed source software doesn't actually let you do that. In fact, a lot of producers put in place technical measures to stop you from even having a look. It's illegal. So how should we treat this differently when we sit down and think through what risks the consumer's exposing themselves to in buying open versus closed software closed source software? Event that that software fails. Now I don't wanna focus too much on software, but that's just one example. There are countless other examples, I think, in the whole spectrum of different tech digital technologies,
Speaker 2
17:05 – 18:40
but those are perhaps two areas that are worth thinking about a little bit more. Yeah. And we didn't even touch on it here. But, you know, as you were talking through all that, I thought, well, gosh, wouldn't some of these things be neat to have governments build in vulnerabilities that they could exploit? But that's a topic for another, so we're not gonna go there. Ben, thank you so much for joining. Everyone should check out your paper, cdt.org. We'll have to have you on again soon. Thanks, Ben. Thank you. If you own a car, chances are your license plate has been captured by a commercial license plate reader at some point and is now in a massive database of license plates. The information that these readers record about you goes far beyond just your license plate number, though. They record your location, the time you were there, and sometimes they even snap a photo of you and your passenger. That's a lot of personal information. And when this data is collected over time, it could paint a detailed picture about who you are and what you do. So when the US Immigration and Customs Enforcement Agency, or ICE, contracted with a private company to access a commercial license plate reader database, CDT had some questions and sent a FOIA request for more information. CDT's legal fellow, Mana Azirami, joins us now to talk about what CDT hopes to find out. Welcome, Mana. Hi, Brian. See, that's the energy that we invited you on for. She has been wanting to do this podcast since she's joined CDT and now here she is. So what does ICE want to access? Why or why does it want access to all this license plate data?
Speaker 0
18:40 – 19:49
License plate reader data reveals quite a lot as you mentioned. It provides a snapshot of where you were at a particular time and place and over time could reveal your associations and sensitive information like your political and religious beliefs. So this data can be incredibly valuable to law enforcement while they conduct investigations. For example, if your car has been stolen, license plate readers can help law enforcement locate the vehicle. Sounds useful. It certainly can be. In the case of ICE, they have two offices, the Office of Enforcement and Removal Operations, which deals with enforcing immigration laws, and Homeland Security Investigations, which investigates a number of criminal activities like human trafficking and drug smuggling. ICE has stated that they want access to this data because it'll be useful deportation, or it would be helpful in tracking down a vehicle associated with smuggling. They also want this data because it will greatly reduce the man hours needed for physical surveillance. Gotcha. And just so folks know, LPR,
Speaker 2
19:50 – 20:11
that's short. Go for it. Or a license plate reader. I mean, that is someone who's written a FOIA request saying that. Shorten it down. Okay. So what do we know about ICE's policy? I mean, obviously, this is sensitive information. So what's their policy when it comes to accessing this data? Do they have rules and practices in place? And what specifically do you wish you knew more about their practices?
Speaker 0
20:12 – 21:58
Yeah. It's worth saying at the outset that ICE has acknowledged that there are serious civil liberties issues associated with having access to this data. And some of what we know about their policy are their efforts to mitigate the extent to which they violate our privacy. So we know a number of things. We know that ICE has query based access to this database, so they have to search using a license plate number. We know that they will not contribute data to the database. ICE agents can only access this database and query a license plate if it is related to an ongoing investigation, which can be interpreted very broadly as you'd imagine. But they must, for every query completed, provide details on which investigation the query is associated with. ICE has limited the number of personnel that can directly access the database, but those agents can complete queries for officers who don't have direct access. Mhmm. A record of all the queries will be kept, which enables an audit of the queries to ensure conformity with whatever internal policies they develop. Unfortunately, ICE's latest privacy impact assessment does not make clear when these audits will take place, but, presumably, they will take place. We know that ICE agents will have to go through some training on how to properly use this database in a nondiscriminatory fashion before they can access it. And we know that ICE has self-imposed restrictions such that ERO agents, the ones dealing with immigration, can only access five years of license plate reader data for every query, which frankly isn't much of a restriction, but it is a restriction nonetheless. And they can access even more historical data with permission from their supervisor. It's worth noting that all of what I've just described are matters of policy and can be changed at ICE's discretion.
Speaker 2
21:59 – 22:19
Ah, okay. So it sounds like we know a fair amount, but there's a lot more in terms of actually what's happening and gotcha. One of the other things you highlight, you know, there's a great blog post that Mana wrote online at cdt.org. And you talk about ICE's hot list. What is the hot list, and why are you concerned about it?
Speaker 0
22:20 – 23:14
So the hot list allows ICE to be alerted when new data is collected about a specific license plate number. For example, say an ICE agent is trying to track down an individual, so they place their license plate on this hot list. When a license plate reader connected to this commercial database spots that license plate, it sends that agent an alert. Oh. Again, helpful function for law enforcement. But you're right. We have concerns with this practice. This hot list feature puts someone under constant surveillance. Imagine having your movements in your car tracked constantly and pinged to an ICE agent. ICE's policy is somewhat positive in that a designated license plate is set to expire after a year, at which point the license plate number is removed from the hot list. However, the agent need only renew the designation. So for practical purposes, the surveillance could be indefinite. When an Oh. Sorry.
Speaker 2
23:15 – 23:18
Have a sip of water. It's okay. We ask a lot of questions on
Speaker 0
23:22 – 23:49
here. So, when an individual is subjected to this treatment, to this type of surveillance, we need to know why. We want ICE to be clear about what behavior or threats warrant placement on this list. The placement on the hot list should be severely constricted. And, unfortunately, this technology makes the decision of who warrants constant surveillance a lot easier for law enforcement because they don't have to dedicate man hours to physically tracking someone. They don't need to allocate resources judiciously.
Speaker 2
23:49 – 24:20
Yeah. No. That would be a really interesting picture, Pam, just picturing my car in the hot list. You will learn way too much about me. Although, most of you would learn that I don't drive it too much. It's parked there for a bit. So tell me, another thing, obviously. I mean, we haven't talked about these yet. The cameras themselves, you know, and, you know, how these are commercial cameras all over cities, and non cities. Why is placement an issue for you? You mentioned that actually as well. You want more information about that.
Speaker 0
24:21 – 26:02
Yeah. So DHS and ICE have two policies that to a certain extent restrict their enforcement activities. One on racial profiling and one on activities at sensitive locations. I'm concerned that using a commercial vendor without proper limits inhibits conformity to these policies. Mhmm. So for example, ICE is prohibited from considering race or ethnicity in its daily law enforcement activities in all but some exceptional circumstances. We don't know where or how their commercial vendor places license plate readers. We don't know if specific communities have been targeted on the basis of race or ethnicity. Their partner in this case is Vigilant Solutions. We don't know, for example, if Vigilant Solutions thinks it's good business to target certain communities because they believe that's what law enforcement will find most useful and what law enforcement will want to pay for. ICE also has a policy prohibiting enforcement actions, including surveillance at certain would have been deemed sensitive locations, absent specific exceptions. Sensitive locations include places of worship, schools, hospitals. This is an Obama era policy, the purpose of which is to minimize disruption of immigrant communities and to prevent individuals from feeling too scared or frightened to access necessary services like medical care at hospitals. ICE claims they will continue to abide by that policy, but, again, we don't know where the license plate readers are placed. If they're located at schools, hospitals, places of worship, and ICE accesses data from those readers. That's not abiding by their policy. This is why we want the contracting information and their communications with the vendor. We want to see how, if at all, ICE and the vendor plan to address this problem.
Speaker 2
26:03 – 26:19
That's a lot of good questions there. These license plate readers, are they connected at all to speed cameras? Because then people would know where they are. No. You don't know. We just don't know. Right? That's the thing we don't know. So you sent in the FOIA, Freedom of Information Act request. Do you think you're gonna get a response from this? Are you hopeful?
Speaker 0
26:20 – 26:52
I'm hopeful about getting something back. I don't think we'll get everything. We asked for a lot of information that ICE won't want to share, but I'm hopeful that we'll get some of it through communications with the FOIA office. For example, a priority item is a document they specifically referenced in their recent privacy impact assessment, outlining the principles and practices ICE adheres to when accessing and using LPR data. This will help us determine what we're dealing with here. I think it's possible we might get some of the contracting information
Speaker 2
26:52 – 27:43
and perhaps some of their training materials, but we'll see. Well, let's hope so, and then we'll follow up on that. People should, again, check out Mana's blog online and her beautiful FOIA request. I got to read that. It was a lovely piece of writing. Obviously, a great lawyer. Thank you for joining us, Mana. Thanks, Brian. That's it for this episode of Tech Talk. For the latest Internet of Things more secure and our challenges to overly intrusive government surveillance, follow us on Twitter, like us on Facebook, or just visit cdt.org. And if you want to meet the cool folks from CDT, join us for Tech Prom on March 29. More information about the event can also be found on our website. I'm Brian Wasilowski. Thanks for listening.