Cybersecurity & Standards

REPORT: Strict Product Liability and the Internet of Things

Increasingly, objects in our environment are computerized and networked, bringing both the promise and the peril of the internet to our everyday lives. We are starting to see serious harm resulting from errors, attacks, and misdesign of these systems, including recent deaths due to autonomous vehicles. It’s an unfortunate occasion to reflect on who will be held liable in the future for the harm caused by the failure of products with autonomous capabilities.

Today, we release a paper that examines issues in product liability for Internet of Things (IoT) devices to mark the start of a research agenda in this area. We expect that the digital technology industry is about to undergo a process of change akin to what the automobile industry experienced in the 1960s and 70s. Then, as now, insufficient security measures, dangerous design, or the adding-on of security features post-design were widely accepted industry practice. Those practices had to change as the perils of unsafe cars became obvious – as is increasingly the case today with IoT devices.

The benefits of technological advances also come with risks. It may be more convenient to have a ‘smart’ kettle, but what if such a kettle has buggy software that inadvertently turns the kettle on (or all similar kettles at once!) and starts a fire in the kitchen? What happens if it fails because a factory-set default password allows it to be hacked remotely, starting a fire? How would we know the cause of the failure – who is responsible for the cause – and ultimately who is liable for the damages caused?

Failures of IoT devices have a higher probability of physical injury, property damage or death – especially when these are so-called “cyber-physical systems” that use software and networking to control real-world physical objects, machines, and devices. This raises the possibility of applying law that has not, up until now, been widely applied to digital technologies: strict products liability. The paper here, “Strict Products Liability and the Internet of Things,” explores how strict product liability might be applied to digital goods at a time when the very fabric around us is being networked, computerized, and digitized.

As we suggest in the concluding section of our paper, a sea change will be required in software development practices so as to identify and remove defects. A minimum set of agreed-upon security practices for IoT products will be required, and these practices will have to be adjusted so as to be suitable to a wide range of contexts. Development of safety standards for autonomous systems will be required, which will have to be based on a firmer understanding of the risks of such systems than we possess today. Finally, some difficult questions will have to be answered around the appropriateness of open versus closed source software in certain contexts. If these questions cannot be answered adequately, and the costs of these ‘smart’ devices are disproportionately placed on those least able to avoid or bear them, we may have to rethink whether making devices ‘smart’ is such a smart idea after all.