When Cybersecurity meets Consent: On the Role of Fine Print in the Era of ‘Internet of Things’

By: Meirav Furth-Matzkin and Asaf Lubin

The proposed research will begin by surveying the federal and state statues, doctrines and case-law regulating the content of IoT consumer contracts in the United States.[1] It will shed light on the questionable legal enforceability of liability waivers and warranty disclaimers in this context. Although the law to date does not explicitly prohibit the use of such contractual clauses in IoT agreements, these terms may be susceptible to ex post judicial invalidation if they are deemed unconscionable or if the court finds that the consumer did not consent to the company’s terms of service (for example because the terms were buried in the fine print and were not sufficiently conspicuous).[2] The goal of this section will be to investigate whether courts invalidate such clauses in practice, and under what circumstances.

This part of the proposed research will also analyze the relevant sections of the recently proposed Restatement of Consumer Contracts (presented in May 2017 at the American Law Institute’s Annual Meeting). Recognizing that consumers barely read or review the terms of the fine print before entering into the transaction, the proposed Restatement advocates for the use of the unconscionability doctrine as “a primary tool against the inclusion of intolerable terms in the consumer contract.”[3] The proposed Restatement designates clauses that limit a business’s liability (or the consumer’s remedies) for any loss caused by intentional or negligent acts or omissions, or for death or personal injury for which the business would otherwise be liable, as presumptively unconscionable, especially in cases where the business “failed to take cost-effective measures to reduce the risk.”[4]

Under this legal backdrop, the project will empirically explore the prevalence of liability waivers and warranty disclaimers in agreements for the purchase of IoT devices, as well as the implications of such contractual terms for consumers and the market. For these purposes, a database of at least 100 IoT agreements (used by different companies) will be established. We have already obtained access to 15 agreements, most of which included various types of warranty disclaimers and liability waivers.[5] Hopefully, through the generous financial support of the H-CSRC, we will be able to collect at least 85 additional agreements (by purchasing various IoT devices or offering financial incentives for consumers to share their license agreements with me). After establishing a sufficiently large and representative sample, we will analyze and code the sampled agreements, with a particular focus on liability limitations and warranty disclaimers. As part of the coding, we intend to develop a taxonomy of IoT contracts, one which takes into consideration the unique functions of the associated IoT device and thereby its potential security and privacy risks. we have already acquired experience in collecting, coding and analyzing standardized contracts while working on my dissertation paper, which was awarded the Harvard John M. Olin Prize for the best paper in law & economics, and was recently published in the Journal of Legal Analysis.[6]

Following this in-depth inquiry into the content of IoT agreements, and building on its findings, we will proceed to empirically investigate the possible implications of the identified drafting patterns for consumers through a series of online experiments. The experiments will allow me to randomly assign consumers to read different types of contractual terms, and to test whether consumers’ perceptions, judgments, and decisions change as a result. For example, if a liability disclaimer is introduced in an IoT contract, would consumers be reluctant to file a suit against a company for damage caused to them as a result of cybercrime which was foreseen at the time of the purchase? Would they believe that such a liability disclaimer is legally enforceable? Would they perceive their purchase and use of the product as an expression of meaningful assent to the manufacturer’s terms and conditions? As we have recently conducted a series of experiments investigating consumers’ perceptions towards fraud and consent, we are certain that an experimental design would allow for a careful examination of consumers’ contract schemas and mechanisms.[7] 

Our hypothesis is that consumers are likely to fail to realize that the contractual terms to which they had “consented” can, in fact, be subject to judicial scrutiny and invalidation. This prediction is consistent with earlier findings showing that consumers are reluctant to bring claims to court when facing an unfavorable clause—such as an exculpatory clause, choice of law clause, or choice of forum clause—even when such a clause is unlikely to be upheld by the court.[8] In the housing market, for example, tenants feel bound by contractual terms to which they “consented” even when these terms are unenforceable and void according to applicable landlord and tenant law.[9]

 If this prediction holds true, it has important policy implications. Namely, it may be desirable to back regulation with strong enforcement measures. This is because putting the onus on consumers to bring claims when they are taken advantage of is unlikely to succeed if consumers’ beliefs about contract norms tell them they have not been wronged, or if they misperceive the legal status of the fine print in such cases. Accordingly, agencies such as the FTC and CFPB must be prepared to take on the lion’s share of enforcement. This is particularly important in light of a first-of-its-kind bi-partisan bill introduced in the Senate earlier this month for standardizing certain aspects of the IoT marketplace.[10] The study’s findings might have significant impact on the conversations that will ensue in the coming year over the drafting of the bill.

Finally, we plan to complement the experimental study with real-world evidence by conducting a field study, which will explore whether consumers will be willing to pay a premium for for ‘better contract terms’ (such as express warranties that the IoT product meets certain cybersecurity standards). My concern is that there will be no market for ‘better contract terms’ in light of consumer’s cognitive biases, such as present bias (defined as people’s tendency to over-value immediate rewards at the expense of their long-term intentions) and optimism bias (understood as people’s tendency to underestimate the probability that risks will materialize). If consumers underestimate the probability that they will be subjected to a cybercrime, and therefore discount the value of a contract that holds the manufacturer liable in such cases, there will be insufficient demand for ‘high-quality contracts.’ If my hypothesis is confirmed by the field study’s findings, such a behavioral market failure may warrant stronger regulation and enforcement measures in the market for IoT devices, including imposition of minimal cybersecurity standards that all IoT manufacturers must meet.[11]

 

[1] The U.S. is currently at the forefront of IoT technology and regulation. Therefore, the U.S. market will serve as an important test-case. My hope is to be able to conduct comparative studies, focusing on the EU and Israel, at a later stage of this project.

[2] See, e.g.,  Bao Kham Chau et al., Liabiltiy for Home IoT (MIT)(2015).

[3] See Proposed Restatement of Consumer Contracts, §5 p. 55

[4] Proposed Restatement of Consumer Contracts, §5 p. 57.

[5] For example, the Nest license agreement (common across all of its ‘smart’ products, including thermostats, smoke detectors, and security systems) stipulates as follows:“Nest Labs does not guarantee any specific results from the use of the product software. Nest Labs makes no warranty that the product software will be uninterrupted, free of viruses or other harmful code, timely, secure, or error-free. ”The agreement also includes the following liability disclaimer: “If you choose to use the product, you (the homeowner) will be solely responsible for (and Nest Labs disclaims) any and all loss, liability, or damages… Resulting from your use of the product in formation, product software, or product… even if Nest Labs knew or should have known of the possibility of such damages.” Notably, one of Nest’s devices has already been hacked. See: Takahashi, “Hello, Dave. We Control Your Thermostat. Google’s Nest Gets Hacked.”

[6] Meirav Furth-Matzkin, On the Unexpected Use of Unenforceable Contract Terms: Evidence from the Residential Rental Market, 9 J. Legal Analysis 1 (2017).

[7] See Meirav Furth-Matzkin & Roseanna Sommers, When Fine Print Meets Deception: On the Misleading Role of Consent in Shaping Consumers’ Misperceptions (under review; on file with the authors).

[8] Dennis P. Stolle & Andrew J. Slain, Standard Form Contracts and Contract Schemas: A Preliminary Investigation of the Effects of Exculpatory Clauses on Consumers’ Propensity to Sue, 15 Behav. Sci. L. 83 (1997); Tess Wilkinson-Ryan, The Perverse Behavioral Economics of Disclosing Standard Terms, 103 Cornell L. Rev. (2017).

[9] See Furth-Matzkin 2017.

[10] On August 1, 2017, the “Internet of Things (IoT) Cybersecurity Improvement Act of 2017” was introduced in the U.S. Senate. The proposed act would establish minimum cybersecurity standards for the Internet of Things (“IoT”) devices sold to the U.S. Government. The proposed bill attempts to safeguard the security of executive agencies’ IoT devices by directing executive agencies to include specified clauses in contracts for the acquisition of Internet-connected devices. The bill’s provisions leverage federal purchasing power to improve the security of IoT devices by requiring, among other things, IoT device, software, and firmware providers to certify compliance with specified security controls and requirements relating to vulnerability patching and notification, unless such contractors otherwise satisfy one of three waiver requirements.

[11] Such standards can be based on the standards set forth in the proposed IoT Cybersecurity Improvement Act of 2017. Currently, the bill is supposed to oblige only companies that work with the government. Because so many organizations do business with the Federal Government the hope is that this legislation will create a new minimum threshold for IoT security that will wind up being adopted within private industry as well. It could also create a baseline that courts would employ to determine liability in cases where they would need to determine whether a minimum level of IoT security was put in place. Yet, it is probably preferable to establish cybersecurity standards that all manufacturers must meet in legislation.