WORKING PAPER Surfing the third wave of computing: a framework for legal analysis of socio-technological change arising out of eObjects Kayleen Manwaring1 Abstract A new model, o thi d a e , of computing is emerging, based on the widespread use of processors with data handling and communications capabilities embedded in a variety of objects and environments that were not previously computerised. Various terms have been used to describe this third wave, including u i uitous a d pe asi e a o puti g, ie t i tellige e , a d the I te et of Thi gs . A previous paper coined the term eO je ts fo the e t al ele e t of this thi d a e, and developed a technical framework for research into legal, business and policy issues arising from this trend, based on the attributes of, and interactions between, eObjects. The implementation and use of eObjects contain some significant innovations. With the socio-technological change brought about by these innovations comes the possibility of a disconnection between the law and the new things, activities, and relationships enabled by eObjects. This second paper proposes a theoretical framework through which to analyse the impact of this change and the legal problems that may arise. It then continues on to marry the technical and theoretical framework in order to examine the key innovations arising from the attributes of eObjects and begins the process of uncovering and analysing legal problems that may arise. 1 Introduction [A]s technology changes, legal dilemmas arise. As technological change becomes increasingly rapid, the need for a methodological approach to these problems becomes increasingly urgent.2 1 Lecturer, UNSW Business, School of Taxation & Business Law and PhD candidate, UNSW Law, UNSW Australia. Please direct any comments about this working paper to kayleen.manwaring@unsw.edu.au. Beginning with Mark Weiser in the early 1990s, commentators have been predicting the widespread consumer and commercial adoption of a third wave of computing . This third wave encompasses the development and commercial and consumer use of previously unconventional forms of distributed information technologies, including smartphones, wearable computers and human ICT implants. This third wave contemplates a sociotechnological shift where access to networked computing is no longer confined to desktop machines, but where sensors and microprocessors with internetworking capabilities are embedded in everyday objects and environments not previously computerised, such as cars, fridges, people and animals. This new model has been called a number of different names, most commonly ubiquitous and pervasive computing, ambient intelligence , and the Internet of Things . There has been a plethora of technical literature discussing these terms. Unfortunately, the literature reveals considerable inconsistencies and confusion around their definitions and use. An earlier article3 traced the history of these terms and their various uses, and proceeded to extract and analyse the key attributes of the terms. That paper proposed a new term, eO je t , fo the e t al te h ologi al ele e t of the e odel, a d defi ed that te as: An eObject is an object that is not inherently computerised, but into which has been embedded one or more computer processors with data-collection, data-handling and data communication capabilities. However, while this definition outlines the core attributes of the new model, by itself it does not give a full picture of the types of technologies that the literature discusses. Therefore, this earlier paper went on to outline a research framework of core and common attributes to assist in exploring legal, business strategy, and public policy problems that might arise out of socio-technological change brought about by eObjects. These included technical attributes such as volatility and vulnerability, as well as functional attributes such as 2 Lyria Bennett Moses, 'Recurring dilemmas: the law's race to keep up with technological change' (2007) 2 University of Illinois Journal of Law, Technology & Policy 239, 285. 3 Kayleen Manwaring and Roger Clarke, 'Surfing the third wave of computing: a framework for research into networked eObjects' (2015) 31 Computer Law & Security Review 586 increased mobility of devices and people, the change in the geographical extent of technology, the use of context-aware and autonomic decision-making technologies, and the likelihood of decreased visibility due to implicit human computer interaction, just to name a few. This paper builds on the earlier article and shifts the emphasis to implications of sociotechnological change arising out of eObjects, and investigates possible repercussions for the development of the law. It uses the technical framework developed in the previous paper to assist in an analysis of potential legal problems that might arise. In addition to the technical framework, Part 2 of this paper proposes a theoretical framework through which to analyse the impact of socio-technological change brought about by eObjects. This framework outlines the categories of legal problems that might arise because of the new things, activities and relationships made possible by eObjects. It also proposes that the most fruitful way to begin an analysis of legal problems is through identification and examination of the innovations that arise out of the attributes of eObjects. Part 3 marries the technical and theoretical frameworks together, demonstrating how they can be used to develop a legal analysis of the socio-technological change brought about by eObjects. Firstly, key innovations arising out of particular attributes of eObjects, and the interactions between them, are identified. These innovations have been chosen as the ones most likely to cause significant harm to individual users of eObjects. Illustrative examples of existing and potential legal problems arising out of these key innovations are then explained and categorised. It is not possible within the scope of this paper to be comprehensive in such an analysis, due to the nature and diversity of innovations within eObjects and possible effects on the law. However, the purpose of this paper is to provide a roadmap for further research that concentrates on more confined issues and/or legal areas in depth. 2 The interaction between socio-technological change and law The current state of technology limits, in practice, what actions we can perform, what objects we can create, and what relationships we can form. It is thus common for technological change to impact the law, which limits what actions we may perform, what objects we may create and use, and what relationships will be recognized.4 The o ept of so io-te h ologi al ha ge used i this pape a k o ledges that ele a t does ot a ise o l i i u sta es he e a e p odu t o p o ess is de eloped or an existing product or process is modified. Socio-technological change also occurs where new forms of conduct enabled by new or modified technologies emerge to form part of social practice.5 Where particular socio-technological changes have significant impacts, questions about how law and other regulatory tools should respond will inevitably be asked. In particular, should the new actions, products and/or relationships brought into being be permitted, prohibited, encouraged, required6 or limited in some way? And if so, how? Changes to law or other forms of regulation should of course be approached cautiously. Failure to prohibit particular activities may lead to socially undesirable results, 7 such as allowing unlimited surveillance of private spaces. Ho e e , p e atu e, o e -reaching or e essi e la aki g a … e a optio o se tha doi g othi g , pa ti ula l he e investment in beneficial new technologies may be unnecessarily fettered or driven offshore by regulatory interference and compliance costs.8 It is also important to remember that just because a technology is new, or significantly changed, does not by itself mean that its applications operate outside of the scope of existing law.9 A new technology, especially in the ICT industry, is rarely completed unregulated by existing law. For example, a new product is still usually subject to existing tortious principles and product liability regulation, 4 Lyria Bennett Moses, 'Why have a theory of law and technological change?' (2007) 8 Minnesota Journal of Law, Science & Technology 589, 594. 5 Lyria Bennett Moses, 'How to Think about Law, Regulation and Technology – P o le s ith Te h olog as a Regulatory Target' (2013) 5 Law, Innovation and Technology 1, 10. 6 Roger Brownsword, Rights, Regulation, and the Technological Revolution (Oxford University Press 2008), Ch 6. 7 Michael Kirby, 'The Fundamental Problem of Regulating Technology' (2009) 5 The Indian Journal of Law and Technology 1, 11. 8 Ibid, 12. 9 Bennett Moses, 'How to Think about Law, Regulation and Technology – P o le s ith Te h olog as a Regulatory Target', (n 5), Error! Bookmark not defined.. those selling it subject to consumer protection and competition law, and creators able to protect it under existing intellectual property legislation.10 Even with the very real problems envisaged by the Collingridge dilemma, there is no need to overreact to technological change with unnecessary regulation. A thief who steals a driverless smart car is still clearly in breach of section 154F of the Crimes Act 1900 (NSW). What may be uncertain is who is liable in a driverless car accident causing injury or property damage: the thief; the owner; the manufacturer; and/or the programmer of faulty software? However, in many (although not all) cases there are legitimate reasons for law or, more broadly, regulation, to change as technology or the socio-technological landscape changes. O e a this has ee o e tio o dis o ha a te ised is Bo s o d, as the halle ge of egulato e tio .11 The concept of regulatory disconnection encompasses the discrepancies between existing law and other regulation created to order a previous socio-te h ologi al e i o e t, hi h the e ui e e o e tio ith e a tio s, products and relationships made possible by new technologies.12 This issue has also been ha a te ised as a o e that la i he e tl has p o le s keepi g up te h ologi al ha ges, so eti es efe ed to as the pa i g p o le ith .13 The need to address regulatory disconnection in a timely manner is drawn out by examination of the pote tial effe ts of hat has ee la elled the Colli g idge dile o as Colli g idge hi self des i ed it, the dile a , 14 a of so ial o t ol .15 The Collingridge dilemma, in the context of law and other regulation, can be described as the recognition that: 10 Lyria Bennett Moses, 'Agents of Change: How the Law Copes with Technological Change' (2011) 20 Griffith Law Review 763, 768. 11 Brownsword, Rights, Regulation, and the Technological Revolution (n 6). The challenges of regulatory connection and disconnection are discussed in detail in Chapter 6. 12 Bennett Moses, 'How to Think about Law, Regulation and Technology – P o le s ith Te h olog as a Regulatory Target', (n 5), 7. 13 See eg Gary E Marchant, Braden R Allenby and Joseph R Herkert (eds), The Growing Gap Between Emerging Technologies and Legal-Ethical Oversight: The Pacing Problem (Springer 2011). 14 Bennett Moses, 'How to Think about Law, Regulation and Technology – P o le s ith Te h olog as a Regulatory Target' (n 5), 8; Roger Brownsword and Morag Goodwin, Law and the Technologies of the TwentyFirst Century: Text and Materials (Cambridge University Press 2012), 132. 15 David Collingridge, The social control of technology (Pinter 1980), 11. potential benefits of new technology are widely accepted before enough is known about future consequences or potential risks to regulate the technology from the outset, while by the time enough is known about the consequences and possible harms to enable regulating it, vested interests in the success of technology are so entrenched that any regulatory effort will be expensive, dramatic and resisted.16 A number of categories of eObjects are already very much in evidence, and others are at the prototype stage. Some contemplated eObjects, on the other hand, are as yet purely speculative technologies, or are at an early stage of development. However, the possible negative results of the Collingridge dilemma may dictate a need to respond to technologies as they emerge, and even before they come into existence or into commercial use. Once a technology has been fully developed, there is usually a strong incentive to resist any regulatory change, due mainly to the expense of changing technological design. Therefore, in some cases it may make sense to implement new regulation before the technology is fully developed and/or the risks are fully known.17 In order to answer the question posed in the first paragraph in Part 2, this paper adopts the approach proposed by Bennett Moses in 2007.18 Bennett Moses classifies problems that might arise out of a failure of regulatory connection in the context of technological change into four categories (and associated subcategories): (1) there may be a need to create special rules designed to ban, restrict, encourage, or coo di ate use of a e te h olog ; [ new harms or benefits”] (2) there may be a need to clarify how existing laws apply to new artifacts, activities, and elatio ships; [ un ertainty”] (3) the scope of existing legal rules may be inappropriate in the context of new technologies; [ under- or over-in lusiveness”] and 16 Morag Goodwin, 'Introduction: A Dimensions Approach to Technology Regulation' in Morag Goodwin, BertJaap Koops and Ronald Leenes (eds), Dimensions of Technology Regulation (Dimensions of Technology Regulation, Wolf Legal Publishing 2010), 2. 17 Bennett Moses, 'How to Think about Law, Regulation and Technology – P o le s ith Te h olog as a Regulatory Target' (n 5), 8. 18 Bennett Moses, 'Recurring dilemmas: the law's race to keep up with technological change' (n 2). (4) existing legal rules may become o solete. [ o soles en e”]19 Be ett Moses app oa h is helpful particularly because it also recognises that some changes in technology will not give rise to regulatory disconnection, and even those which do to some extent will not create problems in all of the above four categories.20 This approach also actively discourages any assumptions that just because a technology is new, it automatically generates uncertainty or a need for new rules.21 The e is o e ha ge I ould p opose to Be p oposed a atego ett Moses atego ies. Bennett Moses has of u e tai t , ut has confined this to a concept of legal uncertainty, where it is unclear whether new artefacts, activities or relationships have particular rules that apply to them. Bennett Moses specifically excludes diffi ult of appl i g the la to the fa ts a d othe fa to s elati g to litigatio f o this atego 22. However, as a result of my analysis of problems that arise out of eObjects, I would propose an additional category, p a ti al u e tai t . Practical uncertainty arises in circumstances where it is uncertain how facts surrounding the development, use or sale of eObjects will be viewed when applying the law. For example, it may be clear that the law of negligence applies to the manufacture of an eObject, but what may be unclear is exactly what type of design flaws would actually constitute negligent manufacture. This type of uncertainty may persist for some time, even if eventually a judge clarifies the situation. And while this type of uncertainty exists, so does the potential for a surge in litigation, an increase in insurance premiums and/or exclusions. All of these risks may well limit investment in and development of beneficial technologies, and therefore Collingridge dilemma-type problems may be found in this category. Throughout this paper, I have separated into two the concepts of practical uncertainty and legal uncertainty. However, one category may suffice for further research, with the appropriate amendments to Bennett Moses defi itio s. So how do we discover whether one or more of these types of problems arises in the case of particular eObjects? How do we best approach a review of existing regulation to examine if 19 Ibid, 285. Ibid, 246. 21 Ibid, 252. 22 Ibid (n 2), 250. 20 there is a need for new legal rules to manage new risks or to encourage new behaviours, or if there exist legal rules which are obsolete, under or over-inclusive, or are uncertain? Koops, in his 2010 attempt to map the field of technology regulation research, placed pa ti ula i po ta e o the di e sio of i o atio and the fact that non-innovative technologies are more likely to operate within existing regulatory frameworks than adi all e te h ologies . 23 Ho e e , he also e plai s that i o atio is ot o fi ed to technologies that did not exist previously, but includes technologies which may have existed for some time, but where some form of change in the socio-technological environment has led to them becoming far more widely used. He argues that [i]t is far from rare that a change in the scale of a technology gives rise to significant regulatory uestio s .24 The efo e, i o atio a e see he a old te h olog e o es significantly more popular, or is re-purposed to achieve different outcomes. It is useful then to examine the innovations contained within or around eObjects to see he e p o le s falli g i to o e o o e of Be ett Moses atego ies will most likely arise. Although some of the technology comprised in eObjects, such as Internet connectivity, may not be radically new , when compared with other innovations such as cloning or nanotechnology, a search for innovation should not be narrowly circumscribed to mere technical advances. For example, it is part of the very nature of the thi d a e that many o e thi gs , or eObjects, will be connected to the Internet (or other internetworks) than previously. A change in scale this significant is likely to cause social change, which in itself may give rise to legal problems. This section has identified the types of legal problems that might arise as a result of sociotechnological change brought on by the development of eObjects. The categorisation of legal problems is important because it assists in ensuring that any legal problems identified are specific and defined, and reduce the likelihood that there is an overreaction to sociotechnological change. The next section illustrates how this categorisation can assist in a legal analysis of the socio-technological change brought about by the introduction of and 23 Bert-Jaap Koops, 'Ten dimensions of technology regulation. Finding your bearings in the research space of an emerging discipline' in Morag Goodwin, Bert-Jaap Koops and Ronald Leenes (eds), Dimensions of Technology Regulation (Dimensions of Technology Regulation, Wolf Legal Publishing 2010), 313. 24 Ibid, 314. growth in scale of the use of eObjects. It will do so by discussing some of the critical innovations contained in eObjects, based on the technical framework developed in the first paper. Those innovations will be examined in order to develop a number of sample analyses of new things, activities and relationships arising out of eObjects, and the possibility that legal problems may arise out of these aspects of socio-technological change. Each innovation will be examined to identify the new things, activities and/or relationships that may be created because of the innovation. The interaction between innovations will also be examined, with the same purpose. Next, the paper will identify some general areas of law affected by these new things, activities and/or relationships, in which legal problems might be found. One or more examples will then be discussed in detail, in order to identify specific legal problems that may arise. It is not possible to be comprehensive in such an analysis, due to the nature and diversity of innovations within eObjects and possible effects on the law. However, this paper is intended to provide a roadmap for additional research where particular issues and legal areas will be explored in more depth. 3 Dimensions of innovation What is really different about mobile computing? The computers are smaller and bits travel i eless athe tha Ethe et. Ho a this possi l ake a diffe e e? Is t a o ile system merely a special case of a distributed system? Are there any new and deep issues to be investigated, or is mobile computing just the latest fad?25 Although Satyanarayanan asked this question about mobile computing, the same questions can be asked generally about the broader range of technologies encompassed within eObjects. This section of the paper will discuss socio-technological change arising out of some important innovations within eObjects. These innovations are not confined to developments in technical features, but also to changes in when and how the technologies are used. 25 Mahadev Satyanarayanan, 'Fundamental challenges in mobile computing', Principles of distributed computing: Proceedings of the fifteenth annual ACM symposium (Principles of distributed computing: Proceedings of the fifteenth annual ACM symposium, ACM 1996), 1. As discussed in Part 2, in innovations ased o o epts ot o l of e ess ut i changes of scale or purpose) lie some of the likely places for legal researchers to look for legal problems. The first paper in this series26 outlined the common attributes of eObjects. Many innovations can be identified using this framework of attributes. These innovations – both technical and functional - have given rise to significant changes in how people use and interact with information technologies. However, it is important to remember, especially considering the large amount of marketing hype that exists regarding the potential of eObjects, that ma i o atio s ha e side effe ts that are not beneficial. Putting computers where no computers have previously existed creates technical problems that need to be overcome, act as constraints on performance or function, or provide affordances which may be beneficial to the creator but a disbenefit to the people being acted upon by the technology (for example sensor technologies that allow for collection of large amounts of personal information). Detriment to users may also arise when the law applies more restrictively to an activity that is carried out via an eObject as opposed to the same activity carried out using non-innovative technologies. This paper concentrates on innovations that are most likely to contain some form of disbenefits for individual users of eObjects. These innovations include:   increased volatility and vulnerability of computers and computing resources (see 3.1 and 3.2); the reintroduction of physical world concerns into cyberspace, particularly where the physical world affects and is affected by eObjects with attributes such as vulnerability     26 and active capacity (see 3.3), the effect of the mobility of eObjects (see 3.4); and the adaptability of eObjects to the context surrounding them, particularly when combined with geo-locatability and prevalence (see 3.5); the different levels of implicit human computer interaction, particularly where it leads to reduced visibility of the device (see 3.6); and the increased use of autonomous or semi-autonomous devices (see 3.7). Manwaring and Clarke, 'Surfing the third wave of computing: a framework for research into networked eObjects' (n 3). It is not only the characteristics themselves, but also the relationships between them, which give rise to significant innovations in the way human beings interact with the technologies. These innovations in turn can raise questions about how these interactions are and should be regulated. One illustration can be drawn from the interaction of the characteristics of mobility, adaptability and prevalence. Mobility and prevalence of portable smart devices containing sensors, and the mobility of users interacting with smart environments with embedded sensors and communication links, mean that the places at which data might be captured have increased exponentially. The use of context-aware devices means that a particular action by a user actually generates more data about that user: where, when, how (and the list goes on). This all means that there is a lot more data being captured, much of which is stored, mined, manipulated and disclosed to third parties. It is not therefore surprising that most of the legal literature discussing eObjects concentrates on the privacy and data protection implications.27 This is due to the ready availability of this potentially vast store of data about individuals, their lives, and their preferences, and in particular the inadequacy of existing laws and security systems to protect individuals.28 However, legal problems that may arise from the collection, storage 27 Note that these two terms are distinct, although they can be overlapping. For a discussion of the distinction, see for example R. Gellert and S. Gutwirth, 'The legal construction of privacy and data protection' (2013) 29 Computer Law & Security Review 522. Others have further broken down the distinction into distinct di e sio s eg Roger Clarke, 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms (last updated 21 October 2013)' <http://www.rogerclarke.com/DV/Intro.html#Mis> accessed 15 December 2015 o t pes eg Rachel L Finn, David Wright and Michael Friedewald, 'Seven Types of Privacy' in Serge Gutwirth and others (eds), European Data Protection: Coming of Age (European Data Protection: Coming of Age, Springer 2013). 28 Eg Scott R Peppet, 'Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent' (2014) 93 Texas Law Review 85, Anne Uteck, 'Reconceptualizing Spatial Privacy for the Internet of Everything' (PhD thesis, University of Ottawa 2013), Robert M. Davison, 'The privacy rights of cyborgs' (2012) 27 Journal of Information Technology 324, Adam D. Thierer, 'The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns Without Derailing Innovation' (2015) 21 Richmond Journal of Law & Technology , Grace Li, 'Deciphering Pervasive Computing: a Study of Jurisdiction, E-Fraud and Privacy in Pervasive Computing Environment' in Varuna Godara (ed), Risk Assessment and Management in Pervasive Computing: Operational, Legal Ethical and Financial Perspectives (Risk Assessment and Management in Pervasive Computing: Operational, Legal Ethical and Financial Perspectives, Information Science Reference 2009), Kevin King, 'Personal Jurisdiction, Internet Commerce, and Privacy: The Pervasive Legal Consequences of Modern Geolocation Technologies' (2011) 21 Albany Law Journal of Science & Technology 61, Nancy J King, 'When Mobile Phones Are RFID-Equipped — Finding EU-US Solutions to Protect Consumer Privacy and Facilitate Mobile Commerce' (2008) 15 Michigan Telecommunications & Technology Law Review 107, Rolf H. Weber, 'Internet of things – New security and privacy challenges' (2009) 26 Computer Law and Security Review: The International Journal of Technology and Practice 23, David Wright and others (eds), Safeguards in a world of ambient intelligence, vol 1 (The International Library of Ethics, Law and Technology, Springer 2008). and distribution of large amounts of data made possible by eObjects are unlikely to be confined to these areas. For example, Walker Smith contends that the increasing amount of information available to sellers about the way their customers use their products is set to increase product liability claims as the nature of foreseeability of harm changes.29 Technical innovations found in eObjects are not the only innovations of relevance. How the technology is operationalised, applied and used in a functional sense is also important. The nature of the interaction between a user and a desktop computer is different to that of a user and a smartphone, and different again to that of a person driving past a traffic sensor embedded in a stop sign. The affordances – the things that can be done with eObjects (both intended and unintended) – will also be different. The differences are not just ones of overall design and functionality, but also of agency: that is, who or what is initiating and controlling the interaction. Also, individual attributes may not be the most relevant ones, as the interaction between attributes may give rise to the most interesting legal issues. Innovative affordances can be beneficial, for example utilities meter systems that can ode ate o su ptio to edu e a household s e e g ills, o ha ful, for example a vulnerable, mobile eObject that can be turned into a physical weapon. 3.1 Volatility of resources Increased volatility eObjects, and the systems in which they participate, may have harmful side effects. However, the disbenefits of these attributes are not uniform. Depending on the type of device architecture, these particular constraints can operate weakly, strongly, or somewhere in between. “at a a a a a as a o g the fi st to outli e hat he o side ed the ajo o st ai ts of o ilit , which differentiated first mobile and then ubiquitous computing from other forms of distributed computing.30 According to Satyanarayanan, smart devices will always 29 Bryant Walker Smith, 'Proximity-Driven Liability' (2013-2014) 102 Georgetown Law Journal 1777 Satyanarayanan, 'Fundamental challenges in mobile computing'(n 25); Mahadev Satyanarayanan, 'Pervasive computing: vision and challenges' 8 IEEE Personal Communications 10. “at a a a a a s pape s a e still widely quoted by modern computer scientists eg Frank Adelstein and others, Fundamentals of mobile and pervasive computing (McGraw-Hill 2005), 5; Stefan Poslad, Ubiquitous computing: smart devices, environment 30 e esou e-poo i elatio to o e tio al desktop o puti g, i pa ti ula i elatio to processing and network speed, memory and storage. He attributes this restriction on resources to o side atio s of eight, po e , size a d e go o i s .31 Coulouris, writing 15 years later, essentially agreed with Satyanarayanan as to these o st ai ts, ut o flated the ithi his o ept of olatilit . Volatility is the key factor by which he differentiates eObjects from the original model of Internet-based distributed computing (desktop personal computers with mostly wired access to the Internet). Volatilit is defi ed as he the set of use s, de i es a d soft a e o po e ts i a given environment is liable to ha ge f e ue tl .32 These volatility constraints manifest themselves in the different types of connections, energy sources and processing power utilised by smart devices.33 In particular, connectivity for devices using wireless networks (whether the device is mobile or embedded) is usually more variable in relation to bandwidth, latency and reliability. It is not as if other types of distributed systems do not exhibit volatility in these areas. However, Coulouris also makes two key points about the operation of volatility as a diffe e tiati g fa to i elatio to o ile a d u i uitous s ste s. Fi stl , the f e ue t ha ges efe ed to a o e happe commonly rather than exceptionally. Secondly, he acknowledges that other systems, such as peer-to-peer computing, are often volatile in e tai a eas, ut [ ]hat is diffe e t a out o ile a d u i uitous s ste s is that the exhibit all of the above forms of volatility, due to the way they are integrated with the ph si al o ld Coulou is e phasis .34 However, while the constraints of mobility are real and continuing,35 they do not necessarily operate in the same way for all smart devices. For example, for small single- or limitedpurpose devices, such as sensors in a thermostat system, poverty of processing power may and interaction (John Wiley & Sons Ltd 2009), George F Coulouris and others, Distributed systems : concepts and design (Addison-Wesley (Pearson Education) 2012). 31 Satyanarayanan, 'Fundamental challenges in mobile computing'(n 25). 32 Coulouris et al, (n 30), 817. 33 Coulouris and others, Distributed systems : concepts and design (n 30), Ch 19. 34 Ibid, 821-822. 35 Matt Smith, 'Why your smartphone won't be your next PC' 3 August 2013 Digital Trends <http://www.digitaltrends.com/computing/why-your-smartphone-wont-be-your-next-pc/#!US6P1> accessed 5 January 2016 well be a given. However, this must be contrasted with the more sophisticated technology available in modern smartphones and tablets. Advances in miniaturisation and other technologies have granted access to processing power, memory and storage for these multifunction devices to an extent that was well beyond the capacity of even desktop computing only a few years ago. It may always be possible to build a faster, more powerful desktop. But for many applications and many users, the difference in speed and processing power may not have an appreciable effect on the user. The converse may well be true of access to a power source. Some low-power sensors may have access to what is effectively unlimited power for their lifetime, as they draw what little they need from energy harvesting devices, such as solar cells or piezoelectric materials (which harvest energy from motion).36 Other smart devices, such as smart cards, obtain the minimal power supply needed for their functions from other parts of the smart system, for example a card reader. However, access to a power source is still a significant problem for more complex devices with greater computational power. Almost anyone with a smartphone has at one time or other lamented over the speed at which his or her battery has been drained. While there have been some recent advances in energy harvesting te h olog that a e e tuall lead to ha geless o ile pho es,37 any commercial application of this is some years away. As a result, many eObjects still need to be designed to minimise power consumption, with corresponding negative effects on processing power and speed. There are significant liability issues which might arise here, especially in relation to the failure of eObjects used in healthcare, such as wirelessly-controlled insulin pumps and pacemakers, which can cause serious physical personal harm. It is possible that litigation against software and hardware providers will increase as a result of the widespread use of eObjects. Many of the issues likely to be raised in such litigation may well already be o e ed the e isti g la s of to t a d o t a t. If so, an increased level of litigation may not indicate a case of legal uncertainty, as defined by Bennett Moses and outlined in Part 2. 36 Eg solar-powered calculators, or Midé's Volture Piezoelectric Vibration Energy Harvesters (commercially available), http://www.mide.com/products/volture/piezoelectric-vibration-energy-harvesters.php . 37 Eg Y. Mao and others, 'Sponge-Like Piezoelectric Polymer Films for Scalable and Integratable Nanogenerators and Self-Powered Electronic Systems' (2014) 4 Advanced Energy Materials . This paper describes their work in developing a mesoporous piezoelectric nanogenerator. But a practical uncertainty may exist, as developers, suppliers, investors and consumers may be uncertain about how the law will apply to the specific facts surrounding their development, use and sale of particular eObjects. Entities throughout the provider network may well also be uncertain as to whether their insurance contracts may respond to such claims. Even if they do, the likelihood of higher insurance premiums for software companies, along the lines of the professional health care worker who pays out many thousands a year in public liability insurance, is more probable than not. And this may lead to further uncertainty about maintaining profitability, and therefore stifle investment in innovative health technologies. Judges interpreting the common law of tort and contract may well, left to themselves and the litigation system, make it clear how the law applies in new factual situations. However, the litigious process is not a speedy one. Therefore, business and society may legitimately expect Parliament or other holders of regulatory power to act, where the uncertainty is so significant as to negatively impact the way the technology is funded, developed and used. The Collingridge dilemma may well have an important part to play here. If assumptions are made about the way judges will determine liability in a particular circumstance, development of the technology may follow a certain path in order to avoid unwanted consequences. This path may be a sub-optimal one from an economic and/or social viewpoint, and unnecessarily so if the assumptions are proven incorrect by the cases which are eventually decided. 3.2 Vulnerability and security Very early on, Satyanarayanan identified that eObjects are in many cases inherently less secure.38 This particularly applies to mobile hardware, which can be stolen or damaged more easily. For example, a mobile phone, or a wearable electronic device such as a fitness tracker,39 is more vulnerable to theft than a desktop computer. However, this issue is not 38 Satyanarayanan, 'Pervasive computing: vision and challenges' (n 25). Eg the Fitbit Flex wristband (commercially available) which contains sensors which tracks physical activity and sleep patterns, and then syncs with smartphones or conventional computers to create a data profile. See www.fitbit.com. 39 confined to the simplicity of stealing a small, light and robust machine as supposed to a large, heavy and fragile one. More recently, significant evidence is emerging that some eObjects and the systems in which they are used may well be more prone than conventional connected computers not just to physical interference but also to remote attacks. This is due to the existence of particular security vulnerabilities in the eObjects themselves and the systems in which they participate. These vulnerabilities include: insecure network services; insecure interfaces; insecure software and firmware; lack of encryption; insufficient authentication and authorisation; insufficient security configurability; the storage of personal data; and the lack of physical safeguards.40 Remote attacks can include the remote operation of the eObject without the permission of the local user ha ki g ) and/or the delivery of ali ious soft a e malware .41 Examples of consequences of these types of attacks include:       the disclosure of sensitive data (eg passwords, personal information) for use by the attacker, or exposure to the outside world; modification of data for personal gain (including repudiation); allowing the atta ke to a t o ehalf of the use spoofi g o masquerading ; instigating denial of service (DoS), and distributed DoS attacks; attacking other eObjects or conventional computers; and causing physical harm to or destruction of the eObject, surrounding objects and/or people.42 Peppet attributes the amount of security problems with these devices to: 40 This is a consolidated list adapted from the Open Web Application Security Project, 'Top 10 IoT Vulnerabilities (2014) Project' (Open Web Application Security Project Wiki, <https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnerabilities__2 82014_29> accessed 17 December 2015 41 Roger Clarke and Alana Maurushat, 'Passing the Buck: Who Will Bear the Financial Transaction Losses from Consumer Device Insecurity?' (2007) 18 Journal of Law, Information & Science 8, 35. 42 This is a consolidated list adapted from Cloud Security Alliance Mobile Working Group, Security Guidance for Early Adopters of the Internet of Things (IoT) (April 2015), 2015).    the inexperience of (and possible disinterest by) consumer goods manufacturers in security issues (as compared to specialist IT manufacturers); the small size of some devices may not support the processing power needed for strong security measures such as encryption; and most of the devices are not designed to accommodate software updates, making security patches unworkable. 43 Security researchers have recently proven the ease of remote attacks on consumer devices such as the aforementioned fitness trackers,44 healthcare devices such as insulin pumps45 and heart defibrillators,46 domestic appliances such as Internet-connected kettles47 and smart fridges,48 and even childrens toys.49 The security implications and the damage security exploits can cause already extends past intimately personal devices and their potential harm to one person. In the last five years, security researchers have successfully managed to exploit flaws in so e a s Internet-connected internal systems in order to wirelessly control a s lo ks, brakes, steering and transmission. Hacks have also included remote tracking of the car through its IP address.50 General Motors took nearly five years to 43 Peppet, 'Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent' (n 28), 43-45. Also see Bruce Schneier, 'The Internet of Things is Wildly Insecure - and often Unpatchable' Wired (1 June 2014) <http://www.wired.com/2014/01/theres-no-good-way-to-patch-theinternet-of-things-and-thats-a-huge-problem/>. 44 Eg Fitbit, Mahmudur Rahman, Bogdan Carbunar and Madhusudan Banik, 'Fit and Vulnerable: Attacks and Defenses for a Health Monitoring Device' (2013) arXiv:13045672 [csCR] ; Mario Ballano Barcena, Candid Wueest and Hon Lau, How safe is your quantified self? (Symantec Security Response Report, 11 August 2014) 45 Jordan Robertson, 'Insulin pumps, monitors vulnerable to hacking' Sydney Morning Herald <http://news.smh.com.au/breaking-news-technology/insulin-pumps-monitors-vulnerable-to-hacking20110804-1idfn.html> accessed 29 May 2014. 46 Anthony M. Townsend, Smart cities: big data, civic hackers, and the quest for a new utopia (W. W. Norton & Company 2013), 269. Other healthcare eObjects with identified security concerns include drug infusion pumps, X-ray systems, blood refrigeration units and CT scans. See Kim Zetter, 'Medical devices that are vulnerable to life-threatening hacks' Wiredcom <http://www.wired.com/2015/11/medical-devices-that-arevulnerable-to-life-threatening-hacks/#slide-x>. 47 Catalin Cimpanu, 'Insecure Internet-Connected Kettles Help Researchers Crack WiFi Networks Across London' Softpedia (20 October 2015) <http://news.softpedia.com/news/insecure-internet-connected-kettleshelp-researchers-crack-wifi-networks-across-london-494895.shtml> accessed 12 November 2015 48 Ibid 49 Security Ledger, 'Update: Hello Barbie Fails Another Security Test' securityledgercom (4 December 2015) <https://securityledger.com/2015/12/hello-barbie-fails-another-security-test/> accessed 17 December 2015 50 Andy Greenberg, 'Hackers Remotely Kill a Jeep on the Highway - With Me in It' Wired (21 July 2015) <http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/>; Stephen Checkoway and others, 'Comprehensive Experimental Analyses of Automotive Attack Surfaces' in D Wagner (ed), Proceedings of USENIX Security 2011, Aug 2011 (Proceedings of USENIX Security 2011, Aug 2011, USENIX 2011); Nick Bilton, fully protect its cars against an exploit identified by security researchers in 2010.51 This sluggish response by General Motors gives weight to Peppet s o e s a out the apa ilit of consumer goods manufacturers – even highly sophisticated ones with significant resources – to deal with security problems in an efficient and timely way. In most jurisdictions with developed legal systems, detailed rules about car safety exist. However, depending on drafting, these may well be inadequate to deal with the increased ability of third parties to cause harm by malicious remote control of a heavy motor vehicle at speed. The harm itself is not e . Personal injury and property damage resulting from the impact of a vehicle has been occurring since the first wheeled vehicles were invented, and these harms are already regulated under both tort law and specific motor vehicle legislation. The legal p o le he e is ost likel to e o e of u de -i lusi e ess . Of course, unauthorised remote intrusion is already a criminal offence in many jurisdictions,52 but considering the myriad of approaches and definitions used by drafters, it is worth reexamining whether this particular type of intrusion will automatically be covered under existing legislation. For example, the Western Australian legislation confines the offence to unlawful access to password-protected computer systems.53 An individual user buying a cheap consumer eObject has no guarantee that their device is actually password-protected, and usually no capacity to implement that protection for themselves. Even rules that are not under-inclusive – that is, they cover all relevant conduct – may nevertheless be ineffective if they cannot be enforced effectively. A hacker may well be in ea h of a o a ess ithout la ful e use ule, ut any hackers are notoriously difficult to find and enforce criminal penalties against, especially as they could be anywhere 'Bits Blog: Disruptions: As New Targets for Hackers, Your Car and Your House' New York Times (11 August 2013) <http://bits.blogs.nytimes.com/2013/08/11/taking-over-cars-and-homes-remotely/?_r=0>;. 51 Andy Greenberg, 'GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars' Wired (10 Sep 2015) <http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstar-cars/> 52 Eg the US: 18 USC §1030, and under the State Codes (http://www.ncsl.org/research/telecommunicationsand-information-technology/computer-hacking-and-unauthorized-access-laws.aspx); Australia: Criminal Code Act 1995 (Cth), Part 10.7, Crimes Act 1958 (Vic) ss 247A-247I, Crimes Act 1900 (NSW) Pt 6 ss 308 – 308I, Summary Offences Act 1953 (SA) s 44, Criminal Code 2002 (ACT) ss 412-421, Criminal Code Compilation Act 1913 (WA) s 440A, Criminal Code 1899 (Qld) s 408E, Criminal Code Act 1924 (Tas), Schedule 1, ss 257A-F; Computer Misuse Act 1990 (UK). 53 Criminal Code Compilation Act 1913 (WA) s 440A. on the planet54. To ensure the safety of the public, it would make more sense to ensure that car manufacturers should be expected to take some responsibility for security flaws in their systems. Ho e e , a ufa tu e s most likely response in the absence of regulatory intervention will be an attempt to exclude tortious and other liability for security breaches by clauses inserted in sale contracts. Software contracts are already notorious for the breadth of their exclusion clauses,55 and it is naïve to assume that car manufacturers legal ad iso s ill ot adopt a si ila l oad approach. Some premium car manufacturers may also of course improve security features in order to increase brand reputation among consumers; but not all, and not all to the same extent. Although car manufacturers are already required to manufacture cars to quite strict (and detailed) safety standards that are enforced by legislation, these standards are not currently likely to include security standards for Internet-connected systems. In the US, at least, the existing safety standards are not considered sufficient to cover this type of intrusion. On 21 July 2015, a Bill directing government bodies56 to promulgate regulatory standards for car cybersecurity (and data protection) was introduced into the US Senate.57 3.3 Vulnerability and active capacity The discussion above highlights that one of the key consequences of technological developments related to eObjects is the re-emergence of physical spaces and places as an important concept in information technology.58 When scholars and others talk about cyberspace, they tend to concentrate on its intangible aspects, its status as a mass o se sus-hallu i atio 59 rather than a space in which actions are carried out. Cyberspace has traditionally been conceived as a world without boundaries or physicality. It has e e 54 ee a gued that the o d e spa e o stitutes a positi e de ial of a ph si al Or even in low Earth orbit, considering even the International Space Station has an Internet connection http://www.tested.com/science/space/449539-how-fast-isss-internet-and-other-space-questions-answered/ 55 Marc Goodman, Future crimes : everything is connected, everyone is vulnerable and what we can do about it (Doubleday 2015), 7664-73 [Kindle edn location]. 56 National Highway Traffic Safety Administration (NHTSA) and the Federal Trade Commission (FTC). 57 SPY Car Act of 2015, S 1806, 114th Congress (2015) 58 Paul Dourish and Genevieve Bell, Divining a digital future: mess and mythology in ubiquitous computing (MIT Press 2011), Ch 5, Uteck, 'Reconceptualizing Spatial Privacy for the Internet of Everything (n 28). 59 William Gibson, 'Burning Chrome (short story)', Burning Chrome (Burning Chrome (5th reprint) Harper Collins 1995), 196-7. place.60 The role of the physical environment in conventional distributed systems is usually limited to acting as a conduit for power and communications, and as a repository for data storage and processing units.61 However, the physical location of an embedded smart device – or, in the case of a mobile device, its ability to move quickly and easily in space between physical locations without losing functionality - forms an essential part of its nature, and is inextricably linked to its use by humans. 62 So when we move from a e spa e o-pla e to a o f o tatio ith the limitations of the physical world, this gives rise to certain questions about how the law will and should act in particular situations. One of the most obvious implications of the physicality of devices and systems in eObjects is in the security concerns outlined in section 3.2, particularly in the example of car hacking. A desktop computer is a large and heavy object, but remote hackers have not been generally able to pick one up and throw it across a room. Within the world of eObjects, a potentially dangerous innovation lies in the interaction between the eObject attributes of vulnerability and mobility – a malicious hacker can remotely control a one-and-a-half tonne piece of metal travelling at 100km/hour and use it to injure people and property. The relevant legal p o le of u de -i lusi e ess is dis ussed i se tio . a o e. The greatly desired s a t ho e pote tiall brings with it similar practical problems, although mobility is not the attribute interacting with vulnerability here, but rather active capacity, the ability of eObjects to interact with the physical world. For example, you may own a smart house, and have just bought an Internet-enabled designer lamp for both its aesthetic appeal and its advertised compatibility with your particular smart house system. However, unbeknownst to you, the lamp contains a security vulnerability that allows a rogue to hack into your smart house system, turn off the sprinklers and the fire alarm, and turn on the stovetop. Consequently, the house burns down. The rogue cannot be tracked down, so a search for liability will begin with the service providers relating to your smart house. A si ila p o le a a ise he e ith u de -i lusi e ess a ou d safet a d security standards as applies to car hacking (see section 3.2). However, in the smart home 60 Roger Clarke, 'Paradise gained, paradise re-lost: how the Internet is being changed from a means of liberation to a tool of authoritarianism' (2001) 18 Mots Pluriels 61 Poslad, Ubiquitous computing: smart devices, environment and interaction (n 30), 8. 62 Dourish and Bell, Divining a digital future: mess and mythology in ubiquitous computing (n 58), 109. example there are likely to be many more suppliers and manufacturers providing eObjects and their related services. Therefore, a new set of uncertainties arises around concepts of causation and liability in contract, in tort and under consumer protection laws. These uncertainties a ot fall i to Be ett Moses atego of legal u e tai t , ut rather that of practical uncertainty. For example, in Australia, consumer goods are sold su je t to a gua a tee of a epta le ualit , u de section 54 of the Australian Consumer Law (ACL)63. A lamp that does not turn on is obviously not of acceptable quality, but what about an Internet-connected lamp with a security vulnerability? This is not legal uncertainty nor under-i lusi e ess, the e is o gap in the law. A rule exists, the ule of a epta le ualit , a d it is oad e ough to e o pass a e t pes of p odu ts, i ludi g those incorporating new technologies. However, in a common law system like Australia s, u til a judge a s e s the spe ifi uestio as to o hi h side of the a epta le ualit li e security vulnerabilities lie, consumers, suppliers and insurance companies will not know how the law applies in this situation. And, as factual situations shift, this uncertainty will continue. The position may be somewhat clearer in the United States. The Federal Trade Commission (FTC) has brought a number of enforcement actions against companies relating to inadequate cybersecurity practices under section 5 of the Federal Trade Commission Act,64 hi h p ohi its u fai o de epti e a ts o p a ti es i o affe ti g o e e . However, it has only recently been confirmed by the US Court of Appeals that inappropriate cybersecurity practices could amou t to u fai o du t under section 5, in an action by the FTC against a hotel chain whose customer data had been subject to three data breaches in two years.65 The consequences of this uncertainty outside of judicial decisions are however somewhat predictable. Consumer guarantees of acceptable quality cannot be excluded by contract. However, specific disclosures by a supplier can remove the protection of this guarantee.66 63 Competition and Consumer Act 2010 (Cth), Schedule 2, Part 3-2. 15 USC §45. A list of FTC enforcement actions on Data Security can be found on the FTC website at https://www.ftc.gov/tips-advice/business-center/legalresources?title=&type=case&field_consumer_protection_topics_tid=249&field_industry_tid=All&field_date_v alue[min]=&field_date_value[max]=&sort_by=field_date_value 65 Federal Trade Commission v Wyndham Worldwide Corporation Federal Trade Commission v Wyndham Worldwide Corp, No 14-3514, F 3d (Aug 24, 2015) 66 Competition and Consumer Act 2010 (Cth), Schedule 2, ss54(2)-(4). 64 Knowing this, and once aware of the potential liability, suppliers will (particularly to maintain insurance coverage) most likely amend their point of sale material and/or o t a tual oile plate to i lude a oad dis losu e , hi h ill have the same effect as an exclusion clause. An attempt by consumers to shift blame to the smart home system supplier for a failure to block security exploits at the point of interconnection will most likely face the same contractual roadblock. 3.4 Mobility One common attribute of eObjects is mobility. This attribute, along with a closely related attribute, portability (where the eObject itself can be moved but is not designed to communicate while doing so) mean that transactions and interactions with people, with businesses, with information and with the devices themselves are carried out in different ways and in different places, than those transacted under the desktop model. One important consequence is that the nature of the information flow around the transactions can also be substantially different from that found in traditional computing, particularly traditional e-commerce. In particular, the widespread use of sensor technologies makes it likely that a greater quantity of data can and will continue to be collected by eObjects (whether they are mobile or whether the people interacting with them are). This increase in data collection is occurring alo gside the apid deplo e t of a illa e uip e t, a d se i es to agg egate i fo ake it idel a essi le .67 atio a d te h ologies, This greater availability of data can lead to issues around privacy, data protection and the legitimacy of surveillance; but it can also have benefits for individuals. For example, Peppet argues that the greater availability of information that consumers can access about products while in-store, including review sites that specifically raise issue with onerous contract terms, means that, at least in the US, courts may well be less likely to hold a contract unenforceable on the grounds of unconscionability and unfairness.68 67 Kevin Werbach, 'Sensors and Sensibilities' (2007) 28 Cardozo L Rev 2321, 2338. See also the discussion in Uteck, 'Reconceptualizing Spatial Privacy for the Internet of Everything (n 28), : [ ]he o ilit a d digital i fo atio e ge, the atu e of the i fo atio ha ges . 68 Scott R Peppet, 'Freedom of Contract in an Augmented Reality: The Case of Consumer Contracts' (2012) 59 UCLA Law Review 676. The o st ai ts of o ilit ide tified “at a a a a a 69 also mean that in some cases different technical or business solutions are implemented for activities that are functionally the same to a user whether undertaken on a desktop or via an eObject. The solutions proposed to overcome a problem with, or meet an opportunity for, mobility may well have different legal implications, even though the difference cannot be seen or is considered irrelevant by the end user. One particular example of this has already been raised in formal litigation. In Australia, s111 of the Copyright Act 1968 allows for copying of television shows for private use without breach of copyright the ti e-shifti g e eptio . In National Rugby League Investments Pty Limited v Singtel Optus Pty Ltd [2012] FCAFC 59, however, an implementation of a time-shifting solution via mobile phones led to a breach of the Act. Telstra had entered into an exclusive deal with the AFL and the ARL for its mobile customers to view football matches on their mobile phones. Optus offered a competing service where its mobile users could record and play back football matches offered on freeto-air television on their mobile phones or other computers. The technical structure of the service offered by Optus involved:    the interception of the television signal by Optus receivers; the making and storage of an individual copy (one for each user) on Optus servers; and access by the user when s/he wished to watch a particular show. The making and storing of the copies by the service provider on their own server, rather tha the use s de i e, would have been done (at least in part) in order to address the resource constraints of mobile phone hardware and Internet connectivity. In particular, the storage space required to copy large media files would soon overwhelm the capacity of most smartphones. It is arguable that from the perspective of the individual user, this activity whether performed at home or on the move was the same, comprising the recording and playback of free-to-air television shows at a time that suited them. The trial judge agreed with this approach. However, the appellate court disagreed. The extent of the uncertainty raised by this issue here was highlighted by the fact that the trial judge s app oa h as si ila to that 69 Satyanarayanan, 'Fundamental challenges in mobile computing'(n 25). adopted by appellate courts in the US and Singapore. The Full Federal Court in Australia preferred the approach of a Japanese appellate court, but not without controversy.70 When the dispute first arose, it revealed a legal p o le u e tai t falli g i to Be ett Moses legal atego : that is, the uncertainty of the application of s111 to new ways of making copies of television programs for private use. The Full Court itself acknowledged the uncertainty in the questions raised in the appeal.71 They also admitted that uncertainty continued to exist in relation to other technical solutions for time-shifting, which were not the subject of this litigation.72 In addition to the continuing uncertainties, the decision has raised a potential problem of u de -i lusi e ess , depending of course on the viewpoint of the person examining s111. However, a policy question remains. Is the interest that a private user has in being able to make copies for time-shifting purposes one that should be protected notwithstanding any third party technologies and third party services they employ? The question of possible under-inclusiveness was addressed, in an indirect way, in the decision. The Full Federal Court explicitly recognised that technological neutrality was seen to be a desirable goal,73 but did not believe that s111 as drafted operated to achieve this goal. The judges implied that if this goal was to be met, Parliament must act to amend the wording of s111. A li e al app oa h to i te p etatio , such as that proposed by the law and technology theorist Cockfield,74 may have allowed the judges to address the lack of protection of private users interests. However, the judges refused to take this approach, based partially o a a gu e t that the e e e o fli ti g i te ests a d alues 75 to be taken into account, which in their opinion called for a legislative choice to be made, not a judicial one. 70 National Rugby League Investments Pty Limited v Singtel Optus Pty Ltd [2012] FCAFC 59. For a discussion of this case, see Rebecca Giblin, 'Stranded in the Technological Dark Ages: Implications of the Full Federal Court's decision in NRL v Optus' (2012) 35 European Intellectual Property Review 632 and Kayleen Manwaring, 'A shift in time saves no-one: mobile technologies and the NRL v Optus decision' (2012) 5 Journal of the Australasian Law Teachers Association 83. 71 NRL v Optus (n 70) [9]: [w]e have found the questions raised in the appeals to be of some difficulty and considerable uncertainty . 72 Ibid, [ ]: We a ept that different relationships and differing technologies may well yield different o lusio s to the ho akes the op uestio . 73 Ibid, [95]. 74 Arthur J. Cockfield, 'Towards a law and technology theory' (2004) 30 Manitoba Law Journal 383. 75 NRL v Optus (n 70) [95]. Of course, this interpretation by default ranked the interests of the copyright owners and their licensees above those of private users and technology innovators. The question remains for Parliament of whether this is the appropriate ranking to make? This dilemma of ou se does ot just illust ate a e a ple of u de -i lusi e ess , ut also highlights the difficulties regulators must face in addressing such a legal problem. For in many, if not most, cases of socio-technological change leading to claims of under- (or indeed over-) inclusiveness, there will be a competition of interests. The competition will be between those of members the u de -i luded o u it , a d those o po atio s, i di iduals o governments who receive an economic, social or other benefit from the status quo. 3.5 Adaptability, geo-locatability and prevalence Adaptability and geo-locatability are closely related attributes of eObjects. Adaptability, also k o as ontext-awareness , refers to the idea that an eObject can identify in real time so e pa t of its use s o te t - who the user is, where she is, the environment through which she is moving, her habits and preferences – and it or the system in which it participates can reconfigure and adapt itself accordingly. The greater capabilities brought about by adaptability in technology, if realised to their full potential a d this is a ig if , will most likely bring about the greatest socio-technological changes related to eObjects. In contrast, geo-locational technologies have been adopted in very many mobile eObjects. Within the traditional model of distributed information technologies, where a desktop is physically located has been, in most contexts, irrelevant,76 as well as difficult to determine accurately. However, now eObjects are mobile, and more likely to be personal , that is, intimately associated with an individual. A person with a smartphone can be located (almost) anywhere at (almost) anytime. Geo-locatability is not only available to telecommunication carriers or government security agencies, but to everyday consumers using a cheap (or even free) app on their smartphones, su h as Fi d F ie ds Apple iOS) or Life360 (Windows 8). However, it must be emphasised that the accuracy of such location tracking, whether consensual or imposed, is not always, or even often, particularly There is at least one notable exception to this - geo lo ki g the p a ti e of li iti g a ess to o te t (particularly TV programs and movies) on the Internet based on your geographic location): http://theconversation.com/explainer-what-is-geoblocking-13057 . 76 robust. Accuracy and reliability of common geo-locational technologies are heavily dependent on the device, the actual location techniques and the circumstances at the time that they are used.77 Geo-locational data may also be obfuscated or falsified, for example to protect privacy or hide responsibility for criminal activity.78 This is particularly important to remember when such technologies are presented as evidence in criminal trials. People (and animals79) can be tracked even without a smartphone. Most cars manufactured in the US in 2013 have GPS-enabled data event recorders installed. Some car manufacturers claim that these systems store location information from the GPS and communicate it to the manufacturers.80 The widespread introduction of smart card systems81 to access public transport means that governments have the potential for access to significant location data linked to individuals, in cases where the system is designed to track and store location information. For example, the NSW state government expressly collects and retains location data linked to individuals using Opal cards on public transport.82 Also, the increased use of chipped contactless cards to pay for small transactions,83 in circumstances where previously consumers used cash, means that a large amount of location data on individuals (who are readily identified from their cards) is now available to the banks and their third party contractors, and vulnerable to recovery by government (and hackers). This means that governments, carriers and internet service providers (and the third parties such as consumer goods distributors to whom this information may be disclosed) have the potential to exercise much greater control over devices and consumers. These organisations and individuals can monitor buying patterns, impose taxes and even block 77 Katina Michael and Roger Clarke, 'Location and Tracking of Mobile Devices: Überveillance Stalks the Streets' (2013) 29 Computer Law & Security Review 216, 217-218. 78 Roger Clarke, 'A Framework for Analysing Technology's Negative and Positive Impacts on Freedom and Privacy (Draft of 16 August 2015)' <http://www.rogerclarke.com/DV/Biel15-DuDA.html#App3>. 79 Eg RSPCA TrakaPet (commercially available), GPS locating device specifically designed for the pet market, https://www.worldforpets.com.au/products/148772207. 80 Edito ial, 'Fo d VP: 'We ha e GP“ i ou a , so e k o hat ou e doi g'' t o <http://rt.com/usa/ford-vp-auto-surveillance-382/> 81 Eg Octopus in Hong Kong, Myki in Melbourne, Oyster in London, Opal in Sydney. 82 See the Opal Privacy Policy at https://www.opal.com.au/en/asset/c96bc3e6-b501-4180-a0181096503a625e/privacy_policy.pdf , particularly section 3.2 (Purpose of collection), 4.2.2 (Registered Cards) and 4.2.3 (Information collected when the Opal card is used). 83 Eg via Visa PayWave (http://www.visa.com.au/cardholders/paywave/index.html#s=customer.Home), Mastercard Paypass (http://www.mastercard.com.au/paypass.html), or American Express Contactless (ExpressPay in the US) (http://www.americanexpress.com/au/content/chip-and-pin.html, https://www295.americanexpress.com/cards/loyalty.do?page=blue.expresspay.faq) transactions. The a ket s e pe tatio of a ks may well mean that security of payment information is at a relatively high standard (at least against third parties), but there are other geo-locatable eObjects that are much more vulnerable. For example, wearable activity trackers have recently shown themselves susceptible to the theft of location data (albeit by a security company), even when the consumers themselves are not granted access to that data.84 The use of geo-locatability and adaptability attributes in the commercial sphere was early postulated by Kang and Cuff in 1996, through the development of their speculative description of a et o ked all .85 This idea of a et o ked all has recently manifested itself in reality with the introduction of enterprise mobile marketing eObjects su h as Apple s iBea o (although the adaptability features are fairly unsophisticated at present). iBeacon and like products marry precise geo-location targeting and context data (for example retail products within near proximity, purchase history and preferences, time of day). Beacon services use indoor positioning devices and systems with small low-power sensors86 to track when subscribers carrying their mobile phones enter a particular physical space (such as a particular section of a department store). When a person is located in a particular place (for example the shoe aisle in a department store), this triggers an action by applications in the mobile phone, such as notifications as to nearby items which are then offered at a discount. Although the use of beacon technology is not yet widespread, in 2015 it had already been installed in some malls and has extended into other public spaces such as airports, baseball stadiums and museums. This technology is also currently being used or piloted by retail, fast food, sporting, airline and pharmacy and other business enterprises.87 84 Barcena, Wueest and Lau, How safe is your quantified self? (n 44). Jerry Kang and Dana Cuff, 'Pervasive Computing: Embedding the Public Sphere' (2005) 62 Washington and Lee Law Review 93, 121-145. 86 iBeacon uses the Bluetooth Low Energy communications standard, but other beacon technologies use both Bluetooth and Wi-Fi (eg Motorola Solutions and Datzing). 87 Eg Ma s, M Do alds, Majo League Base all, Walg ee s, Virgin Atlantic, Japan Airlines, American Airlines. Trips Reddy, '15 Companies From Airports to Retail Already Using Beacon Technology' <https://www.umbel.com/blog/mobile/15-companies-using-beacon-technology/> accessed 10 November 2014, James Wood, 'iBeacon: the Future of Content Marketing?' (B2B Marketing, 17 February 2014) <http://www.b2bmarketing.net/blog/posts/2014/02/17/ibeacon-future-content-marketing> accessed 7 October 2015 85 Beacon implementations rely on eObjects with access to personalised profiling data and with the potential to be programmed to act in accordance with copious research on how consumers actually make purchasing decisions. An average human shop assistant, at least when dealing with a new customer, is unlikely to have either the personal knowledge of the customer, or the aggregated knowledge of purchasing patterns, that can be contained in or associated with an eObject. The digitisation of commerce generally (mediated through conventional desktops and eObjects) may grant firms with large marketing budgets an e ha ed a ilit to ta get o su e s og iti e iases a d particular vulnerabilities and use that information to encourage consumers to inte ests, athe tha i the o su e s o ake pu hasi g de isio s i the fi s est .88 A further attribute of eObjects – prevalence – will come into play here, not just in terms of delivery of the message, but in collection of data. The uses of eObjects in e-commerce widen the reach of a marketer to a significant degree. Calo has expressed concern that consumer protection law in the United States, concentrating as it does on unfairness and deception, will not be broad enough to cope with the increased capacity of firms to collect data and use it in the fi s , rather than in the consumers , best interests.89 This is also a concern for Australia. Current consumer law in the Competition and Consumer Act 2010 (CCA) relating to marketing and advertising focusses o isleading or deceptive o du t o false or misleading ep ese tatio s .90 The relevant object of the CCA is to p o ide fo o su e p ote tio . Ho e e , i the a se e of a is ep ese tatio , attempts to exploit a consume s vulnerabilities will not be prohibited by these sections, esulti g i a pote tial legal p o le of u de -i lusi e ess . It is not settled that the law should protect a consumer against these types of consumer frailties,91 so the problems of competing interests identified in section 3.4 will also come into play in this situation. 88 Ryan Calo, 'Digital Market Manipulation' (2014) 82 George Wash Law Rev 995, 999, 1043-4. Ibid 90 Eg Part 2-1 and Part 3-1 Division 1, Schedule 2, Competition and Consumer Act 2010 (Cth). 91 Margaret Jane Radin, Boilerplate : the fine print, vanishing rights, and the rule of law (Princeton, N.J. : Princeton University Press 2013), 196 fn 14, The question whether the legal system should try to correct for prevalent heuristic biases does not have a consensus answer . 89 This type of taking advantage of consumer weaknesses can be sensibly categorised as some so t of u fai pe suasio 92. The law prohibiting unconscionable conduct, both under statute and in equity, may be called into action. But this in itself will most likely lead to a problem of practical uncertainty, as most judges dealing with unconscionable conduct doctrine have e e pe so alisatio et had to deal ith this o i atio of i te se s ste atisatio a d of data.93 3.6 Reduced visibility and human-computer interaction Fo the egi i g, Weise a d othe s ha e ha a te ised u i uitous o puti g as te h olog , o te h olog al hi h disappea s .94 Of course, many eObjects are still highly conspicuous, for example smartphones or phablets .95 For other eObjects however, particularly wearables or surveillance technologies, the computing power and/or data communication capabilities of the objects are unobtrusive to a greater or lesser degree. This lack of visibility potentially has consequences for the nature of human interaction with these types of technologies. Of course, this concept is already known within conventional distributed computing. Much of the interaction between the multiple machines and systems that are required to do mundane tasks, such as searching the Internet, is hidden from users, who to all intents and purposes appear to themselves to be interacting with one machine and one software application. However, the interactions are still there and tend to be intentional and purposeful, through the use of peripherals such as a keyboard, mouse, or touchpad. However, advances in implicit (or at least less obtrusive) human computer interaction (both current and projected), mean that this level of purposeful interaction should not be taken 92 Calo, 'Digital Market Manipulation' (n 88), 237. Calo, 'Digital Market Manipulation' (n 88), 1021. 94 Mark Weiser, 'The Computer in the 21st Century' Scientific American 94, 1; Mark Weiser and John Seely Brown, 'The Coming Age of Calm Technology' 1996) <http://www.ubiq.com/hypertext/weiser/acmfuture2endnote.htm> accessed 26 February 2015; Satyanarayanan, 'Pervasive computing: vision and challenges' (n 25). Poslad i luded this al o puti g concept as a sub-property of his iHCI core property classification. 95 Pha lets – a po t a teau of pho e a d ta let , efe i g to s a tpho es ith la ge s ee s. 93 for granted. Much of this technology is still in the research stage,96 but some technologies have already matured to commercialisation. Networked sensors to manage lighting in commercial buildings are already mainstream.97 Gesture-based command technology is common in the games market.98 Wearable cameras with automated photo-taking functions, o lifelogge s ha e also e e tl e te ed the consumer and healthcare markets,99 following on from a longer history of use of body-mounted cameras by law enforcement agencies.100 If visibility of the technology used to mediate consumer contracts does decrease significantly, this may well give rise to contractual and consumer issues. It is no new thing to have contracts mediated through technology. However, interesting questions can be asked as to whether the absence of particular forms of contractual processes changes the dynamic of the relationship between contracting parties. If the dynamic does change, how will judges interpreting the existing common law and legislation deal with this? For example, what issues might arise around enforceability of contracts formed through interaction with i isi le de i es? Ho is o se t to te s a d o ditio s indicated, and proved, in the absence of point-and-click? How will a judge interpret the requirements of notice for onerous clauses in environments where such notice can only practically be provided a step, or number of steps, removed from the purchase and use of a relevant item? One of the greatest impacts of developments in implicit human-computer interaction is of course its potential impact on privacy and data protection. If the level of implicit human computer interaction built into an eObject, or a series of eObjects, is such that a person does not know you are interacting with a device or devices that gathers data and transmits 96 For examples, see Rami Albatal and others (eds), Shaping our digital lives (8th Irish Human-Computer Interaction Conference, 2014), Masaaki Kurosu (ed), Towards Intelligent and Implicit Interaction (15th International Conference on Human-Computer Interaction, HCII 2013, Springer 2013). 97 Eg http://www.legrand.com.au/products/energy-management/sensors/scs-networked-sensors/ 98 Eg Mi osoft s Ki e t s ste , http://www.xbox.com/en-AU/Kinect . 99 Eg Autographer, Narrative, SenseCam. 100 Fanny Coudert, Denis Butin and Daniel Le Métayer, 'Body-worn cameras for police accountability: Opportunities and risks' 31 Computer Law & Security Review . See also Steve Mann, 'Wearable Computing' in Mads Soegaard and Rikke Friis Dam (eds), The Encyclopedia of Human-Computer Interaction (The Encyclopedia of Human-Computer Interaction, 2nd edn, The Interaction Design Foundation 2012). at 23.7 for a dis ussio of the ea l histo of lifeloggi g, also k o as o gloggi g o gloggi g . it to others, how can that person prohibit or limit the use of the information gathered as a result of that interaction? When personal information is collected from individuals by firms and government bodies, privacy policies are required in many jurisdictions, such as Australia, the US and Europe. For example, the Australian Privacy Principles (discussed in more detail below) require Australian government bodies and commercial organisations to have a privacy policy. A privacy policy is easy to implement as part of conventional computing via a link on a website to a detailed p i a poli a da I ag ee utto . Most companies (in jurisdictions such as the US, Australia and Canada at least) will have a privacy policy and display it on their website, and will, theoretically, be subject to sanctions if the policy is not complied with.101 However, the content and effectiveness of privacy policies are routinely criticised.102 However, even this weak protection appears to be breaking down with the advent of eObjects. As implicit human computer interaction techniques become more developed, more eObjects will not need traditional display screens or input mechanisms such as keyboards. Privacy policies require text and screen space, but it is difficult to find a practical way for many eObjects to deliver notice of the data it is collecting, let alone what the vendor or user is planning to do with it. This situation becomes more complicated when the buyer is not the only person about whom data is collected, such as in the case of eObjects with embedded cameras. Early indications are that makers of eObjects are not aware of their own obligations in relation to privacy notices, or are choosing to ignore them (possibly due to weak enforcement mechanisms). A recent survey103 of 20 popular consumer eObjects ranging from fitness trackers to breathalysers to home automation systems found that none contained a privacy policy packaged with the object, nor any indication where one could be located.104 Many of the eObjects examined did require an app to be downloaded to make them fully functional, which assumes the use of at least a small screen on a See for example Gordon Hughes and Lisa di Marco, 'Online privacy policies — it s ot just a out the Privacy Act' (2015) 2015 Internet Law Bulletin 38 (Australia); Daniel J. Solove and Woodrow Hartzog, 'The FTC and the New Common Law of Privacy' (2014) 114 Columbia Law Review 583 (US). 102 A long list of articles critical of privacy policies can be found in Part 4 of http://www.rogerclarke.com/EC/PPSE0812.html 103 Peppet, 'Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent' (n 28). 104 Ibid, 141 and Appendix 1. 101 smartphone. However, even in the downloading step, many did not provide a privacy policy or any indication of where to find one.105 One example analysed in the survey was that of Breathometer Inc, which currently markets a device that tests alcohol breath levels. The Breathometer device is connected wirelessly to an application on a smartphone, which stores and displays data on current and historical breath levels. There was no privacy policy provided in the package, or as part of the download of the related smartphone application, and there was no information provided in the packaging on where to find one. The author of the survey eventually tracked down a pi a poli i a o s u e pa t of the o pa s e site. This policy prohibits deletion of user data and allows the company to use the data to customise advertisements, as well as other terms. The lack of connection between the purchase and the privacy terms is troubling: Given the many potentially troubling uses for breathalyzer data—think employment decisions; criminal liability implications; and health, life, or car insurance ramifications—one might expect data-related disclosu es to do i ate the B eatho ete use s pu hasi g a d activation experience. Instead, the consumer is essentially led to the incorrect assumption that this small black device is merely a good like any other—akin to a stapler or ballpoint pen—rather than a data source and cloud-based data repository.106 The Breathometer purchasing structure is not the most problematic example uncovered by the research. The privacy policy that existed on the Breathometer website was at least specifically designed for the eObject and services sold by the companies. However, many of the other privacy policies examined in the survey, when finally located, had serious issues with their drafting. The wording of the clauses related only to use of the a ufa tu e s website rather than the eObject itself, and therefore contained considerable ambiguities and key omissions.107 105 Ibid, 143-146 Ibid, 90. 107 Ibid, 146. 106 Australian Privacy Principle (APP) 1.5 requires that a o ga isatio a e easo a le i the i u sta es to ake its … p i a poli ust take su h steps as a aila le … i su h fo as app op iate .108 Additionally, APP 1.5 includes a Note that an APP entity will usually make its APP privacy policy available on the entity's website . I t aditio al e-commerce, where goods and services are sold on a website, privacy policies, as well as other terms and conditions, at least usuall sit ithi the sa e i tual spa e as the pu hase al eit ofte somewhat obscurely placed). The seller can without any significant uncertainty comply with its obligation in the APP, and a consumer knows where to look. However, meeting the obligation in the APP is not nearly so clear when it comes to eObjects. Suppliers will most likely continue to take the existing cheapest and simplest route of website-based privacy policies. They may or may not change the text of the policies to specifically apply to eObjects, which may then be problematic for both suppliers and consumers. For example, a user s need to know what data is being collected and how it is being used in relation to such eObjects is actually greater than in traditional e-commerce due to:  eO je ts g eate potential to gather data about a purchaser and the people they interact with, such as in the case of a breathalyser, a fitness tracking device or a lifelogging camera; and  the reduced likelihood of consumers considering the possibility and consequences of data being gathered, stored and used when such activities happen in a less obtrusive way than by active entry of information into a text box. The ea i g of app op iate fo is u lea i the o te t of eO je ts, the e pla i g it in the context of practical uncertainty. There is also a potential problem of underinclusiveness if the Note to APP 1.5 is used as intended as a guide to interpretation by the regulator109 and judiciary, meaning a supplier could fulfil its obligation merely by placing the policy on its website without other forms of notice to the ultimate user. If eObject purchasing and use activities are completely disconnected from the data-gathe e s website, then it seems insufficient that the only notification is contained there. The unobtrusiveness of the data-gathering function adds to the problems. Consumers using eObjects are viewing 108 109 Part 1.5, Schedule 1, Australian Privacy Principles, Privacy Act 1988 (Cth). Currently the Office of the Australian Information Commissioner. themselves as performing physical activities such as breathing out, or walking, or injecting insulin. They are not consciously providing information to a third party as they do when they fill in a website form. 3.7 Autonomy Autonomous devices and systems are those with the capability to make decisions and take actions that are independent of a human user.110 Autonomy is a common and desired attribute in eObjects, especially when viewed through the lens of those supporting ambient intelligence scenarios. Where it is present, decisions are made by systems and machines rather than humans. Of course this is often advantageous, as it reduces the need of humans to be involved in low-level decision making when they are only interested in high-level outcomes. For example, a person may regularly be engaged in making presentations in a large organisation with a number of different meeting rooms. A smart office system in conjunction with a mobile device could be programmed to find a pe so s location within the office, and project the slideshow onto the nearest screen, without any intervention from the user other than a si ple i st u tio to u slidesho . One current focus for autonomous design in eObjects is the self-driving car. The first tests of a driverless car in the southern hemisphere were undertaken in Adelaide in November 2015,111 following on from at least 5 years of trials in other countries.112 Depending on the ele a t ju isdi tio , e la s a e e ui ed to allo d i e less a s to e egiste ed and driven on the roads. For example, current New York legislation prohibits drivers from operating a motor vehicle without having at least one hand on the wheel at all times.113 The rule is clearly directed towards the goal of ensuring that a driver can react quickly to avoid a 110 Manwaring and Clarke, 'Surfing the third wave of computing: a framework for research into networked eObjects', (n 3), 591, 594, 600-601. For a discussion of the different levels of autonomy that can exist, see Roger Clarke, 'Understanding the drone epidemic' (2014) 30 Computer Law and Security Review 230 111 ABC, 'Driverless cars 'could be on roads by 2020', Volvo predicts ahead of first Australian trial (7 Nov 2015)' 2015) <http://www.abc.net.au/news/2015-11-07/driverless-car-trial-on-southern-expressway/6921060> accessed 16 November 2015 112 “e astia Th u , 'What e e d i i g at' 9 O to e <https://googleblog.blogspot.com.au/2010/10/what-were-driving-at.html> accessed 5 January 2016 113 New York Vehicle & Traffic Law, Title 7, s 1226. collision, but is arguably obsolescent u de Be ett Moses categorisation in an age where contact with the steering wheel is not required for control.114 Not surprisingly, some significant risks have been identified with the capacity of autonomous systems to control decision-making. An autonomous system may well have clear embedded rationales and procedures for its decision-making, but those procedures are usually programmed by someone other than the ultimate user. Moving from current capabilities of autonomous systems to those that might occur in the future, systems that can learn and adapt to environmental change have an even greater capacity to deviate from what is known about the system when it is first installed or interacted with by a user. The risks of this type of autonomous design can include:     loss of user control; 115 unanticipated and undesired behaviours116 – from the perspective of the primary user and/or others affected by its use117; and systems which learn to operate outside safe or normal limits, or to conflict with user intentions; 118 and the algorithms for decision-making processes and the assumptions behind them may not be accessible to users,119 which makes them vulnerable to undiscovered error and consequent inappropriate decision-making. In the case of future developments in driverless cars, the risks of loss of user control and undesired behaviours have recently been the subject of some concern. These concerns concentrate on the possibility of very sophisticated crash-avoidance systems in cars, and the programming of decision-making in the case of an imminent crash that has multiple harmful 114 The New York Senate has recognised the problems that such a law poses for semi- and fully-autonomous vehicles, and passed an amending Bill to repeal this section on 17 June 2015 (the Bill had not yet passed the Assembly at the time of writing). See http://www.nysenate.gov/legislation/bills/2015/s5280. 115 Poslad, Ubiquitous computing: smart devices, environment and interaction (n 30), 423. 116 Ibid (n 30), 423. 117 Patrick Lin, 'Here's a Terrible Idea: Robot Cars with Adjustable Ethics Settings' Wired (18 August 2014) <http://www.wired.com/2014/08/heres-a-terrible-idea-robot-cars-with-adjustable-ethics-settings/> accessed 3 November 2015 118 Poslad, Ubiquitous computing: smart devices, environment and interaction (n 30), 423. 119 Goodman, Future crimes : everything is connected, everyone is vulnerable and what we can do about it(n 55), 6967-89 [Kindle edn]. possible outcomes.120 Scholars have reformulated the so- alled t olle p o le thought experiment121 to apply to self-driving vehicles, for example as: You e d i i g a auto o ous a i headi g to a ds fi e people at a fa a ual e s ode— ou e i atte ti e and suddenly are a ket. You a se ses this i o i g ollisio , and has to decide how to react. If the only option is to jerk to the right, and hit one person instead of remaining on its course towards the five, what should it do?122 Other formulations postulate a decision-making algorithm that chooses the safety of the driver over pedestrians, or passengers over drivers.123. A driver somewhere makes such a decision every day, but usually in a split second, without any real possibility of considering the ethics of his or her decision. The ability of manufacturers to pre-meditate such decisions (or for drivers to choose at leisure particular ethics settings in their cars) may well be seen as a legal problem fitting i to Be ett Moses fi st atego of requiring specially tailored laws required due to the unique nature of new forms of conduct. 4 Conclusion eObjects with a myriad of different affordances are experiencing significant growth in modern society. With this growth comes change, and with socio-technological change comes the possibility of a disconnection between existing law and the new things, activities, and relationships that arise out of the development and use of eObjects. There exist significant imperatives for legal researchers to be able to quickly and rigorously analyse this disconnection. These imperatives include not only the need for timely intervention due to the operation of the Collingridge dilemma, but also to ensure that any legal reaction is not 120 Similar questions have been raised in work relating to robotics eg Roger Clarke, 'Asimov's laws of robotics: implications for information technology - Part I' (1993) 26 Computer 53 and Roger Clarke, 'Asimov's laws of robotics: Implications for information technology - Part II' (1994) 27 Computer 57. 121 Eg as described in Judith J. Thomson, 'Killing, Letting Die, and the Trolley Problem' (1976) 59 The Monist 204. 122 Patrick Lin quoted in Lauren Cassani Davis, 'Would You Pull the Trolley Switch? Does it Matter?' The Atlantic (9 October 2015) <http://www.theatlantic.com/technology/archive/2015/10/trolley-problem-historypsychology-morality-driverless-cars/409732/> accessed 5 November 2015 123 Lin, 'Here's a Terrible Idea: Robot Cars with Adjustable Ethics Settings', (n 117). an overreaction which may inappropriately or prematurely stifle development of useful technologies. This paper has demonstrated the use of a combined technical and theoretical research framework to uncover existing and potential legal problems that might arise in different contexts arising out of the development of the third wave of computing. The use of this framework has elucidated some specific legal problems in all four categories of regulatory disconnection proposed by Bennett Moses, as well as a refinement of those categories to include practical uncertainty. This analysis has not only identified specific legal problems in particular areas but also some problems more general in their application, which are worth further investigation. Firstly, uncertainty – both legal and practical – has emerged as a significant issue, with important consequences. Rule-making bodies must find ways to deal appropriately with the Collingridge dilemma. Otherwise, regulation runs the risk of stifling beneficial innovative practices or being i ade uate to p ote t use s legiti ate i te ests. The likelihood of the latter is heightened by the fact that the most likely reaction of manufacturers and suppliers to risks posed by uncertainty will be an attempt to exclude liability through contractual terms and conditions. These (usually) non-negotiable terms and conditions, including clauses relating to privacy and data protection, pose particular risks for individual users. 124 The limitations on text display of many consumer eObjects means that forms of consent are often questionable, and proper notice of terms contested. Secondly, the category of underinclusiveness has emerged as critical when considering new conduct made possible by eObjects. Under-inclusiveness (as well as over-inclusiveness) will often give rise to a competition of interests. Therefore, when faced with questions of under- or overinclusiveness of new products, activities and relationships arising out of new technologies, rule-making bodies will need to make significant policy decisions as to whose interests should be given priority. For should those detrimentally affected by the conduct be protected at the expense of those making a commercial return from the conduct, or the opposite? 124 See eg Radin, Boilerplate : the fine print, vanishing rights, and the rule of law, (n 91). Due to the diversity of both the technologies concerned, and the areas of law and regulation that may be affected, this paper cannot provide a comprehensive analysis of all legal problems that might arise out of the new activities, things and relationships made possible by eObjects. The emphasis in this paper has been on demonstrating a particular approach to uncovering legal problems for individual users of eObjects, predominantly in the private law space. However, the framework is not limited to any one area of the law, nor to the specific eObjects discussed in detail. This paper is intended to provide a roadmap for further research into any and all legal problems arising out of the new activities, products and relationships made possible by eObjects. For example, further research may use the framework to analyse legal problems that arise out of a particular subset of eObjects, for example driverless cars, or those that arise in a particular industry, such as healthcare. This paper does not attempt to provide solutions to the legal problems identified, but is relevant for further research of this type. The analysis and categorisation suggested by Bennett Moses, and applied in this paper, can also be very useful in research focussing on solutions. Categorisation is a useful analytical tool, to ensure that regulations focus on a specific defined harm to protect against, or a benefit to encourage. But its use also allows successful solutions applied in particular regulatory areas to be considered for application across other regulatory areas. Where the essential nature of the proble s a e the sa e , such as under-inclusiveness or practical uncertainty, then solutions for one specific problem may well be the basis for solutions to other problems. Bibliography SPY Car Act of 2015, S 1806, 114th Congress (2015) Privacy Act 1988 (Cth) Competition and Consumer Act 2010 (Cth) National Rugby League Investments Pty Limited v Singtel Optus Pty Ltd [2012] FCAFC 59 Federal Trade Commission v Wyndham Worldwide Corporation Federal Trade Commission v Wyndham Worldwide Corp, No 14-3514, F 3d (Aug 24, 2015) ABC, 'Driverless cars 'could be on roads by 2020', Volvo predicts ahead of first Australian trial (7 Nov 2015)' (2015) <http://www.abc.net.au/news/2015-11-07/driverless-car-trial-on-southernexpressway/6921060> accessed 16 November 2015 Adelstein F and others, Fundamentals of mobile and pervasive computing (McGraw-Hill 2005) Albatal R and others (eds), Shaping our digital lives (8th Irish Human-Computer Interaction Conference, 2014) Barcena MB, Wueest C and Lau H, How safe is your quantified self? (Symantec Security Response Report, 11 August 2014) Bennett Moses L, 'Recurring dilemmas: the law's race to keep up with technological change' (2007) 2 University of Illinois Journal of Law, Technology & Policy 239 Bennett Moses L, 'Why have a theory of law and technological change?' (2007) 8 Minnesota Journal of Law, Science & Technology 589 Bennett Moses L, 'Agents of Change: How the Law Copes with Technological Change' (2011) 20 Griffith Law Review 763 Bennett Moses L, 'How to Think about Law, Regulation and Technology – Problems with Te h olog as a ‘egulato Ta get' La , I o atio a d Te h olog Bilton N, 'Bits Blog: Disruptions: As New Targets for Hackers, Your Car and Your House' New York Times (11 August 2013) <http://bits.blogs.nytimes.com/2013/08/11/taking-over-cars-and-homesremotely/?_r=0> Brownsword R, Rights, Regulation, and the Technological Revolution (Oxford University Press 2008) Brownsword R and Goodwin M, Law and the Technologies of the Twenty-First Century: Text and Materials (Cambridge University Press 2012) Calo R, 'Digital Market Manipulation' (2014) 82 George Wash Law Rev 995 Calo R, 'Digital Market Manipulation' (2014) 82 George Washington Law Review Cassani Davis L, 'Would You Pull the Trolley Switch? Does it Matter?' The Atlantic (9 October 2015) <http://www.theatlantic.com/technology/archive/2015/10/trolley-problem-history-psychologymorality-driverless-cars/409732/> accessed 5 November 2015 Checkoway S and others, 'Comprehensive Experimental Analyses of Automotive Attack Surfaces' in Wagner D (ed) Proceedings of USENIX Security 2011, Aug 2011 (Proceedings of USENIX Security 2011, Aug 2011, USENIX 2011) Cimpanu C, 'Insecure Internet-Connected Kettles Help Researchers Crack WiFi Networks Across London' Softpedia (20 October 2015) <http://news.softpedia.com/news/insecure-internetconnected-kettles-help-researchers-crack-wifi-networks-across-london-494895.shtml> accessed 12 November 2015 Clarke R, 'A Framework for Analysing Technology's Negative and Positive Impacts on Freedom and Privacy (Draft of 16 August 2015)' <http://www.rogerclarke.com/DV/Biel15-DuDA.html#App3> Clarke R, 'Introduction to Dataveillance and Information Privacy, and Definitions of Terms (last updated 21 October 2013)' <http://www.rogerclarke.com/DV/Intro.html#Mis> accessed 15 December 2015 Clarke R, 'Asimov's laws of robotics: implications for information technology - Part I' (1993) 26 Computer 53 Clarke R, 'Asimov's laws of robotics: Implications for information technology - Part II' (1994) 27 Computer 57 Clarke R, 'Paradise gained, paradise re-lost: how the Internet is being changed from a means of liberation to a tool of authoritarianism' (2001) 18 Mots Pluriels Clarke R, 'Understanding the drone epidemic' (2014) 30 Computer Law and Security Review 230 Clarke R and Maurushat A, 'Passing the Buck: Who Will Bear the Financial Transaction Losses from Consumer Device Insecurity?' (2007) 18 Journal of Law, Information & Science 8 Cockfield AJ, 'Towards a law and technology theory' (2004) 30 Manitoba Law Journal 383 Collingridge D, The social control of technology (Pinter 1980) Coudert F, Butin D and Le Métayer D, 'Body-worn cameras for police accountability: Opportunities and risks' 31 Computer Law & Security Review Coulouris GF and others, Distributed systems : concepts and design (Addison-Wesley (Pearson Education) 2012) Davison RM, 'The privacy rights of cyborgs' (2012) 27 Journal of Information Technology 324 Dourish P and Bell G, Divining a digital future: mess and mythology in ubiquitous computing (MIT Press 2011) Edito ial, 'Fo d VP: 'We ha e GP“ i ou a , so e k o hat ou e doi g'' t o <http://rt.com/usa/ford-vp-auto-surveillance-382/> Finn RL, Wright D and Friedewald M, 'Seven Types of Privacy' in Gutwirth S and others (eds), European Data Protection: Coming of Age (European Data Protection: Coming of Age, Springer 2013) Gellert R and Gutwirth S, 'The legal construction of privacy and data protection' (2013) 29 Computer Law & Security Review 522 Giblin R, 'Stranded in the Technological Dark Ages: Implications of the Full Federal Court's decision in NRL v Optus' (2012) 35 European Intellectual Property Review 632 Gibson W, 'Burning Chrome (short story)' Burning Chrome (Burning Chrome (5th reprint) Harper Collins 1995) Goodman M, Future crimes : everything is connected, everyone is vulnerable and what we can do about it (Doubleday 2015) Goodwin M, 'Introduction: A Dimensions Approach to Technology Regulation' in Goodwin M and others (eds), Dimensions of Technology Regulation (Dimensions of Technology Regulation, Wolf Legal Publishing 2010) Greenberg A, 'GM Took 5 Years to Fix a Full-Takeover Hack in Millions of OnStar Cars' Wired (10 Sep 2015) <http://www.wired.com/2015/09/gm-took-5-years-fix-full-takeover-hack-millions-onstarcars/> Greenberg A, 'Hackers Remotely Kill a Jeep on the Highway - With Me in It' Wired (21 July 2015) <http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/> Group CSAMW, Security Guidance for Early Adopters of the Internet of Things (IoT) (April 2015), 2015) Hughes G and di Marco L, 'Online privacy policies — it s ot just a out the P i a A t' Internet Law Bulletin 38 Kang J and Cuff D, 'Pervasive Computing: Embedding the Public Sphere' (2005) 62 Washington and Lee Law Review 93 King K, 'Personal Jurisdiction, Internet Commerce, and Privacy: The Pervasive Legal Consequences of Modern Geolocation Technologies' (2011) 21 Albany Law Journal of Science & Technology 61 King NJ, 'When Mobile Phones Are RFID-Equipped — Finding EU-US Solutions to Protect Consumer Privacy and Facilitate Mobile Commerce' (2008) 15 Michigan Telecommunications & Technology Law Review 107 Kirby M, 'The Fundamental Problem of Regulating Technology' (2009) 5 The Indian Journal of Law and Technology 1 Koops B-J, 'Ten dimensions of technology regulation. Finding your bearings in the research space of an emerging discipline' in Goodwin M and others (eds), Dimensions of Technology Regulation (Dimensions of Technology Regulation, Wolf Legal Publishing 2010) Kurosu M (ed), Towards Intelligent and Implicit Interaction (15th International Conference on Human-Computer Interaction, HCII 2013, Springer 2013) Ledger S, 'Update: Hello Barbie Fails Another Security Test' securityledgercom (4 December 2015) <https://securityledger.com/2015/12/hello-barbie-fails-another-security-test/> accessed 17 December 2015 Li G, 'Deciphering Pervasive Computing: a Study of Jurisdiction, E-Fraud and Privacy in Pervasive Computing Environment' in Godara V (ed) Risk Assessment and Management in Pervasive Computing: Operational, Legal Ethical and Financial Perspectives (Risk Assessment and Management in Pervasive Computing: Operational, Legal Ethical and Financial Perspectives, Information Science Reference 2009) Lin P, 'Here's a Terrible Idea: Robot Cars with Adjustable Ethics Settings' Wired (18 August 2014) <http://www.wired.com/2014/08/heres-a-terrible-idea-robot-cars-with-adjustable-ethics-settings/> accessed 3 November 2015 Mann S, 'Wearable Computing' in Soegaard M and Dam RF (eds), The Encyclopedia of HumanComputer Interaction (The Encyclopedia of Human-Computer Interaction, 2nd edn, The Interaction Design Foundation 2012) Manwaring K, 'A shift in time saves no-one: mobile technologies and the NRL v Optus decision' (2012) 5 Journal of the Australasian Law Teachers Association 83 Manwaring K and Clarke R, 'Surfing the third wave of computing: a framework for research into networked eObjects' (2015) 31 Computer Law & Security Review 586 Mao Y and others, 'Sponge-Like Piezoelectric Polymer Films for Scalable and Integratable Nanogenerators and Self-Powered Electronic Systems' (2014) 4 Advanced Energy Materials Marchant GE, Allenby BR and Herkert JR (eds), The Growing Gap Between Emerging Technologies and Legal-Ethical Oversight: The Pacing Problem (Springer 2011) Michael K and Clarke R, 'Location and Tracking of Mobile Devices: Überveillance Stalks the Streets' (2013) 29 Computer Law & Security Review 216 Peppet SR, 'Freedom of Contract in an Augmented Reality: The Case of Consumer Contracts' (2012) 59 UCLA Law Review 676 Peppet SR, 'Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security & Consent' (2014) 93 Texas Law Review 85 Poslad S, Ubiquitous computing: smart devices, environment and interaction (John Wiley & Sons Ltd 2009) Project OWAS, 'Top 10 IoT Vulnerabilities (2014) Project' (Open Web Application Security Project Wiki, <https://www.owasp.org/index.php/OWASP_Internet_of_Things_Project#tab=Top_10_IoT_Vulnera bilities__282014_29> accessed 17 December 2015 Radin MJ, Boilerplate : the fine print, vanishing rights, and the rule of law (Princeton, N.J. : Princeton University Press 2013) Rahman M, Carbunar B and Banik M, 'Fit and Vulnerable: Attacks and Defenses for a Health Monitoring Device' (2013) arXiv:13045672 [csCR] Reddy T, '15 Companies From Airports to Retail Already Using Beacon Technology' <https://www.umbel.com/blog/mobile/15-companies-using-beacon-technology/> accessed 10 November 2014 Robertson J, 'Insulin pumps, monitors vulnerable to hacking' Sydney Morning Herald <http://news.smh.com.au/breaking-news-technology/insulin-pumps-monitors-vulnerable-tohacking-20110804-1idfn.html> accessed 29 May 2014 Satyanarayanan M, 'Fundamental challenges in mobile computing' Principles of distributed computing: Proceedings of the fifteenth annual ACM symposium (Principles of distributed computing: Proceedings of the fifteenth annual ACM symposium, ACM 1996) Satyanarayanan M, 'Pervasive computing: vision and challenges' (2001) 8 IEEE Personal Communications 10 Schneier B, 'The Internet of Things is Wildly Insecure - and often Unpatchable' Wired (1 June 2014) <http://www.wired.com/2014/01/theres-no-good-way-to-patch-the-internet-of-things-and-thats-ahuge-problem/> Smith BW, 'Proximity-Driven Liability' (2013-2014) 102 Georgetown Law Journal 1777 Smith M, 'Why your smartphone won't be your next PC' 3 August 2013 Digital Trends <http://www.digitaltrends.com/computing/why-your-smartphone-wont-be-your-next-pc/#!US6P1> accessed 5 January 2016 Solove DJ and Hartzog W, 'The FTC and the New Common Law of Privacy' (2014) 114 Columbia Law Review 583 Thierer AD, 'The Internet of Things & Wearable Technology: Addressing Privacy & Security Concerns Without Derailing Innovation' (2015) 21 Richmond Journal of Law & Technology Thomson JJ, 'Killing, Letting Die, and the Trolley Problem' (1976) 59 The Monist 204 Th u “, 'What e e d i i g at' 9 O to e <https://googleblog.blogspot.com.au/2010/10/what-were-driving-at.html> accessed 5 January 2016 Townsend AM, Smart cities: big data, civic hackers, and the quest for a new utopia (W. W. Norton & Company 2013) Uteck A, 'Reconceptualizing Spatial Privacy for the Internet of Everything' (PhD thesis, University of Ottawa 2013) Weber RH, 'Internet of things – New security and privacy challenges' (2009) 26 Computer Law and Security Review: The International Journal of Technology and Practice 23 Weiser M, 'The Computer in the 21st Century' (1991) Scientific American 94 Weiser M and Brown JS, 'The Coming Age of Calm Technology' (1996) <http://www.ubiq.com/hypertext/weiser/acmfuture2endnote.htm> accessed 26 February 2015 Werbach K, 'Sensors and Sensibilities' (2007) 28 Cardozo L Rev 2321 Wood J, 'iBeacon: the Future of Content Marketing?' (B2B Marketing, 17 February 2014) <http://www.b2bmarketing.net/blog/posts/2014/02/17/ibeacon-future-content-marketing> accessed 7 October 2015 Wright D and others (eds), Safeguards in a world of ambient intelligence, vol 1 (The International Library of Ethics, Law and Technology, Springer 2008) Zetter K, 'Medical devices that are vulnerable to life-threatening hacks' Wiredcom <http://www.wired.com/2015/11/medical-devices-that-are-vulnerable-to-life-threateninghacks/#slide-x>