Tag: legal

Connected doll Cayla, connected TVs & the legal status of IoT in Germany


Over the last few weeks there’s been a lot of discussion around the security of connected toys. One case stood out not just because of insufficient security practices but also because in Germany it was declared illegal by Bundesnetzagentur (BNetzA, Germany’s Federal Network Agency).

BNetzA referred to §90 of the telecommunications law, which states, among other things, that surveillance equipment is mostly illegal and that everyday appliances may not be equipped for surveillance (i.e. no audio/video recording “disguised” as everyday devices that purportedly serve a different purpose). Roughly summarised, BNetzA’s argument (English version) is that Cayla is a spy tool disguised as a toy; what’s worse, the kids using it have no chance of knowing what’s going on, and neither do the parents:

The Bundesnetzagentur has taken action against unauthorised wireless transmitting equipment in a children’s toy and has already removed products from the market.

“Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy. This applies in particular to children’s toys. The Cayla doll has been banned in Germany,” says Jochen Homann, Bundesnetzagentur President. “This is also to protect the most vulnerable in our society.”

Concealed surveillance device

Any toy that is capable of transmitting signals and that can be used to record images or sound without detection is banned in Germany. The first toys of this type have already been taken off the German market at the instigation of the Bundesnetzagentur and in cooperation with distributors.

There is a particular danger in toys being used as surveillance devices: Anything the child says or other people’s conversations can be recorded and transmitted without the parents’ knowledge. A company could also use the toy to advertise directly to the child or the parents. Moreover, if the manufacturer has not adequately protected the wireless connection (such as Bluetooth), the toy can be used by anyone in the vicinity to listen in on conversations undetected.

Further products to be inspected

The Bundesnetzagentur is to inspect other interactive toys and, if necessary, will take further action. In this respect the requirements of section 90 of the German Telecommunications Act must be met: Objects must, by their form, purport to be another object or are disguised as an object of daily use and, due to such circumstances or due to their operation, are particularly suitable for intercepting the non-publicly spoken words of another person without his detection or for taking pictures of another person without his detection. This also applies to customised devices.

Ever since reading the bit about concealed surveillance in objects of daily use I’ve been wondering about where to draw the line. Smart fridges? Connected TVs? Game consoles? Smart home hubs?

I decided to send an inquiry to BNetzA’s press office and picked two: Connected TVs (because they are disguised as an object of daily use) & smart home hubs (because they are particularly suitable for intercepting the non-publicly spoken words).

They replied promptly and were very helpful. Here’s what they said (Original German reply below):

Regarding the devices you named, the crucial point is the question if they are suitable for recording non-public conversations unnoticed or for recording images of a person unnoticed.

In other words: Is it clear to everyone that the device has a microphone or a camera? According to the current interpretation of §90 of the telecommunications law this is the case, for example, for cell phones and baby phones.

For devices that are controlled by voice or gestures we haven’t come to a final assessment yet.

So that’s pretty interesting, and it shows just how much of a transition period we are in with this. On one hand it’s a matter of reasonable consumer expectations: Would a regular consumer reasonably know what they’re buying? On the other it’s a question of interfaces: If this is how a thing is controlled, is the microphone or camera then an obvious (or obvious enough) part of using the device to make it ok?

Ame Elliott making the case for UX & IoT Security at ThingsCon Amsterdam. (Watch her presentation.)

For designers and makers of connected devices that include a microphone or camera, this is tricky terrain. For a while, expect some level of uncertainty. This is something to keep an eye on. In the meantime, obviously make sure to maintain good security practices. No matter what the legal ruling on this larger question ends up being, if your device isn’t secure you’ve got much bigger problems to begin with.

///

Here’s the original reply from Bundesnetzagentur’s media relations office in German:

“Hinsichtlich der von Ihnen genannten Geräte ist ein entscheidender Punkt die Frage, ob sie dazu geeignet sind, das nicht öffentlich gesprochene Wort eines anderen von diesem unbemerkt abzuhören oder das Bild eines anderen von diesem unbemerkt aufzunehmen.

Andersherum gefragt: Ist sich Jeder darüber im Klaren, dass das Gerät über ein Mikrofon verfügt oder eine Kamera eingebaut ist? Nach der Gesetzesbegründung zu § 90 Telekommunikationsgesetz ist das zum Beispiel gegeben bei Mobiltelefonen und bei Babyphones.

Dies ist von der Bundesnetzagentur hinsichtlich Geräten, die mit Sprache oder gar Bewegungen gesteuert werden, noch nicht abschließend bewertet.”

ATT & Cargo Cults


Ulaanbaatar, Mongolia Image by One Laptop Per Child (CC by)


As BoingBoing reports, a leaked memo indicates that AT&T will introduce a creepy and stupid policy: If a user is repeatedly suspected of copyright infringement (by which means is unclear – Hadopi style maybe?), AT&T will block access to Youtube and other sites and instead re-direct that user to an “on-line education tutorial”, and only after they complete said tutorial will it allow them to access the web again as they please.

All the enforcement issues and the details of this particular instance aside, the political implications of what’s been going on in the world of copyright enforcement over the last 10-15 years are so creepy and skewed that it’s hard to believe we’re still even talking about this. And that a company would still even consider the option to screw their customers without a legal warrant or equivalent, just like that. When did that become acceptable?

I’m guessing that in 10 years or so we’ll look back at this era and laugh about it like today we laugh about Cargo Cults.

Unless, that is, we won’t be laughing about it because this is still going on, but then it’d be a world I wouldn’t want to live in.

Catch up to the 21st century some time soon & find business models where you get paid voluntarily without suing or surveilling anyone?

More on Boingboing.