We’ve all heard of the Internet of Things, a network of products ranging from refrigerators to cars to industrial control systems that are connected to the internet. Now comes the Internet of Bodies—a network of smart devices that are attached to or inside our bodies. But using the human body as a technology platform raises a host of challenging legal and policy questions that regulators and judges may not be prepared to answer. Among them: Who controls these “IoB” devices in our bodies? Who can use the body-derived data? Who is responsible for ensuring that the devices work as intended?
Already, there is an “artificial pancreas” device that monitors blood glucose and delivers insulin, remotely monitored heart pacemakers and a Bluetooth-enabled cochlear implant. There are “smart pills” containing sensors being developed to deliver cancer treatment or send status reports to a smartphone from inside your stomach. A self-tuning brain implant powered by chips is being tested to treat Parkinson’s and Alzheimer’s symptoms. Prosthetic limbs can include software or be “hard-wired” to bones, while neural-bypass devices can reroute brain signals past a spinal injury, enabling paralysed limbs to move again. The future promises much more, including electronic tattoos that monitor vital signs and injected contact lenses with internet connections that augment vision or let you play a video game. While these changes could transform medicine and our daily lives, they also introduce a new level of peril: For the first time, our physical safety, autonomy, and well-being can—and inevitably will—be harmed because of flawed software or lapses in security. The law is unprepared to address the injuries that the Internet of Bodies will bring. Here is a look at some of the questions that might play out inside regulatory agencies and in intellectual property, contracts and bankruptcy.
The U.S. Food and Drug Administration is responsible for ensuring that medical implants are safe, but the FDA deemed healthy-lifestyle IoB devices such as fitness trackers to generally fall outside the agency’s purview. So under the FDA’s current approach, some IoB devices wouldn’t necessarily have to meet the more stringent safety standards of, say, a heart pacemaker—though they would be subject to federal product-safety and unfair-trade-practices laws like any other electronic device. Consider a hypothetical smart pill that combines vitamins and includes a sleep tracker that sends information about your vital functions to your phone. It isn’t clear whether this would be deemed a “medical device” by the FDA. Sleep trackers, like other first-generation fitness trackers, generally aren’t considered to be medical devices, and when it comes to vitamin supplements, the agency generally relies on manufacturers to verify their own products’ safety. The FDA, which said in an email that it doesn’t comment on how it might regulate hypothetical devices, could take a similar hands-off approach with parallel IoB devices.
That would leave oversight of IoB functionality and health claims primarily to the Federal Trade Commission. The agency’s primary role is to police unfair and deceptive trade practices, including enforcing rules against false or misleading advertising. For first-generation IoB devices, the FTC has also been the main enforcement agency for security and privacy issues. The FTC is a much smaller agency than the FDA, and it may lack the bandwidth to aggressively monitor an explosion of IoB devices without additional resources. An FTC spokeswoman says that the agency has been active in policing consumer Internet-of-Things devices, including bringing an enforcement action against the maker of video baby monitors and more recently the maker of internet-connected electronic toys for privacy violations.
Another murky area for IoB devices centres on patent law. Consider a smart contact lens that is injected directly into the eyeball—a concept that has already been patented and is in active development. Such a device could improve vision, monitor glucose levels, deliver augmented-reality content or film the wearer’s surroundings. Suppose the patent for this lens ends up in the portfolio of a patent assertion entity or a “patent troll”—a company that obtains the rights to patents to profit from enforcement, rather than by producing its goods or services. If the patent holder successfully sues a smart-lens maker, alleging that the underlying code infringes its patent, the IoB company may terminate support for the lens, either because of profitability concerns or because of a judicial order. Suddenly the consumers who have the lens injected into their eyeballs may find themselves implanted with a device that may no longer function fully, if at all. They may face the choice of whether to incur the cost and physical risk of having the device removed from their bodies—a far bigger problem than dealing with a non-IoB consumer product that stops working. Congress faced a somewhat similar situation when it limited the ability of holders of medical-procedure patents to recover damages—a response to doctors’ objections that patent rights were hurting patient safety and care. The Internet of Bodies may require similar congressional action.
Like most of the tech industry, existing IoB companies rely on end-user license agreements and privacy policies to retain rights in software and to create rights to monitor, aggregate and share users’ body data. Courts have tended to enforce these kinds of agreements, sometimes even when the contract allows for arguably draconian results. For example, some end-user license agreements have allowed companies to deactivate, or “brick,” a device unless a consumer agrees to changes in privacy or information-sharing provisions. This might seem a mere annoyance for a networked doorbell or speaker, but when an IoB device is involved, the consequences could be much more serious. Imagine a smart prosthetic arm that uses software to translate brain commands into action. The user agreement could assert that the device and its software are only licensed to the consumer and that the manufacturer retains rights to the IoB arm even after the device is attached to the consumer’s body. What happens if a consumer with one of these devices declines to assent to a revised privacy agreement? Particularly because many nonmedical IoB companies will assert that they aren’t covered by HIPAA (the Health Insurance Portability and Accountability Act), consumers’ agreements with IoB companies will create the primary privacy constraints in most U.S. states. Should contract law allow the company to require the consumer to undergo surgery to have the device removed? Should courts permit the manufacturer’s contract rights to extend to deactivating an IoB device remotely if the device is connected to the internet? Depending on individual cases, some courts might strictly enforce the user agreement; others are likely to be uncomfortable with strictly enforcing contracts when the possible consequences include physical harm to human bodies.
Credit: Dr Andrea M. Matwyshyn, Professor of Law and Computer Science and Co-Director of the Center for Law, Innovation and Creativity at Northeastern University, for The Wall Street Journal, 12 November 2018.