An Excerpt from Rise of the Intelligent Information Brokers: Role of Computational Law Applications in Administering the Dynamic Cybersecurity Threat Surface in IoT

The following is a short excerpt from my Rise of the Intelligent Information Brokers: Role of Computational Law Applications in Administering the Dynamic Cybersecurity Threat Surface in IoT paper. I will be presenting this paper at the University of Minnesota Law School’s “The Legal Landscape of the Internet of Things: Minnesota Journal of Law, Science & Technology Symposium” on March 2, 2018. (This has not yet been edited by the Law Review folks. Footnote numbering has been adjusted just for this post. “CLAI” refers to “computational law artificial intelligence” application.)

****

4. CLAIs as Intelligent Information Brokers

CLAIs can fulfill this educational role, functioning as intelligent (by virtue of AI) information brokers for users of IoT devices.[1] There are a number of possible implementations. For instance, a CLAI can be used to distill and compare relevant device information from multiple sources and deliver a succinct message (referred to as a “signal”) to the user. Of course, a user could also select to be advised through other means, such as a chat session. Some devices may have distinct default (though still user-configurable) communication formats that depend on the device type. For example, messaging for a home lighting kit can be easily accommodated by signaling, as the more complex chat format is likely unnecessary (but still available).

Action signals and the more complex chat drivers are distilled from the CLAI’s assessment of multiple reference points. An illustrative list includes: (a) existence of unfavorable terms and conditions (a poor warranty[2]); (b) litigation frequency (the manufacturer has more than a certain amount of relevant litigation in any given year[3] and/or has been the subject of enforcement actions by the FTC)[4]; (c) evaluation of conformance with privacy and security-by-design principles; (d) identification of compliance, or lack thereof, with cybersecurity best practices[5] and with FTC consent decrees; (e) manufacturer-issued security and privacy notices;[6] and (f) the user’s risk tolerance profile.[7] When any of these monitored parameters meets or exceeds a set threshold, the CLAI generates a score and alerts the user with an actionable symbol, such as a red flag.
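As an added illustration (not code from the paper or the CodeX project), the following sketches how a CLAI signaling engine could distill reference points (a) through (f) into one actionable signal: each monitored parameter is compared against a threshold, the user’s risk tolerance profile (f) raises or lowers every threshold, and the delivery format defaults by device type. The parameter names, threshold values and device-type mapping are constructed assumptions; the paper sets no numbers.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Reference points (a)-(e) from the excerpt, each supplied as a value normalised to
# 0.0 (no concern) .. 1.0 (maximum concern). Threshold values are constructed for
# illustration; the paper sets no numbers.
BASE_THRESHOLDS: Dict[str, float] = {
    "unfavorable_terms": 0.6,      # (a) poor warranty, one-sided terms and conditions
    "litigation_frequency": 0.5,   # (b) relevant litigation per year, FTC enforcement actions
    "design_nonconformance": 0.5,  # (c) gaps against privacy/security-by-design principles
    "best_practice_gaps": 0.4,     # (d) non-compliance with best practices and consent decrees
    "open_security_notices": 0.3,  # (e) unresolved manufacturer security and privacy notices
}

# Device types whose default communication format is the succinct "signal";
# anything else falls back to the richer chat format. Constructed mapping.
SIGNAL_BY_DEFAULT = {"home_lighting_kit"}


@dataclass
class Signal:
    level: str                      # "red flag" when any monitored parameter trips, else "clear"
    score: float                    # aggregate concern score, mean of the reference points, 0..1
    tripped: List[str] = field(default_factory=list)  # parameters at or above their threshold
    channel: str = "signal"         # delivery format actually used


def effective_thresholds(risk_tolerance: float) -> Dict[str, float]:
    """(f) Apply the user's risk tolerance profile to the base thresholds.

    0.0 = very cautious: thresholds halve, so the user is alerted earlier and more often;
    0.5 = neutral: base thresholds; 1.0 = tolerant: thresholds rise by half.
    """
    if not 0.0 <= risk_tolerance <= 1.0:
        raise ValueError("risk_tolerance must be within 0.0..1.0")
    factor = 0.5 + risk_tolerance
    return {name: min(1.0, base * factor) for name, base in BASE_THRESHOLDS.items()}


def assess(readings: Dict[str, float], risk_tolerance: float,
           device_type: str = "generic", preferred_channel: Optional[str] = None) -> Signal:
    """Distil the reference points into one actionable signal for the user."""
    thresholds = effective_thresholds(risk_tolerance)
    # Missing parameters count as no concern; out-of-range inputs are clamped to 0..1.
    values = {name: min(1.0, max(0.0, readings.get(name, 0.0))) for name in BASE_THRESHOLDS}
    tripped = [name for name, value in values.items() if value >= thresholds[name]]
    score = round(sum(values.values()) / len(values), 3)
    level = "red flag" if tripped else "clear"
    default_channel = "signal" if device_type in SIGNAL_BY_DEFAULT else "chat"
    return Signal(level, score, tripped, preferred_channel or default_channel)
```

The same readings therefore produce a red flag for a neutral user and no alert for a tolerant one, which is the effect the risk tolerance profile is meant to have on signaling frequency.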

****

[1] This capability can also be useful for manufacturers of the devices.

[2] A “poor warranty” results from a comparison of every known warranty in a central repository. This is the subject of research at CodeX. At a high level, the warranty information is constructed by data-mining bots. See also, https://patents.google.com/patent/US20070100790A1/en?oq=20070100790 (last visited 1/15/2018), specifically, the reference to connecting the automated assistant to an active ontology.

[3] Lex Machina delivers this information today. Lex Machina was a project born from Stanford Law School’s Center for Computational Law (CodeX). Lex Machina was sold to Lexis.

[4] See, for example, the FTC and toymaker VTECH settlement agreement over the latter’s breach of its privacy policy, https://www.ftc.gov/news-events/press-releases/2018/01/electronic-toy-maker-vtech-settles-ftc-allegations-it-violated (last visited 1/12/2018).

[5] See discussion on the legal significance of cybersecurity best practices in FN5. CLAIs also promote the “Core” cybersecurity best practices, which are “five concurrent and continuous functions—Identify, Protect, Detect, Respond and Recover.” The Core is a strategic view of the lifecycle of an organization’s management of cybersecurity risk. Consider, for example, that in the FTC’s actions against HTC America, Inc., https://www.ftc.gov/enforcement/cases-proceedings/122-3049/htc-america-inc-matter (last visited 1/15/2018) and TRENDnet, Inc., https://www.ftc.gov/enforcement/cases-proceedings/122-3090/trendnet-inc-matter (last visited 1/15/2018), the companies were accused of neglecting to implement basic security monitoring processes, specifically receiving, addressing, or monitoring vulnerability reports. CLAIs can automate the threat and vulnerability monitoring process.

[6] “Terms of use are no less a part of ‘the product’ than are the size of the database and the speed with which the software compiles listings.” ProCD, Inc. v. Zeidenberg, 86 F.3d 1447, 1453 (7th Cir. 1996).

[7] The profile is rendered through a series of questions presented to the user. As the CLAI learns more about the user’s behavior, such as her interaction with other IoT devices, the risk tolerance profile is updated, which can impact future signaling events, such as increasing or decreasing their frequency. See also, the SPY Car Act https://www.blumenthal.senate.gov/imo/media/doc/SPY%20Car%20legislation%20BlumenthalMarkey%2020150721.pdf (last visited 1/15/2018). It seeks (among other things) to protect drivers from security and privacy risks through the development of a “cyber dashboard” rating system. The dashboard concept is representative of the actionable information principle, providing consumers with an efficient representation of information, in this case how well the vehicle protects the driver from cyber-related risks.