Covington CleanEquity Conversations: AI and IoT – Benefits, Risks, and the Role of Regulation.

On March 8-9, 2018, a bespoke group of approximately 200 leading entrepreneurs, investors and advisors focused on deploying and commercializing cutting edge technologies gathered in Monte Carlo from across the globe for the 11th annual CleanEquity® Monaco Conference.  Complementing other plenary sessions and emerging company presentations, the conference initiated a new feature — Covington CleanEquity Conversations — intended to capture and memorialise the unique thought leadership opportunity presented by the gathering in Monaco. On the first day, conference participants separated into three breakout groups for Chatham House Rule discussions curated by partners from the international law firm Covington & Burling LLP of three critical issues confronting cleantech deployment and commercialisation:

  • AI and IoT – Benefits, Risks, and the Role of Regulation
  • Sustainability – What goals should businesses prioritise and what are the right metrics?
  • Will market driven innovation alone save us from climate change?

On the second day, the Covington team reported during the conference’s final plenary session key takeaways from the three breakout group discussions.  Covington and CleanEquity organizer and specialist investment bank, Innovator Capital, are pleased to share brief summaries of the thought leadership developed by the proceedings of conference participants on each of the three topics.

________________________________________________________

AI and IoT –  Benefits, Risks, and the Role of Regulation

  • Rapid evolution and proliferation of artificial intelligence and the Internet of Things holds tremendous promise for dramatic, transformational efficiency gains in nearly every industry.
  • At the same time these technologies present risks of massive employment disruption, losses of privacy and yielding of human free will to decisions made by algorithms and machines.

In a session led by Covington’s Corporate Partner Simon Amies, conference participants examined these propositions and then considered two questions:  Where should regulation step in?  Can regulation be effective to manage the risks without diminishing the benefits?

The Benefits

There was universal agreement that evolution and proliferation in AI and the Internet of Things have the potential to bring transformational efficiency gains across virtually all sectors of industry.  AI has already transformed business models in the technology sector through the deployment of sophisticated algorithms to process vast quantities of data, and machine learning and automation are already being utilized on a large scale in other areas of industry, revolutionizing processes and delivering significant efficiency gains.

A number of the presenting companies noted that artificial intelligence already plays a pivotal role in their businesses, with some utilizing the technology at the heart of their business model — one company uses its machine learning system to manage and optimize grid operations — and others use AI as a tool to enhance research and refine product development.  One participant flagged the fundamental change to supply chain dynamics and manufacturing processes with the emergence of the smart factory in the Industry 4.0 model, leading to increased efficiency, reduced costs and maximization of resources.  Mass-customisation of lower-cost goods manufactured to order in close proximity to the market bring reduced shipping costs and lead times.

The Risks

But as often happens with the adoption of disruptive technology, new and often unforeseen risks and challenges emerge.

One participant noted concerns surrounding access to, control and ownership of personal data in the field of healthcare with the focus on development of personalized and precision medicines.  Another flagged how personal data could be used by employers to make hiring decisions or by insurers to price auto or life policies, but without explicit consent from the individuals.

One participant pointed to the safety and security concerns of having automated intelligent systems replace humans at the controls of cars and other machines and equipment.  In the case of the autonomous vehicle, who is responsible in the event of an accident where the system makes a conscious decision which turns out to be the wrong one, causing a fatality?  Another participant identified the risks of malicious attackers disrupting or asserting control of systems run by AI and IoT, whether on an industrial scale or on a micro level seeking to take advantage of one individual.

The threat of AI and IoT to jobs was also highlighted.  Many jobs that have kept the workforce occupied for generations could become redundant almost overnight as businesses look to adopt technologies that bring gains in efficiency and productivity and at the same time reduce labour costs.  The labour market is predicted to encounter massive change of a scale not seen since the Industrial Revolution which will have consequent effects on wealth inequality and potentially global stability. While governments and policy makers are likely to take steps to protect jobs, there will be increasing demand for skilled technicians capable of supporting digital capabilities.

The Role of Regulation

The discussion then focused on the two key questions of (a) where should regulation step in and (b) can regulation be effective to manage the risks without diminishing the benefits?

The first observation was that against the backdrop of recent high profile data breaches and the imminent deadline for implementation of the EU’s General Data Protection Regulation, regulation is appropriate and has an important role in managing the risks presented by AI and IoT.  Data privacy legislation has continually evolved since the emergence of the internet, adapting and reacting to the challenges associated with mass collection, use and storage of personal data to ensure privacy, security and transparency.  Privacy laws already apply to AI systems that process personal data, which means new systems need to be designed adhering to these standards where applicable.

One participant commented that it should not be left to the law-makers to ensure risks are adequately legislated against. There is also a role for participants in the market, particularly large corporations, to ensure responsible and fair practices are followed through the adoption of codes of best practice reflecting key ethical principles.  It was noted that Microsoft had established six ethical principles to guide the development and use of artificial intelligence — AI systems should be fair, reliable and safe, private and secure, inclusive, transparent, and accountable.[1]

In discussing the risks of autonomous vehicles, one participant noted that current product liability laws would apply, meaning that claims may exist where loss is caused by a vehicle that is found to be defective or unsafe.  It is likely that these laws will evolve to clarify where responsibility lies, and manufacturers and insurers will look to law-makers to set down standards on how autonomous systems that control driverless vehicles should operate in specific situations rather than make these decisions for themselves.

It was noted that the adoption of standards and regulations for AI and IoT would need to be consistent and coordinated on a global level.  International policy-makers such as the Organisation for Economic Co-operation and Development will need to develop standards that will be accepted universally.  With an increasingly fierce arms-race developing between developed nations to be the economic leader in AI and IoT, this will be challenging.

The final point tackled by the group was the need for employment laws to evolve to recognize the changes in employment practices that are likely to flow from the move to automated systems.  Current employment laws are based around the model of employers employing workers at specific worksites, whereas people are increasingly engaged through remote, part-time or project-based work.  As jobs are displaced through adoption of AI and IoT, new skilled roles will be created to develop, monitor and manage the new systems.  Governments will have an important role in ensuring that the education curriculum adapts to ensure students acquire the necessary skills required to support digital capabilities.

[1] Microsoft. 2018. The Future Computed – Artificial Intelligence and its role in societyhttps://blogs.microsoft.com/uploads/2018/02/The-Future-Computed_2.8.18.pdf

IoT Update: China Releases National Automatic Vehicle Road Testing Rules

In April 2018, China released its nationwide automatic vehicle road testing rules, the Intelligent Internet-connected Vehicles Road Test Administrative Rules (for Trial Implementation) (the “National Rules”), which took effect on May 1, 2018. “Intelligent Internet-connected vehicles,” as defined under the National Rules, are commonly referred to as “intelligent vehicles” or “autonomous vehicles,” which involve a system of advanced sensors, controllers, actuators, etc. that may ultimately become a substitute for human drivers. The National Rules governs three categories of autonomous vehicles depending on the level of automation and human interaction required, i.e., conditional automation, high-level automation and full automation.

Prior to the release of the national Rules, selected Chinese cities including Beijing, Shanghai, Baoding and Chongqing had already implemented their own respective local road test rules for autonomous vehicles, and Shenzhen’s local proposals were at public consultation phase. The National Rules are largely consistent with the already existing various local rules, and provide an example for additional local governments to formulate their own detailed implementation rules. Continue Reading

IoT Update: Will California’s New Autonomous Vehicles Regulations Provide a Roadmap for a National Regulatory Framework on Driverless Cars?

On April 6th, the California Public Utilities Commission (CPUC) issued a Proposed Decision authorizing pilot testing for autonomous vehicles (AVs) in California. This action follows up on the California DMV’s permitting rules for AVs in California, which would have allowed driverless testing and deployment permits to issue as early as April 2 of this year. The DMV’s action was big news when it broke at the end of February; it meant that AVs could be deployed without any human in the vehicle. Now, the CPUC has proposed a pilot to allow the use of driverless test vehicles with passengers inside as soon as this summer.

While shared and electric mobility has already been deployed at scale, the road ahead for autonomy is still evolving. California is working to tackle this third pillar, and prior to the CPUC’s Proposed Decision, companies like Uber and GM Cruise had urged the Commission to move forward to enable the use of AVs for passenger transportation under existing regulatory frameworks. Lyft encouraged the Commission to address AVs in a rulemaking, noting that it “ma[de] little sense” to wait for Congress to act, or to “scramble” to regulate after AVs are already deployed en masse.

But now that the Proposed Decision has been published, stakeholders need to make sense of it.

Continue Reading

Covington IoT Update: U.S. Legislative Roundup on IoT

As policymakers weigh the many policy implications associated with the Internet of Things (“IoT”), U.S. lawmakers have put forward a variety of proposals for studying—and regulating—IoT devices. Although the likelihood of current proposals becoming law this term remain uncertain at best, existing legislative proposals provide important context and insight into the ways that lawmakers view IoT and the government’s role in fostering and regulating the technology.

Below, we summarize five draft bills in the U.S. that approach IoT from different perspectives—including seeking to develop IoT technologies, imposing contractual requirements on companies that provide IoT devices to the government, regulating specific security standards, and creating new resources for consumers to better understand the security and reliability of their IoT devices.

Developing Innovation and Growing the Internet of Things (“DIGIT”) Act

The DIGIT Act was introduced in the Senate (S. 88) and the House (H.R. 686) in January 2017 to foster the development of IoT technologies. The Act was passed by the Senate in August 2017 on a voice vote, but has stalled in the House. The measure would direct the Secretary of Commerce to convene a “working group of Federal stakeholders” to create recommendations and a report to Congress on IoT. The working group would:

  • Identify any federal regulations, statutes, grant practices, budgetary or jurisdiction challenges, and other sector-specific policies that are inhibiting or could inhibit the development of IoT;
  • Consider policies or programs to improve federal agency coordination on IoT;
  • Consider any findings or recommendations made by a new steering committee (described below) and act to implement those recommendations where appropriate; and
  • Examine how federal agencies can benefit from, currently use, and are prepared to adopt IoT, including any additional security measures that may be needed for IoT adoption by the federal government.
  • The Act would also create a new steering committee of non-federal-government representatives, tasked with advising the working group about issues including the availability of adequate spectrum, international proceedings relating to IoT, and policies and programs affecting individual privacy and critical infrastructure protection.

The DIGIT Act also would require the Federal Communications Commission (“FCC”), in consultation with the National Telecommunications and Information Administration (“NTIA”), to issue a notice of inquiry seeking public comment on current and future spectrum needs relating to the IoT, including regulatory barriers to necessary spectrum, the role of licensed and unlicensed spectrum in the IoT, and whether adequate spectrum is currently available.

Internet of Things Cybersecurity Improvement Act of 2017

This bill focuses on IoT devices purchased by the U.S. Government—and mandates specific contractual provisions agencies are to include in any contract for such devices. It was introduced in the Senate (S. 1691) in August 2017.

The measure requires the Director of the Office of Management and Budget (“OMB”) to issue guidelines with specific contractual clauses for each executive agency to require in contracts for the acquisition of internet-connected devices. These contractual provisions would require:

  • Written certification by the contractor that the device:
    • does not contain any known security vulnerability or defect;
    • relies on software capable of being updated by the vendor;
    • uses only non-deprecated industry standard protocols for communication, encryption, and internet connection; and
    • does not contain fixed or hard-coded credentials used for remote administration.
  • Notification by the contractor to the purchasing agency of any known vulnerabilities or defects subsequently disclosed or discovered;
  • The device to be updated or replaced to allow for patches or repair;
  • The provision of repair or a replacement device in a timely manner with respect to any new vulnerability discovered (if it cannot be patched or remediated); and
  • The provision of information about how the device receives security updates, the timeline for ending security support, formal notice when security support has ceased, and other information recommended by the NTIA.

The bill provides exceptions for devices with limited data processing and functionality where security would be “unfeasible” or “economically impractical.” In certain cases, it also allows agencies to rely on compliance with existing third-party or agency security standards in lieu of these requirements, when the other standards provide an equivalent level of security.

Securing the IoT Act of 2017

This measure, introduced in the House in March 2017 (H.R. 1324), is a targeted bill that would require the FCC to establish cybersecurity standards that radio frequency equipment must meet throughout its lifecycle (design, installation, and retirement) in order to be certified under the FCC’s technical standards for equipment authorization.

Cyber Shield Act of 2017

This consumer-focused bill, introduced in the House (H.R. 4163) and Senate (S. 2020) in October 2017, would create a voluntary labeling and “grading” system for IoT devices. Specifically, it directs the Secretary of Commerce to establish a voluntary program to “identify and certify covered products with superior cybersecurity and data security through voluntary certification and labeling.” Under this program, products may be given grades that “display the extent to which a product meets the industry-leading cybersecurity and data security benchmarks.”

As part of the program, the Secretary of Commerce is also directed to establish and maintain cybersecurity and data security benchmarks, by convening and consulting interested parties and federal agencies.

The IOT Consumer Tips to Improve Personal Security Act of 2017

This consumer-focused measure, introduced in the Senate in December 2017 (S. 2234) would require the Federal Trade Commission to develop cybersecurity resources for consumer education and awareness regarding the purchase and use of IoT devices. These resources are to be technology-neutral and are to include guidance, best practices, and advice for consumers to protect against, mitigate, and recover from cybersecurity threats or security vulnerabilities.

Covington Artificial Intelligence Update: European Commission Publishes Communication on Artificial Intelligence for Europe

On April 25, 2018, the European Commission (EC) published its “Artificial Intelligence for Europe” communication (the Communication), in which it sets out a roadmap for its AI initiatives. Having acknowledged the crucial need for a boost of AI in the EU, the EC commits to supporting investment, (re)considering legislation and soft law initiatives, and coordinating Member States’ efforts. This blog post highlights some of the EC’s initiatives. Continue Reading

Covington IoT Update: Mobile Phone Manufacturer Settles with FTC Over Allegations that Its Vendor Collected Personal Data without Consent

Mobile phone manufacturer BLU Products, Inc. entered into a settlement agreement with the FTC last week to resolve allegations that one of BLU’s China-based vendors collected personal information about its consumers without proper consent.

The settlement agreement, which took the form of a consent order, applies not only to BLU but also to its CEO and any other companies he owns and controls.  It requires that the company clarify its disclosures regarding customer Continue Reading

U.S. Patent and Trademark Office Releases Memorandum on Recent Subject Matter Eligibility Decisions

On April 2, 2018, the U.S. Patent and Trademark Office released a memorandum to the Patent Examining Corps regarding recent subject matter eligibility decisions issued by the Federal Circuit. The memorandum discusses two recent decisions that found claims that improve computer technology are directed to patent-eligible subject matter rather than to an ineligible abstract idea. The memorandum and decisions are instructive for practitioners who draft patent applications, confront subject matter eligibility challenges or respond to USPTO rejections under 35 U.S.C. § 101.

In Finjan, Inc. v. Blue Coat Systems, Inc., 879 F.3d 1299 (Fed. Cir. 2018), the Court (Dyk, Linn, Hughes) found no error in the district court’s subject matter eligibility determination and unanimously held that the claims were patent-eligible under § 101 because they improved computer technology by protecting users against previously unknown viruses and enabled more flexible virus filtering. The invention recited specific steps to accomplish the desired result, and was a non-abstract improvement over traditional computer functionality and virus scanning techniques which only recognized the presence of previously-identified viruses.

Relying on recent Federal Circuit precedent, the Court stated that in cases involving software inventions, the inquiry into whether the claims are directed to an abstract idea often turns on whether the claims focus on a specific asserted improvement in computer capabilities. The claims at issue in Finjan are directed to a method of providing computer security by scanning a downloadable program for suspicious code such as viruses, and attaching the results of the scan to the downloadable program in the form of a security profile. The Court adopted a district court claim construction in finding that the behavior-based virus scan approach improved computer functionality because it determines whether the program performs hostile or potentially hostile operations.

Continue Reading

Covington Artificial Intelligence Update: House of Lords Select Committee publishes report on the future of AI in the UK

Reflecting evidence from 280 witnesses from the government, academia and industry, and nine months of investigation, the UK House of Lords Select Committee on Artificial Intelligence published its report “AI in the UK: ready, willing and able?” on April 16, 2018 (the Report). The Report considers the future of AI in the UK, from perceived opportunities to risks and challenges. In addition to scoping the legal and regulatory landscape, the Report considers the role of AI in a social and economic context, and proposes a set of ethical guidelines. This blog post sets out those ethical guidelines and summarises some of the key features of the Report. Continue Reading

Covington Internet of Things Update: CPSC to Consider Safety of IoT Products

Recently, the U.S. Consumer Product Safety Commission (“CPSC”) issued a Public Notice announcing that it will be conducting a hearing on May 16, 2018 to receive information from all interested parties about potential safety issues and hazards associated with Internet-connected consumer products.

Continue Reading

Covington Internet of Things Update: The FCC Gets Ready for 5G Spectrum Auctions

As we explained in a prior post, 5G deployment will be a critical component to the ever-evolving Internet of Things (IoT). On April 17, the Federal Communications Commission (FCC) adopted a Public Notice seeking comment on the competitive bidding procedures for auctions involving spectrum in the 28GHz and 24 GHz bands. The auction of 28 GHz spectrum will begin on November 14, with the 24 GHz auction following after that. But what does this mean, and why is it important?

For those new to the world of FCC Auctions, a Comment Public Notice, such as the one just released, seeks input on the application process for the auctions and the procedures to be used while bidding. It is similar in form to a Notice of Proposed Rulemaking, in which the FCC seeks comments on a proposal and asks a variety of questions. After the comment and reply comment deadlines pass (May 9 and May 23, respectively), the FCC will take into consideration the input on the record. Next, the FCC will release a Procedures Public Notice, akin to an Order, that will lay out the rules that will be in force for the auction. The FCC will also announce the application windows to participate in the auction, and interested parties will apply to participate. This will all take place before the start of bidding in November. Continue Reading

LexBlog