The Internet of Things Likely Triggers NJ Privacy Violations
December 12, 2022 New Jersey Law Journal
Jonathan Bick is counsel at Brach Eichler in Roseland, and chairman of the firm’s patent, intellectual property and information technology group. He is also an adjunct professor at Pace and Rutgers law schools.
The Internet of Things (IoT) describes the networks of physical objects that are capable of communicating and sharing information via the internet. These devices include refrigerators, cars, and home security devices, to mention a few. Such internet-connected devices are likely to violate New Jersey privacy law.
New Jersey law does not consolidate residents’ privacy rights as does the California Consumer Privacy Act of 2018 (CCPA) or the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). Rather, New Jersey recognizes four related invasion of privacy torts. The common law of privacy in New Jersey is widely understood to comprise four distinct kinds of invasion of four different interests of a plaintiff, tied together by a common name, but otherwise having almost nothing in common. These include unreasonable intrusion (Hennessey v. Coastal Eagle Point Oil, 609 A.2d 11 (1992)); appropriation of the other’s name or likeness (Faber v. Condecor, 477 A.2d 1289 (1984)); unreasonable publicity given to one’s private life (Smith v. Dalta, 164 A.3d 1110 (2017)); and publicity that normally places the other in a false light (Swan v. Boardwalk Regency, 407 N.J. Super. 108 (2009)).
New Jersey courts have relied on the restatement for interpreting the elements necessary to give rise to an intrusion upon seclusion type of privacy claim. Normally, a violation of privacy claim requires a showing that someone intentionally intruded upon the seclusion of another, where the intrusion would be highly offensive to a reasonable person.
New Jersey statutes also give rise to privacy rights protection. New Jersey courts have interpreted the New Jersey State Constitution Article I, Paragraphs 1 and 7 to provide a right to privacy. As noted in State v. Reid, 945 A.2d 26 (2008) this right is broader than the Fourth Amendment of the U.S. Constitution. More on point, internet-connected devices may violate the New Jersey invasion of privacy statute (N.J.S.A. 2C:14-9 e) specifically, and federal privacy protections generally.
Search engines have recently been enabled to access information concerning devices that are connected to the internet. More precisely, internet search engines may now access data from large port scanners and integrate that data with other data, enabling them to detect devices that are connected to the internet at any given time, the locations of those devices and their current users.
This internet device information, in combination with a nominal level of computer programming, enables unauthorized access to IoT devices. The two most common ways are the use of default login credentials and brute-force attacks of easy-to-guess password combinations. If successful, bad actors are able to take over vulnerable IoT devices to create a botnet to commit further attacks, such as distributed denial-of-service (DDoS) attacks and identity theft.
Additionally, the internet device information has been used to re-route images and data from IoT home users that involve the use of vulnerable and insecure security cameras and video doorbells, such as Google Nest and Amazon Ring. Security cameras are typically installed on the outside of homes and are increasingly being installed inside homes, including bedrooms. Re-routed images from home security cameras are used for sextortion. In such a case, emails purportedly having compromising footage of victims are used to extort money with the threat to release the private video or nude photos to the public if payment is not made.
Parents with small children often use IoT cameras as nanny cams to observe activity in nurseries and playrooms. Internet device information may allow bad actors to infiltrate these devices to spy on and harass children and their families.
Medical devices are often connected to the internet and thus become IoT devices. Smartwatches featuring ECG sensors are now commonplace, as are wearable and in-home sensors to enable health care professionals to monitor the condition of patients.
IoT privacy claims will likely rise as a result of applying §2C:14-9 of Title 2C of the N.J. Stat. Ann. which makes an invasion of privacy a criminal act where the actor exposes the intimate parts of an individual or images of a person in the act of sexual contact without ‘license … or privilege[… to do so’ (N.J. Stat. Ann. §2C:14-9(b)(1)). This is particularly true because it is a further invasion of privacy and a criminal act to film, record, or otherwise reproduce an image of a person in undergarments without consent (N.J. Stat. Ann. §2C:14-9(c)).
Furthermore, the recording of a person engaged in sexual contact without consent is also criminal conduct under the statute (N.J. Stat. Ann. §2C:14-9(d)). The law was, in part, targeted to unauthorized viewing or photographing persons in dressing rooms (see generally N.J. Stat. Ann. §2C:14-9). All of which is likely to result from IoT.
New Jersey statutes also target criminal computer activity (see §2C:20-25 of Title 2C of the N.J. Stat. Ann.). A person is guilty of computer criminal activity if the person purposely or knowingly and without authorization, or in excess of authorization.
Additionally, the application of federal law will likely result in a privacy violation by IoT. More specifically, existing federal privacy legislation is applicable to the IoT, including the Fair Credit Reporting Act, 15 U.S.C. § 1681 et seq. (2012), the Children’s Online Privacy Protection Act, 15 U.S.C.A. § 6502 (2012) and the Health Insurance Portability and Accountability Act, 42 U.S.C. § 300gg (2012). Each statute governs privacy in a separate category.
For example, the Children’s Online Privacy Protection Act applies to the collection of information from children using the internet. It states in part that it is unlawful for an operator of a website or online service directed to children, or any operator that has actual knowledge that it is collecting personal information from a child, to collect personal information from a child in a manner that violates the regulations prescribed. Child internet camera programs associated with IoT may already have violated New Jersey and federal law.