TABLE OF CONTENTS INTRODUCTION 81 I. THE INTERNET OF (HUMAN) THINGS: DEFINING THE "INTERNET OF 89 BODIES" A. Three Generations of IoB 91 1. First-Generation IoB: Body External 94 2. Second-Generation IoB: Body Internal 103 3. Third-Generation IoB: Body Melded 112 B. The "Legacy Code" of IoT 115 1. The Better with Bacon Problem: Gratuitous Internet 116 Connectivity 2. The Magic Gadget Problem: Failing to Anticipate Failure 118 3. The Builder Bias Problem: Shipping Without Securing 121 4. The Mandatory Soup Problem: Diminishing Market Choice and 124 Obsolescence Through Adhesion C. The Future of Corporate Software Liability and IoB 129 1. Regulatory Agencies 130 a. FDA 130 b. FTC 133 c. CPSC 135 d. CFPB 136 e. FCC 137 2. Tort 138 3. Contracts 143 a. EULAs 144 b. Criminal Law and the Third-Party Doctrine 147 4. Intellectual Property 148 a. Patent 148 b. Copyright 151 5. Secured Transactions and Bankruptcy 153 II. KANTIAN HEAUTONOMY 156 A. Why Autonomy Fails with IoB 156 1. Owned Bodies Versus Pwned Bodies 157 2. Autonomy Versus Heautonomy 159 B. Humanity--Bug or Feature? 165 CONCLUSION: THE (CYBER)PANCREAS AND THE PANOPTICON 167 INTRODUCTION
"[F]reedom of thought... is the matrix, the indispensable condition, of nearly every other form of freedom." --J. Benjamin Cardozo. (1) "This is your last chance. After this, there is no turning back. You take the blue pill--the story ends, you wake up in your bed and believe whatever you want to believe. You take the red pill--you stay in Wonderland and I show you how deep the rabbit-hole goes.... Remember... all I'm offering is the truth. Nothing more." --Morpheus, The Matrix. (2) We are building an "Internet of Bodies"--a hybrid society where computer code and human corpora blend and where the human body is the new technology platform. In November 2017, the Federal Drug Administration (FDA) approved the first use of a "digital pill" (3) that communicates from inside the patient's stomach through sensors, (4) a smartphone, (5) and the Internet. (6) A year earlier, the FDA approved the first artificial pancreas--a device for Type 1 diabetics that is hard-wired into patients' bodies and relies on software to calibrate insulin levels on an ongoing basis. (7)
These FDA approvals are a harbinger of the next generation of innovation, one that merges the Internet of Things (8) and artificial intelligence with the human body. This "platformization" of the body holds great promise: it is already leading to groundbreaking changes in healthcare and in lifestyle convenience. (9) However, using the human body as a platform also introduces new categories of possible harm to the confidentiality, integrity, and availability of the bodies used as part of the hardware. (10)
Three months prior to the digital pill's approval, in August 2017, the FDA issued a safety communication warning patients with a particular implanted pacemaker that they should visit their doctors immediately for a firmware (11) update. (12) The notice warned patients that a potentially serious security vulnerability in the code of their embedded medical device might enable a third-party attacker to compromise their pacemaker system and potentially physically harm them. (13) This communication marked a critical moment in the history of innovation: it was the first FDA recall of a device solely for an information security issue. (14)
The August 2017 pacemaker security recall was not, however, the first time that computer code put human bodies at risk of physical harm and death. (15) Indeed, a year prior, a patient's heart surgery had been unexpectedly interrupted"' for five minutes (17) when one of the Internet-enabled machines attached to the patient's body crashed. (18) The machine had unexpectedly performed an anti-malware scan in the middle of the operation (19) and locked up the human interface--the interface upon which the surgeons were relying to keep the patient alive. (20)
This creeping merger of bodies with bits and bytes is also not limited to medical contexts. Employers are throwing "chip[ping] part[ies]," (21) embedding their employees' bodies with chips (22) that connect with other devices (23) and transmit information (24) from employees' bodies. (25) Trucking companies sometimes now expect their drivers to wear clothing or devices that monitor location and alertness (26) and (ostensibly) "improve" (27) job performance. (28) Manufacturers of "brain sensing" (29) Internet-enabled headbands (30) encourage "professionals" to use the device to monitor a "client's" (31) brain sensations (32) in real time. (33) Simultaneously, these same companies might encourage consumers to use the headbands (34) to facilitate "meditation," (35) and developers to build out games and other applications incorporating brain data. (36) Other brain sensing headbands are appearing in classrooms, signaling to teachers and remote parents when children are (allegedly) paying attention in class. (37) Meanwhile, consumers are donning augmented reality devices in gaming, (38) and they are purchasing clothes (39) and accessories (40) that connect their bodies to the Internet, sharing corporeal information about themselves in real time. (41) Some consumers are even recreationally implanting chips into their bodies for the sake of convenience, (42) allowing their bodies to perform some of the tasks their phones do now. (43) In short, we are experiencing a creeping transformation where human bodies themselves are becoming connected to and sometimes reliant upon software, hardware, and the Internet for portions of their "default" functionality. This is the Internet of Bodies.
In addition to transforming individual bodies, (44) these Internet of Bodies devices also introduce a new level of peril for society in the aggregate. For the first time in our civilization, computer code will be able to physically damage (civilian) human bodies at scale. In other words, particularly as artificial intelligence becomes incorporated into the Internet of Bodies, the confidentiality, integrity, and availability of some human bodies will inevitably become compromised due to flawed and vulnerable software, either individually or en masse: the security compromises that plague our networks, devices, and databases today will shift inside (and physically damage) the human body tomorrow. Yet, the law is currently unprepared to address these harms and the social transformation that the Internet of Bodies will occasion.
This Article introduces and explains this (already happening) progression of the Internet of Things or "IoT" into the Internet of Bodies or "IoB." (45) As the "meatware" (46) of human bodies blends with software, hardware, and related technologies (47) in the Internet of Bodies era, jurists, legislators, and scholars will be faced with a dual IoB legal challenge. First, they will need to address the unresolved policy and legal quandaries presented by the Internet of Things. Second, they will face a formidable challenge in addressing what a programmer might call the legal "legacy code" (48) problem of software liability more broadly. Just as companies struggle to address the "technical debt" (49) of their systems, the law now faces a somewhat parallel "legal technical debt" challenge. Multiple traditional bodies of law have failed to meaningfully update themselves across time to effectively address changing technology circumstances. As a consequence, resolving this "legal technical debt" will be doctrinally buggy as courts and regulators seek to redress and mitigate bodily harms caused by computer code: crafting suitable methods of redress for both physical and economic IoB harms will implicate a series of sometimes conflicting policy concerns.
Part I introduces the progression of IoT into IoB. Explaining three discrete generations of IoB--body external, body internal, and body melded--Part I locates our current social reality in this progression at stage two--body internal. Yet, using patent filings to reveal expected innovation, Part I argues that late second-generation body internal and early third-generation body melded technologies are already being actively developed. Next, Part I articulates four legacy problems of IoT that will impact the nature of future harms caused by IoB--the "better with bacon" problem of gratuitous Internet reliance and connection, the "builder bias" problem of extreme levels of known (but uncorrected) security vulnerability, the "magic gadget" problem of failing to anticipate failure, and the "mandatory soup" problem of diminishing consumer options for self-help. Part I then presents five areas of law where conflicts over IoB will be most pronounced--guidance from regulatory agencies, contracts, tort, intellectual property, and secured transactions and bankruptcy. Finally, Part I offers concrete approaches for building short term innovation-sensitive legal structures of IoB consumer protection.
Part II then expands on the critical difference between IoB and IoT: IoB's propensity to physically damage human bodies and minds. IoB presents the specter not only of negative consequences with respect to physical and psychological autonomy--in a Kantian sense--but also, even more fundamentally, third-generation IoB threatens to potentially erode Kantian heautonomy--the necessary precursor to autonomy. For these reasons, Part II argues that the touchstone for all regulation of IoB must be the safeguarding of heautonomy. Part II concludes by asking an uncomfortable theoretical question about our underlying assumptions regarding the human body: should the law assume the body to be a "bug" or a "feature"? The companion essay to this Article, The Internet of Latour's Things, grapples with the question of whether future law will view the corporeality of the human body as worthy of preservation (or elimination) in a society full of IoB bodies. Part III concludes.
THE INTERNET OF (HUMAN) THINGS: DEFINING THE "INTERNET OF...