The Internet of Things (IoT) describes networks of physical objects that can transmit and share information over the internet. These devices include refrigerators, cars, home security devices. Such an Internet-connected device is likely to violate New Jersey privacy law.
New Jersey law does not incorporate resident privacy rights such as the California Consumer Privacy Act of 2018 (CCPA) or the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR). By contrast, New Jersey recognizes four related invasion of privacy torts. Common law privity in New Jersey is widely understood to cover four different types of plaintiff’s interests, bound together by a common name but having almost nothing in common. These include unreasonable interference (Hennessey Coastal v. Eagle Point Oil, 609 A.2d 11 (1992); misappropriation of another’s name or likeness (Faber v. Condo decor, 477 A.2d 1289 (1984); unwarranted advertising to private life (Smith v. Dalta, 164 A.3d 1110 (2017); and advertising that normally puts the other in the wrong light (Swan v. Boardwalk Regency, 407 N.J. Super. 108 (2009).
New Jersey courts have relied on the Restatement to interpret the elements necessary to give rise to the tortious type of invasion of privacy claim. Normally, a breach of privacy claim requires a showing that someone intentionally intruded on another’s privacy, where the intrusion would be highly offensive to a reasonable person.
New Jersey law also gives rise to protection of privacy rights. New Jersey courts have interpreted Article I, Sections 1 and 7 of the New Jersey State Constitution to provide for the right to privacy. As mentioned in State v. Reid, 945 A.2d 26 (2008), this right is broader than the Fourth Amendment of the United States Constitution. Additionally, Internet-connected devices may violate New Jersey privacy law (NJSA 2C:14-9 e) and federal privacy protections generally.
Search engines have recently been enabled to access information about internet-connected devices. More specifically, web search engines can now access data from large port scanners and integrate that data with data to allow them to discover devices connected to the internet, their locations, and their current users at any given time.
This internet device information combined with a nominal level of computer programming to enable unauthorized access to IoT devices. The two most common ways are using standard login credentials and brute force attacks of easily guessed password combinations. If successful, bad actors can hijack vulnerable IoT devices to create botnets to launch further attacks such as distributed denial of service (DDOS) attacks and identity theft.
In addition, internet device information has been used to redirect images and data of IoT home users, which involves the use of sensitive and untrusted security cameras and video doorbells such as Google Nest and Amazon Ring. Security cameras are typically installed on the outside of homes and are increasingly being installed inside homes, including bedrooms. Redirected images from home security cameras are used for sextortion. In such cases, emails purporting to contain compromising images of victims are used to extort money by threatening to publicly release private videos or nude photos if payment is not made.
Parents with young children often use IoT cameras as nanny cams to monitor activity in nurseries and playrooms. Internet device information can allow bad actors to infiltrate these devices to spy on and stalk children and their families.
Medical devices are often connected to the internet, thus becoming IoT devices. Smart watches with ECG sensors are now commonplace, as are wearable and at-home sensors that allow healthcare providers to monitor patients.
IoT privacy claims will increase as a result of the implementation of §2C:14-9 of Title 2C, NJ Stat. Ann. it makes it a crime to invade privacy when an actor exposes an individual’s private parts or images of an individual in the act of intercourse “without license … or privilege” (NJ Stat. Ann. §2C) :14-9(b)(1) )). This is especially true because taping, recording, or otherwise reproducing a photograph of a person in their underwear without consent is a further invasion of privacy and a criminal offense (NJ Stat. Ann. §2C:14-9(c)).[…todoso'(NJStatAnn§2C:14-9(b)(1))Thisisparticularlytruebecauseitisafurtherinvasionofprivacyandacriminalacttofilmrecordorotherwisereproduceanimageofapersoninundergarmentswithoutconsent(NJStatAnn§2C:14-9(c))[…todoso’(NJStatAnn§2C:14-9(b)(1))Thisisparticularlytruebecauseitisafurtherinvasionofprivacyandacriminalacttofilmrecordorotherwisereproduceanimageofapersoninundergarmentswithoutconsent(NJStatAnn§2C:14-9(c))
Additionally, recording a person having sex without consent is also a crime under the statute (NJ Stat. Ann. §2C:14-9(d)). The law was intended, in part, to prevent unauthorized viewing or photographing of individuals in locker rooms (see generally, NJ Stat. Ann §2C:14-9). All of these could be the result of IoT.
New Jersey statutes also target criminal computer activity (see §2C:20-25 of NJ Stat. Ann. Title 2C). A person is guilty of computer criminal activity intentionally or knowingly and without authorization or in excess of authorization.
In addition, enforcement of federal law will likely result in privacy violations by the IoT. More specifically, existing federal privacy legislation regarding the Internet of Things, including the Fair Credit Reporting Act, 15 USC § 1681 et seq. (2012). Children’s Online Privacy Protection Act, 15 USCA § 6502 (2012) and the Health Insurance Portability and Accountability Act, 42 USC § 300gg (2012). Each law regulates privacy in a separate category.
For example, the Children’s Online Privacy Protection Act applies to the collection of information from children using the Internet. It states, in part, that it is unlawful for the operator of a website or online service directed at children, or any operator who has actual knowledge that it is collecting personal information from a child, to unlawfully collect personal information from a child. established rules. IoT-related child webcam apps may already be in violation of New Jersey and federal law.
Jonathan Bick Brach is of counsel at Eichler in Roseland and chair of the firm’s patent, intellectual property and information technology group. He is also an adjunct professor at Pace and Rutgers law schools.