Rebooting Cybertorts For The Internet of Things

Harvard Law School has a proud history of being at the forefront of progressive tort law. Chief Justice Lemuel Shaw, who studied law at Harvard College, authored the landmark decision of Brown v. Kendall in 1850, the first judicial opinion to recognize negligence.

Oliver Wendell Holmes Jr. studied law at Harvard at a time when tort law was an incoherent ragbag of miscellaneous wrongs still shaped by the writ of trespass. Holmes’ 1873 book, The Theory of Torts, revolutionized tort law by breaking civil wrongs into the triad of negligence, strict liability, and intentional torts. This division is now taught in every law school in the country.

Louis Brandeis, who was first in his class at Harvard Law School, along with his law partner Samuel Warren, who ranked second, fashioned the privacy-based torts in their famous 1890 Harvard Law Review article, “The Right to Privacy.”

Ralph Nader published the first article about designed-in dangers of automobiles in the Harvard Law Record, drawing upon a paper he had written for a law and medicine seminar. A few years later, Nader’s book Unsafe at Any Speed jump-started the field of strict products liability.

Today, we need a new generation of civil justice architects to reboot cybertort law for the Internet of Things.

When we were growing up in the late 1950s and early 1960s, radio announcers predicted the number of crash fatalities before each Labor Day and Memorial Day weekend. Americans were told to “drive carefully,” to “look out for the other guy,” and to avoid “the nut behind the wheel.” The focus of accident prevention was on the drunk or distracted driver rather than on defective cars or badly designed highways. We were deeply impressed by the dark magic used by statisticians to accurately predict the number of fatalities. It never occurred to us, or to the radio announcers, that cars and highways had designed-in dangers.

Fifty-one years ago, Ralph Nader documented that GMC and other companies did not include safety features, such as seat belts, shatterproof windshields, and breakaway steering columns, because the manufacturers believed that consumers did not care about crashworthiness. Nader exposed the fact that American automobiles contained hidden hazards, such as the lightweight, rear-engineered Corvair automobile that “would suddenly lurch off the road” because of its defective swing-axle suspension.

Before Nader raised public awareness that much of the highway carnage was unnecessary, the American automobile industry was not held legally accountable for the costs of excessive preventable danger in their vehicles. Manufacturers disclaimed warranties and hid behind the harsh privity doctrine. The field of strict products liability gave consumers the right to recover for injuries caused by dangerously defective automobiles, such as the American Motor’s CJ-7 Jeeps, the rollover prone Ford Explorers, and the notoriously flammable Ford Pintos.

In our 2002 book, In Defense of Tort Law, we made the rosy prediction that new Internet torts to protect consumers in cyberspace were on the horizon. We were mistaken. Today, the field of cybertorts is largely limited to intentional torts without negligence or strict liability causes of action. Cybertorts have been blocked by Section 230 of the Communications Decency Act, which gives websites a liability shield against torts that arise out of third party postings. Contract law is cannibalizing cybertort remedies for consumers whose privacy is often invaded by inadequate Internet or computer security. The software industry uses one-sided license agreements to reallocate the cost of defectively designed code to end users.

Consumers seeking redress for cyberspace harms are stymied by the U.S. Supreme Court’s validation of excessively pro-provider terms of use (TOU) that mandate predispute arbitration and anti-class action waivers. Online businesses routinely employ TOU to redirect consumer lawsuits away from state and federal courts into non-public tribunals, in which privately hired judges decide cases without precedents and with almost no grounds for appeal.

Under predispute forced arbitration, the website owner determines the arbitral provider and selects the rules that govern disputes with consumers. Liability limiting clauses are located deep within TOU “agreements” so users almost never notice them. Even if they are read, the TOU are composed of unnecessarily complex terminology, which is often drafted at the comprehension level of a typical college graduate.

In this dystopian legal world, consumers must waive their constitutional right to a jury trial and the right of appeal by clicking “yes” to these “take-it-or-leave it” terms of use. The users of social networking websites commonly acquiesce to anti-class action waivers, damage caps, shortened statutes of limitations, “loser pays” rules, and choice-of-forum clauses that are buried thousands of words deep in a poorly indexed boilerplate. American users of social networks are astonished to learn that they may have agreed to litigate in Mumbai, Hong Kong, or the People’s Republic of China.

In his 1936 book, Ideology and Utopia, sociologist Karl Mannheim argues that thoughts and beliefs, including judicial ideologies, derive from differences in social location.  The social location for most Supreme Court justices reflects their judicial decisions favoring corporate elites. Chief Justice Roberts represented a who’s who of corporate America when he served as a partner in D.C.’s Hogan and Hartson. Senator Elizabeth Warren, who taught at Harvard, cites a study by Epstein, Posner and Landes which found that five of the current Justices sitting on the Supreme Court are in the top ten of the most pro-corporate justices since 1946. Justices Alito and Roberts, appointed by George W. Bush, ranked number one and two as the most anti-consumer justices.

The Roberts Court has been the driving force behind creating this alternative legal universe through their decisions upholding anti-class action waivers and predispute mandatory arbitration. The Court has allowed service providers to cripple tort rights by upholding even the most one-sided predispute clauses and anti-class action waivers. In a 5-4 decision, AT&T Mobility v. Concepcion, the Supreme Court held that the Federal Arbitration Act (FAA) preempts the use of state unconscionability law. Courts had turned to unconscionability to declare some class action waivers unenforceable. In the 2013 case of American Express v. Italian Colors Restaurant, the Supreme Court rejected another challenge to the enforceability of arbitration agreements under the FAA, holding that a contractual waiver of class arbitration is enforceable even if the cost of arbitration exceeds the potential recovery.

This unbalanced cybertort jurisprudence has the effect of padlocking the courthouse door to most Internet-related injuries. After Concepcion and Italian Colors, expect even more one-sided consumer arbitration agreements. Such TOU would be rejected in the European Union, which gives consumers the right to pursue justice in their home courts.[1] These mandatory arbitration agreements are essentially an anti-remedy for Internet users because the cost of arbitration will almost always exceed the monetary amount that is at stake. Plus, with class action waivers, there is no aggregation of claims.[2]

It is time for Congress to step in and protect consumers in cyberspace from a new generation of defective products—driverless cars and other connected devices that are part of the Internet of Things.

Cybertort remedies need to evolve further to provide consumers remedies for runaway cars, inadequate security, and misuses of big data. Driverless cars have the potential to all but eliminate driver error.  However, connected cars also raise numerous privacy and security concerns. If a car manufacturer assembles massive amounts of data, there is an increased risk that this big data may be misused, compromising the privacy of consumers. Security vulnerabilities in autonomous cars may enable attacks on sensors that notify drivers of dangerous road conditions or could be used to disable the vehicles’ steering and brakes. A compromised vehicle could be used to launch denial of service attacks on other vehicles.

These are not far-fetched professors’ hypotheticals. A Federal Trade Commission Workshop participant, for example, recently demonstrated that a hacker could gain “access to the car’s internal computer network without ever physically touching the car.” This legal dystopia will arrive soon unless far-sighted legal crusaders raise consciousness about these perils, much like Ralph Nader did for products liability. Car companies are far more likely to continue to monitor their vehicles throughout the life cycle and patch known vulnerabilities if failure to adequately protect consumers could result in compensatory and punitive damages.

Cyber products liability creates a necessary incentive to ensure that security measures are tested on driverless cars and are perfected before these vehicles are marketed. A strong products liability regime ensures that not even multibillion-dollar IoT manufacturing corporations, such as Google, Apple, Ford or Mercedes, operate beyond the reach of the law. The public interest is best served by extending the well-established principles of tort law to driverless vehicles and other potentially hazardous Internet-connected devices. Tort law must resume its long-standing role as a flexible and forward-looking set of remedies that can evolve to deal with emergent wrongs.


[1] See Michael Rustad and Thomas Koenig, Wolves of the World Wide Web: Reforming Social Networks’ Contracting Practices, 49 Wake Forest L. Rev. 1431 (2014).

[2] See Thomas Koenig and Michael Rustad, Fundamentally Unfair: An Empirical Analysis of Social Media Arbitration Clauses, 65 Case W. Res. L. Rev. 341 (2014-2015).


Michael L. Rustad is a professor of law at Suffolk University Law School. Thomas H. Koenig is a professor of sociology and anthropology at Northeastern University.

Comments