[This two-part essay has been authored by Amishi Aggarwal, a 2nd year student at NALSAR University of Law, Hyderabad. Part II is available here.]
With the advancement of new forms of technology, new kinds of contractual relationships are being formed. Contract law, especially in India where it was codified more than a century ago, is not equipped to deal with new relationships which have emerged due to modern technology like Artificial Intelligence (AI). A glaring example of these new contractual relationships are those entered into by Internet of Things (IoT) on behalf of the users.
IoT is a system of interlinked computing devices that have the ability to transfer data over a network without requiring human-to-human or human-to-computer interaction. This data can be used to perform various tasks on behalf of the user such as controlling lighting and appliances, monitor windows, doors, water leaks, smoke and even notifying family about a car crash. An example of an IoT device would be a smart fridge that monitors your daily consumption of eggs, and orders them a day before they get used up, in order to ensure that the house never runs out of eggs. The fridge need not be instructed to order the goods; it does so automatically on the basis of the information given to it using machine learning to calculate the user’s daily consumption and stock of goods. Thus, this fridge enters into a contract with the grocery store to deliver certain goods, by a certain date, on its own, without an explicit order from its human user.
The question which arises here is about the legal relationship between the fridge, the user and the grocery store. The fridge can bind its user to the contract entered into by it if it were an agent of the user. The Indian Contract Act defines an ‘agent’ as “a person deployed to do an act for the principal or to represent him in dealings with third persons”. In autonomous IoT products, AI is used to carry out acts on behalf of the user. In the fridge example used above, it is the AI which monitors the daily consumption of eggs, the availability of eggs at the store, and then places the order accordingly to ensure that the delivery is made before the user consumes all of their eggs. Hence, the nature of the relationship between the user and the fridge resembles that of agency. However, most jurisdictions explicitly require the agent to have a legal personality. Therefore, IoT cannot possibly be an agent as it has not been given the status of a legal person yet. However, several countries have considered conferring AI with the status of a legal person, so that liability can be attributed to it when it causes injuries without any human interference or negligence.[1]
For the purpose of this essay, it shall be assumed that AI has legal personality, which allows for ana analysis of the other aspects of the relationship between the IoT device and the user. The question of imposing direct liability on the IoT device becomes important because it acts autonomously, based on the principles of machine learning. This makes the actions of the device unpredictable. Without this assumption, the liability is likely to be decided in accordance with the Terms and Conditions of the seller, which may not be fair to either the seller or the user given the autonomous functioning of the AI.
The author’s aim through this essay is to answer the question of whether an IoT device can be an agent of its user in light of the general principles of contract law in common law jurisprudence. First, the essay analyses the question of consent from both the user and the IoT device to the relationship of agency. Second, the issue of whether the IoT device demonstrates the requisite fiduciary characteristics to be an agent will be scrutinized. Certain aspects of the tri-partite relationship between the IoT device, the user and the seller suggest that there may be a conflict of interest faced by the IoT device while discharging its duties as an agent. This conflict of interest raises the question of whether the IoT device is indeed an agent of the user or of the seller. Additionally, it is difficult to reconcile the concept of apparent authority in the context of an IoT device. Considering these factors, it is examined whether an IoT device should be classified as an agent of the user.
Is an IoT Device an Agent of the User?
Consent
For any principal-agent relationship to be formed, consent is a necessity (unless the person is an agent by the operation of law or a court order).[2] When the users pre-programme the device or create accounts to operate the device, it can be assumed that they authorize the device to enter into contracts wherever necessary. Similarly, the IoT device consents to this relationship by actually ordering the goods and working in accordance with the user’s guidelines. It enters into contracts on behalf of the user and derives the authority to do so from them. This is how the IoT device can be said to have representative character and derivative authority. Even where the device malfunctions (by ordering the required item in excess or by ordering a completely different item), the contract may still be binding on the user through the principle of apparent authority. In principle, this resembles the common principal-agent relationship. However, there are some inherent problems with classifying this relationship as one of agency.
Fiduciary Obligations
First, the relationship of agency has a fiduciary character,[3] and the IoT device’s ability to understand the same is questionable. Agents are required to act in the best interest of the principal in the course of agency.[4] While IoT devices are equipped to think on their own through AI, the scope of the same is generally very limited. For instance, smart fridges are generally restricted to measuring the user’s usage and determining the time at which new orders should be placed. Hence, while entering into contracts they may not understand other requirements of the agency relationship such as acting loyally and actively protecting the interests of the principal wherever possible. Thus, they might be unable to act the way a fiduciary (agent) would.[5] One aspect of this fiduciary duty is to maintain the privacy of the user. However, data calculated and stored by IoT devices about users is mechanically provided to retailers and manufacturers, which jeopardizes the agent’s obligation to act in the best interest of the principal. Generally, retailers and manufacturers can even sell this data to third parties who may use the same in any manner.
Conflict of Interest
In fact, there is an intrinsic conflict of interest faced by the IoT device, which further jeopardizes its nature as a fiduciary (and by extension as an agent). IoT devices are generally manufactured by big companies like Amazon who seek to maximise their interest by enabling the transfer of a user’s data to third parties who then advertise their products. These data transfers can even be used to the detriment of the user himself, as his activities, lifestyle and behaviour perpetually are being tracked.[6] This poses a huge risk of privacy breach. There have been cases where the data of the user was unintentionally leaked by the companies. Such leakage, apart from constituting a violation of the fundamental existential rights of the user, may then be used against the user by private investigators and law enforcement. Further implications of such privacy risk include micro-targeting the individual to swing elections and put certain people in positions of power, lobbying with the government and the police etc. Hence, there is a very fundamental conflict of interest where the IoT follows the instructions of the user while also generating data about the user that is provided to the manufacturer and possibly sold to third parties.
While conflicts of interest are not entirely forbidden, full disclosure of the same to the principal is required, along with his subsequent consent.[7] Part II will analyse the adequacy of this disclosure made to the user. Further, it delineates two other problems in classifying an IoT device as an agent of the user – namely, the determination of who the device acts as an agent for and the problem of reconciling apparent authority with the working of IoT devices.
[1]John P. Fischer, Computers as Agents: A Proposed Approach to Revised U.C.C. Article, 72 Ind. Law Journal 545, 559, 568-573 (2014).
[2]Carr v. Hunt, 651 S.W. 875 (Tex. App. Dallas), 1983.
[3] De Bueshe v. Alt (1878).
[4]Avatar Singh, Contract & Specific Relief, 12thedn Eastern Book Company 764 (2016); Pollock & Mulla, The Indian Contract Act, 1872, 15the edn LexisNexis 543 (2018).
[5] Dave Wrong, The Emerging Law of Electronic Agents: E-Commerce and Beyond, 33 Suffolk Uni. Law Review 84 (1998).
[6] Scoth R. Puppet, Regulating the IoT: First Steps Towards managing Privacy, Security and Consent, 93 Tex. law review 85, 127-140 (2014).
[7]De Bueshe v. Alt (1878); Sec 8.06, RESTATEMENT (THIRD) OF AGENCY.