In recent years, the phrase “Internet of Things,” or IoT, has appeared more and more frequently in the press discussing the latest consumer products, wearable devices, children’s toys, kitchen appliances, home security devices, medical technology, industrial equipment, and technologically advanced cars. IoT basically refers to any connected device that collects and transmits data over the Internet.
Many IoT articles have discussed privacy and ownership—of the data, of the devices—but not necessarily ownership in the sense of “copyright ownership.” This article addresses the potential sources of copyright rights in (1) the data collected by software embedded in IoT devices, and (2) the embedded software itself.
Data Collected by Software Embedded in IoT Devices
A common myth involving IoT devices is that the owner of the device (in other words, the consumer or the end user who installs the device in their home or wears the device around) also owns the data. After all, the data were collected from him/her/them—isn’t it obvious that “they” own the data?
Copyright Protection for “Original Works of Authorship”
Copyright protection in the United States extends to certain creative works that fall within the definition of “original works of authorship.”1 Notably, the statute specifically excludes from protection any ideas, facts, or other noncopyrightable elements that may also be embodied in the “work”: “In no case does copyright protection for an original work of authorship extend to any idea, procedure, process, system, method of operation, concept, principle, or discovery, regardless of the form in which it is described, explained, illustrated, or embodied in such work.”2 In order for a work to be copyrightable, therefore, it must have a modicum of creativity.3 The level of originality required is not significant, but the underlying idea and the expression of that idea cannot merge—or copyright will not attach to the work.4
The statute does not provide a definition for the term “author,” but clearly natural persons and business entities (in the case of “works made for hire”) can qualify.5 A “work made for hire” is:
(1) a work prepared by an employee within the scope of his or her employment; or (2) a work specially ordered or commissioned for use as a contribution to a collective work, as a part of a motion picture or other audiovisual work, as a translation, as a supplementary work, as a compilation, as an instructional text, as a test, as answer material for a test, or as an atlas, if the parties expressly agree in a written instrument signed by them that the work shall be considered a work made for hire.6
A company that commissions a work but does not obtain a signed, written agreement that confirms that the parties mutually intended the work to be considered “made for hire” will not own the exclusive copyrights in the work. Instead, copyright ownership will remain with the contractor who created the work in the first instance.
Facts Are Not Copyrightable
It is black letter law that the Copyright Act does not protect facts against copying by others.7 Instead, the Copyright Act prohibits a later author from copying outright the original expression of a prior author, in whole or substantial part.8 The Copyright Act does not prevent others from discussing the same set of facts in differing ways, or from providing different written treatments of the same general concepts.9 For instance, the facts underlying a particular news event are not copyrightable—each newspaper is free to publish a different article about the same event and will not tread on the others’ copyrights, provided that the newspapers do not use the same words to describe the same events.10 Copyright protection only applies to the expressive aspects of the work.
Similarly, the person who collected names and addresses of every resident of a particular geographic area for use in a telephone book is not an author for purposes of copyright law.11 Considering whether to prevent the publication of a competing telephone book that borrowed substantial text from a previously published telephone book, the Supreme Court concluded that “facts do not owe their origin to an act of authorship. . . . The first person to find and report a particular fact has not created the fact; he or she has merely discovered its existence.”12 Thus, the person who merely collected the facts does not have a copyright claim.
The plaintiff in the Feist case argued based on prior law that because it had undertaken the time-consuming effort of collecting the data for white page phone listings, it could prevent others from compiling the data into a different collection.13 The Court concluded that this theory (i.e., the “sweat of the brow” doctrine) “had numerous flaws, the most glaring being that it extended copyright protection in a compilation beyond selection and arrangement—the compiler’s original contributions—to the facts themselves.”14 Notably, however, the prior version of the Copyright Act under which this doctrine developed defined copyrighted works not as “original works of authorship” but as “all the writings of an author.”15 The Court concluded that Congress’s intentional revision in 1976 to the nature of works that could be copyrighted explained “with painstaking clarity that copyright requires originality; that facts are never original; that the copyright in a compilation does not extend to the facts it contains; and that a compilation is copyrightable only to the extent that it features an original selection, coordination, or arrangement.”16 Hence, multiple authors can create different compilations involving the same underlying pool of facts, provided that each compilation embodies a different “selection, coordination, or arrangement” of those facts.17
More recently, even the Copyright Office has acknowledged that data collected by IoT devices are not independently copyrightable.18 By necessary implication, the source of the underlying facts—for instance, a person involved in the news event or who is discussed in the various articles—is not an author for purposes of copyright law. He or she merely “discovered” the facts.
Taking this analogy one step further, a consumer whose data are collected by an IoT device is not an author, made no protectable compilation of facts, and thus cannot claim copyright ownership in the data. Instead, the device manufacturer who assembled the data, made a thoughtful selection of which data to publish, and compiled the data into a new work could claim copyright in the compilation. It is possible, depending on the nature of the data, that the consumer could prevent publication or further dissemination of the data because of a right of publicity claim, or a right of privacy claim, or a prohibition of disclosure under HIPAA or HITECH. But he or she could not prevent the data from being disseminated on copyright grounds.
Compilations Have Limited Copyright Protection
While the Feist Court concluded that compilations can be protected under copyright law, it is clear that this protection is limited to those that result from “choices as to selection and arrangement [of the data], so long as they are made independently by the compiler and entail a minimal degree of creativity.”19 In addition, the Feist Court explained that the copyrightability of a compilation has a very narrow scope: “The mere fact that a work is copyrighted does not mean that every element of the work may be protected.”20 As a result, a device manufacturer’s copyright is not unlimited and only extends to the unique selection and compilation of the underlying facts into a creative work.
Embedded Software Controlling Device or Data Collection by Device
In general, copyrights in software are owned by its developers (or, in the case of works “made for hire,” by their employers if the creation of the software at issue was within the scope of their employment) unless the rights have been otherwise assigned.21 IoT devices typically include embedded software to control device functionality, including collection, storage, and dissemination of data from the subject consumer. If the developer is not the same entity as the manufacturer of the device, the manufacturer will need a license before distribution of the device can begin.
The Copyright Act prohibits circumvention of “technological measure[s] that effectively control access to a [protected] work.”22 Technological measures are those that require “the application of information, or a process or a treatment, with the authority of the copyright owner, to gain access to the work,” when used in the “ordinary course of operation” of the device.23 Circumventing such measures includes descrambling, decrypting, or otherwise avoiding, bypassing, removing, deactivating, or impairing a technological measure without permission from the copyright owner.24
There are notable exceptions to these prohibitions built into the Copyright Act, such as:
- a nonprofit library, archive, or educational institution reviewing a “commercially exploited copyrighted work” for the sole purpose of deciding whether to acquire a copy;
- certain law enforcement officers acting pursuant to a government contract;
- certain reverse engineering for purposes of determining interoperability;
- certain encryption research;
- certain efforts to prevent the access of minors to the Internet;
- certain circumvention targeted to a work that collects personal information and with the sole purpose of locating the mechanisms that collect the information and disabling them; and
- certain types of security testing, with the permission of the copyright owner, provided that the purpose is to test, investigate, or correct security flaws or vulnerabilities in the computer, computer system, or computer network.25
Each of these exceptions requires the application of multiple conditions, which collectively significantly limit their application, such that none of these exceptions is particularly broad.
These exceptions also do not apply to the manufacturing, importing, offering to the public, providing, or otherwise trafficking in any technology, product, service, device, component, or part thereof that is “primarily designed” to circumvent the access controls, or that has “only limited commercially significant purpose” other than circumvention.26 As a result, the trafficking in tools or devices to enable circumvention of access controls remains prohibited by the Copyright Act, even if certain categories of users may have been exempted from liability for undertaking the actual circumvention.
Librarian of Congress’s Recent Exemptions
The anti-circumvention rules only apply to copyrighted works.27 In a recent report, the Librarian of Congress confirmed that “in many cases, data outputs generated by devices would likely be uncopyrightable, and . . . in such cases, [17 U.S.C.] section 1201(a)(1) . . . would not apply.”28
On October 28, 2015, the Librarian, following the recommendations of the Register of Copyrights, approved several exemptions to the anti-circumvention rules, basically concluding that the potentially adverse effects of applying the rules to certain classes of noninfringing users outweighed the need for enforcement of these particular violations.29 The exemptions include those relating to circumvention of the technological protection measures (TPMs) embodied in the following types of works: (1) computer programs in certain vehicles, (2) computer programs used in implantable medical devices or personal monitoring systems that will not be used for patient care, and (3) compilations of data collected by implantable medical devices that could be used for patient care.30
Motorized Land Vehicles: Diagnosis, Repair, or Lawful Modification
A limited exception to the anti-circumvention rules was granted for circumvention of the TPMs in computer programs installed in “motorized land vehicle[s]” (including cars, commercial vehicles, and agricultural vehicles) “when circumvention is a necessary step” taken by the owner “to allow the diagnosis, repair or lawful modification of a vehicle’s function.”31 Such repair functions might include, for instance, “enhancing a vehicle’s suspension or installing a gear with a different radius.”32 In their submissions requesting an exemption, proponents argued that “absent an exemption, vehicle owners must take their cars to authorized repair shops, or purchase expensive manufacturer-authorized tools, to diagnose and repair their vehicles.”33
In granting the exemption, the Librarian clarified that computer programs used to operate vehicle entertainment systems and telematic systems (such as navigation systems or emergency crash response systems) were not part of the exemption, and circumvention of these systems would continue to violate section 1201. The Librarian also agreed to delay implementation of this exemption until October 2016 in order to allow various government agencies time to consider and prepare for the new rule.34 Circumvention of even the exempted systems occurring before October 2016 would continue to violate section 1201.
Consumer Devices, Motorized Land Vehicles, Implantable Medical Devices, and Associated Monitoring Systems: Security Research
An exemption was also granted for circumvention of TPMs in computer programs embedded in “lawfully acquired device[s] or machine[s],” provided that the circumvention was undertaken “solely for the purposes of good-faith security research and does not violate any applicable laws,” such as the Computer Fraud and Abuse Act (CFAA).35 This exemption includes devices “primarily designed” for use by individual consumers (including voting machines), motorized land vehicles, medical devices designed for attachment or implantation, and their associated personal monitoring systems “that [are] not and will not be used by patients or for patient care.”36 Note that the Food and Drug Administration (FDA) had objected to an exemption for circumvention of TPMs on medical devices used for patient care—and the Librarian adopted this objection.37 As a result, circumvention of TPMs on medical devices used for patient care, such as glucose monitoring devices, insulin delivery systems, and pacemakers, even for the purposes of bona fide security research, would still violate section 1201.
The Librarian also agreed to delay the implementation of this exemption with respect to the motor vehicles, medical devices, and monitoring systems until October 2016 to allow the software developer or device manufacturer “sufficient time to correct any flaw before its existence becomes more widely known and thus more susceptible to exploitation by malicious actors.”38 The exemption for circumvention of voting machines was not delayed because there “was no public safety issue or other proffered justification for delay of this aspect of the exemption.”39
Data Generated by Patient’s Networked Medical Devices
An exemption to the anti-circumvention rules was also granted to patients who circumvent the TPMs protecting data compilations (“literary works”) “generated by medical devices that are wholly or partially implanted in the body” for the “sole purpose of lawfully accessing the data generated by his or her own device,” provided the circumvention does not violate other laws (including HIPAA, CFAA, or FDA rules and regulations).40 Opponents of this exemption conceded that patients had an “‘inherent right’ to access their own medical data,” but argued that the right is satisfied by the requirement to obtain the data from an authorized source, such as their healthcare provider.41 Opponents also argued that requiring a second data transmission stream to be delivered to a different recipient would potentially drain the battery life of the implanted device, and thus cause an independent health risk.42
The Register recommended granting the exemption, agreeing that allowing patients to access their health data in real time could provide lifesaving benefits, provided that the data were transmitted to patients at the same time they were uploaded generally so that there was no requirement for a separate feed.43 In this case, the Librarian did not require any delay in implementation because the potential health benefit was not outweighed by any countervailing risk.44 Note also that this exemption only allows patients to access their own data, not others acting on a patient’s behalf.45
Some Categories Rejected for Exemptions
The Librarian also denied some exceptions, including those for jailbreaking of dedicated e-book readers and video game consoles.46
Copyright law is not the only legal regime governing the use and accessibility of IoT devices, but it can easily be overlooked among the sea of others. Many devices now offer customizations based on data collection and connectivity to transmit the data back to the central database. Many devices consumers used to have serviced by providers other than the dealer or manufacturer now have restrictions that limit repair choices. These devices also may embody security risks that did not exist before the connectivity was introduced. Device manufacturers should take care to provide an appropriately secure environment for the use of their devices, but should also permit modest security risk assessments, whether by third parties or conducted internally, to ensure that potential risks are identified and addressed for the safety of all concerned.
Developments in this area of technology will continue to thrive, and ever-increasing challenges will emerge requiring protection of the developer’s intellectual property on the one hand and consumers’ personal information on the other. Proper notice and disclosure of these collection practices is necessary—as is an ability to opt out from the data collection requirements of a particular device, under appropriate circumstances. u
1. 17 U.S.C. § 102(a) (“Copyright protection subsists . . . in original works of authorship fixed in any tangible medium of expression, now known or later developed, from which they can be perceived, reproduced, or otherwise communicated, either directly or with the aid of a machine or device.” (emphasis added)).
2. Id. § 102(b) (emphasis added).
3. Home Legend, LLC v. Mannington Mills, Inc., 784 F.3d 1404, 1409 (11th Cir. 2015) (“Originality is not novelty. . . . In other words, the originality requirement is a low bar.” (citing Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 358 (1991))).
4. See, e.g., Nat’l Nonwovens, Inc. v. Consumer Prods. Enters., Inc., 397 F. Supp. 2d 245, 255 (D. Mass. 2005) (“Because certain ideas can be expressed in only a limited number of ways, in some cases the idea and its expression are inseparable.”); U.S. Copyright Office, Compendium of U.S. Copyright Office Practices § 313.3(B) (3d ed. 2014) [hereinafter Compendium] (confirming that registration will be refused when the idea and the expression of the idea in the proposed work have merged).
5. Compendium, supra note 4, § 405 (“An author is either (i) the person or persons who created the work, or (ii) the employer or other person for whom the work was prepared, if the work was created during the course of employment or commissioned as a work made for hire.”); see also id. § 306 (providing that only human beings qualify as “authors” of copyrighted works).
6. 17 U.S.C. § 101 (emphasis added).
7. Id. § 102(b).
8. Id. § 501; Hoehling v. Universal City Studios, Inc., 618 F.2d 972, 980 (2d Cir. 1980) (“A verbatim reproduction of another work, of course, even in the realm of nonfiction, is actionable as copyright infringement.”).
9. Feist Publ’ns, Inc. v. Rural Tel. Serv. Co., 499 U.S. 340, 348 (1991) (“The same is true of all facts—scientific, historical, biographical, and the news of the day. ‘[T]hey may not be copyrighted and are part of the public domain available to every person.’”); Zalewski v. Cicero Builder Dev., Inc., 754 F.3d 95, 102 (2d Cir. 2014) (“Everything else in the work, the history it describes, the facts it mentions, and the ideas it embraces, are in the public domain free for others to draw upon. It is the peculiar expressions of that history, those facts, and those ideas that belong exclusively to their author.”).
10. See, e.g., Int’l News Serv. v. Associated Press, 248 U.S. 215, 234 (1918) (“It is not to be supposed that the framers of the Constitution . . . intended to confer upon one who might happen to be the first to report a historic event the exclusive right for any period to spread the knowledge of it.”).
11. See Feist, 499 U.S. at 340.
12. Id. at 347.
13. Id. at 344.
14. Id. at 353.
15. Id. at 355.
16. Id. at 360 (emphasis added) (citations omitted).
17. Id. at 349 (finding that a subsequent compiler of the data is “free to use the facts contained in another’s publication . . . so long as the competing work does not feature the same selection and arrangement”); Hoehling v. Universal City Studios, Inc., 618 F.2d 972, 980 (2d Cir. 1980) (“In works devoted to historical subjects, it is our view that a second author may make significant use of prior work, so long as he does not bodily appropriate the expression of another.”).
18. Exemption to Prohibition on Circumvention of Copyright Protection Systems for Access Control Technologies, 80 Fed. Reg. 65,944, 65,959 (Oct. 28, 2015) (to be codified at 37 C.F.R. pt. 201) (“[I]n many cases, data outputs generated by devices would likely be uncopyrightable[.]”).
19. Feist, 499 U.S. at 348.
21. 17 U.S.C. §§ 101 et seq.
22. Id. § 1201(a)(1)(A).
23. Id. § 1201(a)(3)(B).
24. Id. § 1201(a)(3)(A).
25. Id. § 1201(d)–(j).
26. Id. § 1201(a)(2), (b); 80 Fed. Reg. at 65,945 (confirming that the “Librarian of Congress has no authority to adopt exemptions for the anti-trafficking prohibitions contained in section 1201(a)(2) or (b)”).
27. 17 U.S.C. § 1201(a)(1)(A).
28. 80 Fed. Reg. at 65,959.
29. See generally 80 Fed. Reg. 65,944; 17 U.S.C. § 1201(a)(1)(B) (“The prohibition . . . shall not apply to persons who are users of a copyrighted work which is in a particular class of works, if such persons are, or are likely to be in the succeeding 3-year period, adversely affected by virtue of such prohibition in their ability to make noninfringing uses of that particular class of works[.]”).
30. See 80 Fed. Reg. at 65,961–64 (summarizing all of the exemptions).
31. Id. at 65,963 (emphasis added); see also id. at 65,953.
32. Id. at 65,954.
35. Id. at 65,963 (emphasis added); see also id. at 65,955.
36. Id. at 65,956.
38. Id. at 65,955–56.
39. Id. at 65,956.
40. Id. at 65,963–64 (emphasis added); see also id. at 65,959.
41. Id. at 65,959.
46. Id. at 65,960–61.