Blog Posts

Biology and technology coming together
  • JAC

The Cyborg-Technology Provider Relationship, Part II

Updated: Sep 24, 2018

Continued from Part I

IV. Defining The Harm

Despite the existence of radical technologies signifying the approach of the singularity, American law continues to perpetuate a largely caveat-emptor approach when analyzing both consumers’ relative power to contract with technology providers and remedies for harms against the technological-person. Once the singularity does arrive, these legal doctrines will be inadequate to address the real harms suffered by those in Adam’s position.

Certainly, many statutory and regulatory frameworks currently exist that have the potential to affect the rights and liabilities of cyborgs and their technology providers. For example, it is an open question on whether cerebral processors in wide use will be regulated as class III medical devices by the United States Food and Drug Administration.[1] This question is important because consumers cannot sue product manufacturers for product liability for class III medical devices.[2] Another open question is whether the information contained within cerebral processors constitute “protected health information” as defined by the Health Insurance Portability and Accountability Act (HIPAA).[3] If so, cerebral processors may be regulated by HIPAA’s security rule.[4]

However, the uncertain applicability of various statutes and regulations make it necessary to consider a cyborg’s rights under the common law. As currently conceived in the common law, cyborgs in Adam’s position would look to data breach law and contract law—both of which would offer them no relief.

A. Federal Data Breach Law Is Insufficient For Adam

Many civil claims alleging a company’s negligence in allowing a data breach to occur are dismissed for failure to allege damages. This is a function of the standing doctrine.

The standing doctrine is a judicial creation that determines whether a particular claim is considered a “case” or “controversy” giving the court jurisdiction.[5] Standing is composed of three “irreducible constitutional minimum” elements.[6] The first of these elements is that the plaintiff must have suffered an injury in fact, which is defined as an invasion of a legally protected interest that is concrete, particularized, actual or imminent, and not conjectural or hypothetical.[7] The second element is that there must be a causal connection that fairly traces the conduct of the defendant to the injury suffered by the plaintiff.[8] Finally, it must be “likely” instead of “speculative” that the plaintiff’s injury will be redressed by a favorable decision by the court.[9]

If the plaintiff fails to provide factual allegations supporting these three standing elements at the pleading stage, the court will dispose of the case on motion to dismiss for lack of subject-matter jurisdiction.[10] And this is generally the case for data breach claims, as the courts tend to hold that the plaintiffs cannot satisfy the standing element of injury in fact.

For example, this was the case in Reilly v. Credian Corp., 664 F.3d 38 (3d Cir. 2011). In Reilly, the defendant was a payroll company that collected information about its customer’s employees, including names, addresses, social security numbers, dates of birth, and bank account information.[11] At some point, an unknown hacker breached the defendant’s systems and gained access to the personal information of roughly 27,000 individuals.[12] After the breach occurred, however, it was “not known whether the hacker read, copied, or understood the data.”[13] Regardless, the individuals who had their information accessed filed a negligence suit against the defendant alleging, in part, that the hack increased their risk of identity theft.[14] However, the district court dismissed the plaintiffs’ suit for a lack of standing and the court of appeals agreed.[15]

The court of appeals held that the plaintiffs did not have standing because they only claimed a possible future injury, not a “concrete [injury] in both a qualitative and temporal sense.”[16] Specifically, the court of appeals stated that the claim of an increased risk of identity theft was only speculation based on the “future actions of an unknown third-party.”[17]

Therefore, Reilly indicates that the mere taking of personal information from a third-party custodian is no injury and cannot establish standing in a suit against that custodian. At a minimum, courts require at least an attempted misuse of the stolen data, as was the case in Krottner v. Starbucks Corp., 628 F.3d 1139 (2010). In Krottner, an unsecured computer belonging to the defendant was stolen, which contained the “names, addresses, and social security numbers” of the plaintiffs.[18] For one of the plaintiffs, there was a failed attempt to open a bank account in his name using his social security number, but this did not result in any financial harm to that plaintiff.[19] There was no alleged attempt to use the stolen information of any of the other plaintiffs.[20] In the end, the court of appeals held that all of the plaintiffs had standing—that they alleged a sufficient injury—relying on the fact that the attempted use of one of the plaintiff’s information demonstrated a credible threat of future harm.[21]

For Adam, a strict analogy to these cases would result in any negligence suit brought by him against IB-X for the data breach would be dismissed for lack of standing. Just like the plaintiffs in Reilly, Adam has no evidence that his stolen information has been misused in a manner that could cause him injury. As such, an injury alleged by Adam would be merely speculative.

However, a significant factual distinction between Adam’s situation and the breaches in both Reilly and Krottner begs a different analysis. This distinction is in where the data breach occurred. In Reilly and Krottner, the data breach occurred in a remote computer system. In contrast, the data breach against Adam occurred within his body. While the type of information in all cases may be the same, the fact that Adam’s data breach compromised his bodily integrity shows that a viable argument exists that data breaches against cyborgs are different in kind from how we understand data breaches now.

B. Conceiving Adam’s Harm As A Battery

Adam’s cerebral processor was hacked. Put another way, an unknown evildoer reached into Adam’s brain without authorization. The hack into Adam’s brain, therefore, looks like a battery. Conceiving Adam’s injury as a battery, a claim against IB-X would be for negligently allowing a battery, not merely negligently allowing a data breach as described in Reilly and Krottner. As such, Adam would be able to demonstrate standing without having to allege an actual misuse of his stolen information. The fact that a battery occurred is sufficient.

Defining battery, the Restatement (Third) of Torts states that

An actor is subject to liability to another for battery if

(a) the actor intends to cause contact with the person of the other;

(b) the actor’s conduct causes such a contact;

(c) the contact (i) is offensive or (ii) causes bodily harm to the other; and

(d) the other does not actually consent to the contact [or to the conduct that causes the contact].[22]

The restatement continues to describe an “offensive contact” as a contact that “offends a reasonable sense of personal dignity” or when the tortfeasor “knows that the contact seriously offends the other’s sense of personal dignity, and it is not unduly burdensome for the actor to refrain from causing the contact.”[23] Moreover, the restatement notes that many states include the contact with something closely associated with a person as also qualifying as battery.[24]

Under these elements, the hack of Adams cerebral processor was a battery. The hacker certainly intended to hack into Adam and did so without Adam’s consent. At a minimum, the hack would be viewed as offensive because it would “offend[] a reasonable sense of personal dignity.”

Perhaps the only conceptual problem that Adam would face in demonstrating that a battery occurred is whether a digital intrusion into a cerebral processor constitutes a physical contact. However, an analogy to “computer trespass” and a consideration of what constitutes a cyborg’s “brain” lead to a conclusion that a battery did occur.

Although an earlier section of this article raised and dismissed the questionable applicability of existing statutes and regulations to cyborgs, analogy to Computer Fraud and Abuse Act (CFAA) as currently enacted provides a basis for acknowledging a hack as a physical action. Specifically, the CFAA prohibits the intentional access to a protected computer[25] without authorization or exceeding authorization and thereby obtaining information from that computer.[26] Some scholars describe the CFAA as “principal[ly] . . . confer[ring] on computer owners the right to regulate who may access their computer, and what those accessers may do to it . . .” and that the CFAA’s rules “are best understood as creating rights to exclude that are akin . . . to comparable rights in property regimes.”[27]

Important to Adam, the CFAA treats unauthorized access to computers as a physical action. This is because it separates as two distinct elements (1) gaining access to a computer and then (2) obtaining data from that computer. This is different from crimes/torts that only look to whether information was wrongfully obtained regardless of method. An example of this is the tort of intrusion upon seclusion, which solely looks at whether an individual intrudes upon the private affairs of another, “physical or otherwise,” in a manner that would be highly offensive to a reasonable person.[28] Therefore, Adam may argue that the hack into his cerebral processor was the electronic equivalent to the hacker physically entering his brain.

In this, Adam may also have to persuade the court that his cerebral processor is part-and-parcel with his brain. Note that it is likely that Adam can rest his battery claim on an argument that the cerebral processor was closely associated with his person—indeed, it is implanted in his brain. But that argument is not available in all states, and Adams argument would be stronger if he could persuade the court that the cerebral processor was part of his anatomy.

Even if a court finds these arguments by analogy unpersuasive, there is good reason for the court to hold that the hacking of a cyborg’s cerebral processor is a battery sua sponte. That reason is that after the singularity and the emergence of “transhumans,” there will be no more meaningful distinction between the biological body and the technological body. Beyond the fact that in time mechanical limbs will have all the same functionality as organic limbs, including the ability for sensation, human intelligence will be greatly and irreversibly enhanced by objects such as cerebral processors.[29] It is irreversible because of the nature of society; as seen in the story of Adam, without his cerebral processor he is unable to participate in the economy, which requires more than the capabilities of an ordinary human. Plainly stated, the law should evolve as what it means to be “human” evolves.

The law’s expansion following the recognition of new human dignities is not a new concept. This idea was the central thesis of Justices Warren and Brandeis in their famous article, The Right to Privacy.[30] In their article the justices argued for judicial recognition of a tort that they call “the right to be let alone.”[31] Specifically, they were concerned about how the tabloids could leverage the Eastman Kodak Company’s new “snap camera,” having the revolutionary ability to take instantaneous pictures capable of routinely invade others’ privacy.[32] As the story goes, Chief Justice Warren was particularly enraged when a tabloid used this new privacy-infringing technology to publish a picture of his daughter’s wedding without permission.[33]

Just like Adam’s argument, the justices were driven by a new technology that impacted individuals differently than previous technologies. Before instantaneous photography, people did not have to worry about intimate pictures being revealed to the public; before cerebral processors, people did not have to worry about hacks of their brains.

Also important to Adam is how the justices went about advocating for the extension of the common law. Specifically, they focused on how society evolved in its understanding of what is necessary to protect personal dignity and rights:

THAT [sic] the individual shall have full protection in person and in property is a principle as old as the common law; but it has been found necessary from time to time to define anew the exact nature and extent of such protection. Political, social, and economic changes entail the recognition of new rights, and the common law, in its eternal youth, grows to meet the demands of society.[34]

In the beginning, they assert, the law began with the “right to life” as society recognized that individuals had a right to be free from physical battery and actual restraint—this was the first meaning of “liberty.”[35] Thereafter, society acknowledged that individuals had a right to be free from interference with their land and chattel, thus giving rise to the “right to property.”[36] Ultimately, up until Warren and Brandeis’s time, this process continued with society and the law recognizing individuals’ rights in intangible property—“in the products and processes of the mind, [such] as works of literature and art, goodwill, trade secrets, and trademarks.”[37] Through all of this, Warren and Brandies saw the law’s evolution of personal protections through the common law as the natural counterpart to social evolution:

This development of the law was inevitable. The intense intellectual and emotional life, and the heightening of sensations which came with the advance of civilization, made it clear to men that only a part of the pain, pleasure, and profit of life lay in physical things. Thoughts, emotions, and sensations demanded legal recognition, and the beautiful capacity for growth which characterizes the common law enabled the judges to afford the requisite protection, without the interposition of the legislature.[38]

For Adam, the event of the singularity and the rise of cyborgs is another time in human history where it is necessary to advance the common law. In particular, the law should make no distinction between the electronic portions of a cyborg’s body and the organic portions. Both are what make the cyborg whole. Further, the electronic portions are, again, necessary. For Adam, without the adequate functioning of his cerebral processor, he was effectively excluded from meaningful participation in a society where the economy is built upon the enhanced capabilities of cyborgs.

In the end, Adam should be able to persuade a court that the hack was a battery against his person. Assuming that a battery of this nature deserves a remedy, the next question is against whom? Certainly, Adam would have a claim against the hacker, but the hacker is unknown, and if history is any indicator, the hacker is unlikely to be identified and hauled into court. That leaves IB-X as the only other involved party. Since IB-X was in the important and unique position of preventing the battery against Adam, it should be held liable for not just traditional negligence but for breach of a fiduciary duty.

Article continued in blog-post part III.

[1] 21 U.S.C. § 301 et seq.

[2] Id.

[3] Codified at 42 U.S.C. § 300gg, 29 U.S.C § 1181 et seq. and 42 USC 1320d et seq.

[4] 45 C.F.R. Part 160.

[5] Lujan v. Defenders of Wildlife, 504 U.S. 555, 559-60 (1992).

[6] Id. at 560.

[7] Id.

[8] Id.

[9] Id. at 561.