Regulation through “bricking”: private ordering in the “Internet of Things”

Internet-enabled “smart products” operate through networked software that links the devices to their manufacturers’ servers to enable the collection and distribution of data, and, as a result, these products are vulnerable to software disruption. This article examines “regulation by bricking”, which refers to the deliberate impairment or destruction of software with the intention of negatively affecting product functionality. The article argues that companies are employing bricking within a system of private ordering that is reshaping the governance of physical objects, as companies can arbitrarily and remotely affect the functionality of any software-enabled device and even determine a product’s lifespan. Further, the article contends that through companies’ post-purchase regulation of internet-connected goods, “Internet of Things” (IoT) firms have an unfair capacity to impose their preferred policies unilaterally, automatically, and remotely. Control over software thus enables control over hardware. This private ordering occurs within a regulatory framework in which IoT companies use restrictive licensing agreements to govern the use of the products’ software. With a focus on the governance of consumer-oriented IoT goods within the United States, the article draws upon the law and technology literature to explain bricking as a form of techno-regulation, which is the deliberate use of technology as a regulatory instrument (Brownsword, 2005), through an analysis of manufacturers’ licensing agreements for smart products.


INTRODUCTION
With the rapid expansion of internet-connected physical products with embedded software known as the "Internet of Things" (IoT), once-ordinary goods like watches or televisions have become what is colloquially termed "smart" devices. The IoT can be commonly understood as networks of always-on, internet-connected and software-enabled devices that collect, distribute, and act upon data through embedded sensors (see Meola, 2016). As smart goods rely upon their embedded software that regularly communicates with the manufacturers' servers for instructions, a manufacturer-dependent relationship that some scholars characterise as "tethered" (Zittrain, 2008), these products are vulnerable to any interruption or manipulation to their software.
The susceptibility of smart products to disruption in the provision of software became widely apparent in 2016 when customers of the Revolv smart home system learned their products would suddenly become inoperable. The problem started in 2014 when Google's sister company Nest, which sells smart home systems, purchased the Revolv smart home hub that enabled communication among light switches, garage door openers, motion sensors, and thermostats, and allowed users to program these devices and operate them remotely. In 2016, Nest decided to discontinue the Revolv hub in a blunt announcement: "As of May 16, Revolv service will no longer be available" (Lawson, 2016). All Revolv data was deleted and the one-year warranty expired for all Revolv products. A Revolv user described the consequences: "My landscape lighting will stop turning on and off, my security lights will stop reacting to motion, and my home-made vacation burglar deterrent will stop working" (Gilbert, 2016). Although the company offered its customers refunds, Nest remotely destroyed functional services without their customers' consent by withdrawing access to the software services that enabled the hub to operate normally.
Nest's actions demonstrate the vulnerability of internet-connected, software-enabled products to any interruption to the manufacturers' provision of software updates. Through their software, IoT products remain connected or "tethered" (Zittrain, 2008) to their manufacturers, a characteristic that enables companies to wield significant post-purchase control over the software. The most extreme form of post-purchase control is "bricking". Bricking typically describes an electronic device's loss of functionality in which it is rendered permanently inoperable (see e.g., Technopedia, n.d.). In this article, bricking refers more narrowly to manufacturer-pushed software interruption or impairment that has the intention of negatively affecting product functionality. The Revolv case, an example of bricking, shows that those who control the products' software can determine how their customers use the goods and even the products' lifespan. By discontinuing software updates, which also contain essential security patches, or by pushing software updates that negatively affect product functionality, IoT manufacturers can cause IoT products to cease functioning properly, either immediately or over time. Control over software thus enables control over hardware.
This article argues that IoT companies, particularly within the United States, are using bricking within a system of private ordering that is reshaping the governance of physical objects, as companies can alter the functionality of or brick any software-enabled, internet-connected device, typically without the consent or knowledge of their customers. The private ordering emerges from a distinctive legal and regulatory framework in which IoT companies use restrictive licensing agreements to govern the software within smart goods. There are clear benefits to the tethered relationship between IoT companies and smart goods as manufacturer-pushed software updates can be convenient for consumers and an efficient way to provide security patches and software upgrades to IoT goods. However, through companies' post-purchase control over smart goods, IoT firms have an unfair capacity to impose their preferred policies unilaterally, automatically, and remotely.
To make its argument, the article draws upon the law and technology literature to explain bricking as a form of techno-regulation, which is the deliberate use of technology as a regulatory instrument (Brownsword, 2005; see also Hildebrandt, 2008), and upon an analysis of manufacturers' licensing agreements for consumer-oriented smart products, particularly Nest, the fitness wearable Fitbit, and Samsung's smart television. By interrupting or manipulating the provision of software to smart goods, IoT companies are regulating through "code" (Lessig, 2006; see Reidenberg, 1997).
With the incorporation of software into all manner of consumer-oriented objects 1  to real-world objects embedded in the urban environment that enable real-time data collection, streaming, and analysis to deliver services, and integrate information and physical infrastructure (Edwards, 2016, p. 31; see also Kitchin, 2014). Although this article examines the governance of IoT products as a form of private ordering with a focus on consumer-oriented smart products, its argument has broader relevance to the control that manufacturers can impose over all manner of internet-connected, software-enabled goods. As well, the data-intensive nature of the IoT raises serious challenges in terms of consumers' privacy, a problem that is further exacerbated by companies' post-purchase control of internet-connected goods.
While there is a growing scholarly literature on the Internet of Things, particularly examining security and privacy risks (see e.g., DeNardis & Raymond, 2017; Friedland, 2017), few studies consider the ways that IoT manufacturers employ their newly expanded capacity to set rules governing the use and lifespan of these products, even after purchase (notable exceptions are Fairfield, 2017; Perzanowski & Schultz, 2016). Bricking, moreover, is critically under-examined in the scholarly literature, despite multiple cases documented in technology-focused news websites like TechDirt and Wired (see e.g., Wiens, 2016).
The rest of this article is organised as follows. First, it establishes bricking as a type of techno-regulation and sets out how IoT companies' regulatory efforts operate as private ordering. Next, the article explains the governance of the Internet of Things through licensing agreements. The article then explores how IoT companies exert post-purchase control over their smart goods with bricking as the paradigmatic example, and considers the implications of post-purchase control on consumer consent and privacy. The article then provides a conclusion.

REGULATING THROUGH TECHNOLOGY
This article understands technology as being imbued by its creators with particular norms, rules and values (Brey, 2005; Franklin, 1995), a socially constructed view of technology that aligns with the law and technology literature (see Brownsword, 2005). Technology, from this perspective, may be designed to facilitate certain types of use, and, inadvertently or deliberately, discourage or prevent others (Brey, 2005; Hildebrandt, 2008). Rules are designed and implemented through architecture or code (see Lessig, 2006; Reidenberg, 1997), such as manufacturers' deliberate changes to the smart goods' software. Techno-regulation, a concept rooted in the law and technology literature, explains how technology can be employed as a regulatory instrument. Techno-regulation refers to the "deliberate employment of technology to regulate human behaviour" (Leenes, 2011, p. 149; see Brownsword, 2005). It is a type of design-based regulation in which "technology with intentionally built-in mechanisms" shapes behaviour (Koops et al., 2006, p. 158, as cited in Leenes, 2011). Designers may incorporate features into the technologies that encourage compliance (termed "regulative" rules) or that force compliance ("constitutive" rules) (Hildebrandt, 2008 Manufacturers' governance of consumer-oriented IoT goods constitutes a system of private ordering (see Schwarcz, 2002) that relies upon privately drafted licensing agreements. By granting themselves the latitude to restrict or terminate service at any time to the devices' software, IoT companies have a quasi-legislative power to set and enforce rules over their users and a quasi-executive power to enforce those rules through technical means (Belli & Venturini, 2016, p. 4; see Langenderfer, 2009).
Internet Policy Review | http://policyreview.info | June 2019 | Volume 8 | Issue 2
Unlike the interpretive nature of law, rules embedded within and enforced using technology are less transparent and often more rigid (Koops, 2011, p. 4; Brownsword, 2008). Technology-embedded rules can force individuals to comply with the rules, effectively designing "out any option of non-conforming behaviour" (Brownsword, 2008, p. 247; see Koops, 2011, p. 4).
Consumers can either choose to accept the rules set out or decide not to use the IoT products.
IoT companies' licensing agreements should therefore be understood as the "law of the platform" (Belli et al., 2017, p. 44), according the company the sole regulatory capacity to set, interpret, and enforce its rules. Once companies decide to downgrade or destroy device functionality, consumers may have few avenues for resistance beyond purchasing non-connected goods where similar goods are available (see e.g., Helberger, 2016).
Regulation through constitutive rules embedded within technology evokes scholarship comparing governance through law and "code" (Lessig, 2006; see Reidenberg, 1997). Schulz and Dankert (2016) contend that the software driving smart goods' operation that can shape or direct human behaviour is a form of constitutive regulation they term "Governance by Things".
While their focus is on rules embedded within software that ensure normal product functioning, this article's focus on bricking investigates IoT companies' efforts to further their post-purchase control over smart goods by manipulating the provision of software. In doing so, companies can force customers to accept certain product features, determine how goods are used, and even determine products' lifespan. Italy's competition authority, for example, fined Apple and Samsung each €5 million in 2018 after ruling that the companies deliberately reduced the speed of their phone operating system, which constituted "dishonest commercial practices" (Gibbs, 2018). While planned obsolescence is not unique to the Internet of Things, the tethered nature of IoT goods to their manufacturers facilitates companies' control over product functionality (see Aladeojebi, 2013).
As the next section explores, consumers' interaction with smart goods depends upon "rules established by an external authority" (Perzanowski & Schultz, 2016, p. 122), namely IoT makers.
By embedding their rules and policies within technology, in this case the product's software, companies can restrict how consumers may use smart goods.

GOVERNING THE INTERNET OF THINGS
The legal authority by which IoT companies regulate their software-enabled goods comes from agreements attached to each product that govern the embedded software. End-user licensing agreements (EULAs), often called software licenses, are legal contracts that set out the conditions under which users can use the software and outline penalties for violation (see Langenderfer, 2009; Perzanowski & Schultz, 2016). Some EULAs also set out terms governing issues like copyright ownership and penalties for violation, and the collection and use of customers' data. In the United States, IoT companies have particular latitude to set rules restricting consumers' use of smart goods within EULAs (see Langenderfer, 2009), whereas other jurisdictions may place limitations on the scope or use of EULAs.
A traditional understanding of contracts refers to an agreed-upon transaction between two consenting parties, but modern contracts depart from this conception with the increasing use of "click-wrap" contracts on websites to which users indicate their adherence by clicking "I agree" (Radin, 2012, pp. 3 & 11). Users may have to click through multiple webpages to review all the terms or, in some jurisdictions, may only be able to review conditions after purchase.
Consumers need not even signal assent, as companies often include a clause that continued use of the product constitutes acceptance of the agreement. "Your continued use of the Product," Nest tells its customers, "is your agreement to this EULA" (Nest, n.d.). Consumers' bargaining power is therefore limited, and companies' capacity to set and interpret rules unilaterally means that the rules set within those agreements become the "law of the platform" (Belli et al., 2017, p. 44). In its EULA, Nest informs its customers that software updates are automatically installed without notice: "You consent to this automatic update. If you do not want such Updates, your remedy is to stop using the Product" (Nest, n.d.).
Even when users have the option of either clicking "I accept" or "I do not accept," the assumption is that individuals are providing informed consent to the agreement. However, people tend not to read corporate policies (Obar & Oeldorf-Hirsch, 2018) and may not even be aware of the rules that govern their use of IoT products (see Helberger, 2016; Manwaring, 2017).
Further, companies have considerable latitude in crafting their policies and reserve the right to change the terms of their licensing agreements without notice to the user (see Tusikov, 2016).
Within their EULAs, companies grant themselves the right to restrict and sanction unwanted behaviour regarding their products and services. IoT manufacturers typically include a clause that gives them the right to terminate users' access to or disable the product itself. Fitbit tells users: "We reserve the right (but are not required) to remove or disable access to the Fitbit Service, any Fitbit Content, or Your Content at any time and without notice, and at our sole discretion" (Fitbit, 2018). Even if the behaviour in question is legal, companies have the discretion to terminate users' access to or disable the product.

POST-PURCHASE REGULATION
IoT companies' private ordering relies upon pervasive surveillance because, for manufacturers of IoT goods, surveillance is a business model (Schneier, 2013) and a regulatory mechanism (see Tusikov, 2019). Monitoring performs two interrelated functions: data collection and processing to enable the operation of IoT products, and customer/device monitoring to detect violations of the licensing agreements.
Smart goods' proper functioning depends on their continual monitoring of their users and environments (see Farkas, 2017). Data-intensive products are features of the "sensor society" in which corporate infrastructures facilitate the mass-scale collection, storage, and processing of sensor-generated data from interactive, networked devices (Andrejevic & Burdon, 2015, p. 21).
The sensor society, or what others term "data capitalism" (West, 2017), "surveillance capitalism" (Zuboff, 2015, 2019) and "platform capitalism" (Srnicek, 2017), accords importance to the control over information, particularly the mass accumulation, storage and processing of data with the goal of sorting populations and discerning patterns in data (Zuboff, 2015, 2019). Implicit within the IoT, then, is the normalisation of pervasive corporate surveillance of smart products and their users (see Andrejevic & Burdon, 2015; Friedland, 2017). An important aspect of IoT surveillance is the intensity of IoT devices' communication with their servers: products can communicate daily or multiple times a day even when the products are not in use (Hill & Mattu, 2018).
The second aspect of surveillance is monitoring technologies that track and control how individuals use certain products to identify unwanted behaviour, which are common features of techno-regulation (see Brownsword, 2008 Zittrain (2008, p. 136) terms "perfect enforcement". For example, when someone uses an internet-connected product, depending on the product type, the software may collect information to authenticate the user or activity, or may scan the device for potential violations to the licensing agreement (see Perzanowski & Schultz, 2016). Samsung, for example, informs its customers that it may "monitor your use of the Samsung+ Service" and "your accounts, content, and communications" to identify any violations of its policies regarding its smart television services (Samsung, 2018).

BRICKING
IoT companies have the capacity to change products' functionality as these companies can install software updates automatically without users' consent or notification. According to Fitbit: "We reserve the right to determine the timing and content of software updates, which may be automatically downloaded and installed by Fitbit products without prior notice to you" (Fitbit, 2018). Customers can agree to the manufacturers' terms, discontinue use of the product or, in some cases, accept decreased device functionality. For instance, the smart-speaker company Sonos announced in 2017 that if users declined to accept an updated privacy policy, their smart sound systems may "cease to function" (Whittaker, 2017 (Samsung, 2016). Once the phones received this update, they ceased to function.
While bricking dangerously substandard or harmful products can be a useful regulatory practice, it is problematic for companies to disable still-functional devices, especially when it is done to further business interests by changing a business model or product line. Traditionally, when a company discontinued a product, consumers could still use functional goods. With smart products, however, when companies cancel a product line or merge business divisions, they may brick existing devices. After Fitbit acquired the Pebble smart watch in December 2016, for example, it announced that it would cease providing software updates to Pebble, a case similar to Nest's bricking of the Revolv smart home system. After a transition period, Fitbit officially ended its software support for Pebble in June 2018 and encouraged Pebble users to adopt Fitbit products and operating system (Fitbit, 2018a).
The cases of bricked devices discussed above underscore the intertwined nature of hardware and software components within the IoT and, particularly, the reliance upon cloud software (see Gürses & van Hoboken, 2018). Smart products' dependence on cloud software services for software updates, as well as data storage, transmission, and analytics means that they are highly susceptible to any software disruption and thus highly regulable by IoT manufacturers. Further, as IoT devices can be networked with each other, such as smart home hubs that bring together home security systems, thermostats, door locks, lights and carbon monoxide detectors, one bricked product can "become a missing link in a larger system" (Lawson, 2016

ASSESSING POST-PURCHASE REGULATION
Smart goods' continual linkage to their manufacturers can provide benefits to both consumers and companies. Easily programmable IoT products can enable consumers to remotely operate certain devices, such as controlling security systems or door locks to permit deliveries or monitor the comings and goings of household inhabitants. A particular advantage is security, as automatic software updates can be a convenient, efficient way to ensure that products receive necessary security upgrades as customers may not reliably install updates (see e.g., Gürses & van Hoboken, 2018). Tethered relationships can also function as "trusted systems" in which "authenticated devices and platforms" deliver particular content or services to users (Graber, 2015, p. 391). Trusted systems, such as Amazon's Echo product line, sell the promise of interoperability and safety to consumers, while enabling companies to retain tight control over the software and hardware (Graber, 2015, p. 391). From a manufacturer's perspective, monitoring how customers use IoT goods is necessary, for example, to ensure the products' software is not infected with malware or verify that only authorised service providers repair the products (see Brass et al., 2017).
Unlike traditional unconnected products, IoT companies may have the capacity to improve smart goods' functionality rapidly and remotely in ways that can benefit their customers. For example, with the approach of Hurricane Irma to the United States in 2017, Tesla remotely upgraded the battery capacity of Tesla vehicles in Florida, without cost to the owners, in order to enable the vehicles to travel greater distances without recharging as part of evacuation efforts (Westbrook, 2017). This free extended battery capacity expired several weeks later unless customers purchased the upgrade.
While these benefits are important, the drawbacks to IoT manufacturers' post-purchase control can be significant as IoT firms can exploit the tethered nature of IoT goods to unilaterally impose their preferred policies without the consent or knowledge of their customers.
Companies' EULAs describe how customers may access and use IoT goods, as well as how the goods may collect and distribute data from customers. IoT companies characterise this data collection as voluntary since users consent, expressly or implicitly, to the monitoring (Friedland, 2017, p. 898). Consumers, however, may not understand the nature or extent of the data collection (see Obar & Oeldorf-Hirsch, 2018). Further, people may not feel that they have a choice in opting out of certain services or products because in order to "access essential technologies, relinquishing control over their personal data is the price they must pay" (Crawford et al., 2014, p. 1670). For example, if landlords install and require tenants to use smart locks, as was the case with a New York City apartment manager, landlords can monitor tenants' visitors and household comings and goings (Ng, 2019).
One of the most serious drawbacks for consumers with regard to post-purchase regulation is manufacturer-imposed restrictions on modifying, refurbishing, or repairing IoT products in what has become known as the "right-to-repair" movement. The right to repair is the "freedom to understand, discuss, repair, and modify the technological devices you own" (Felton, 2013, cited in Samuelson, 2016). In the United States, where the right to repair debate is prominent, 20 states have bills before state legislatures for a broad range of goods with embedded software, from cell phones and common household appliances to farm equipment (Proctor, 2019). The right-to-repair movement argues that consumers should have access to manufacturers' diagnostic software, repair manuals, and service parts, and the ability to choose whether they patronise independent repair shops or those authorised by the IoT company.
Many farmers in the United States are vocal proponents for repairing their tractors themselves or patronising independent repair shops because of the high cost of hauling tractors from rural properties to manufacturer-authorised repair shops (see, e.g., Carolan, 2017). The agricultural equipment manufacturer John Deere and other companies like Apple have been active opponents of the right to repair in the United States, where they have restricted access to product service manuals and diagnostic software, which are essential items for fixing often-complex software-enabled, internet-connected goods (see Raymond, 2014).
Like those of other US companies, John Deere's licensing agreements prohibit its customers from any modification or repair that copies or alters the product's software (see John Deere, 2016, p. 1).
In addition to the legal authority of EULAs, IoT companies can also draw upon copyright law that protects the software embedded within smart goods, and grants copyright owners, typically the IoT manufacturers, the right to set rules relating to the use of software, such as whether the software can be copied or modified (see Perzanowski & Schultz, 2016). IoT companies in the United States employ a particular feature of copyright law, digital rights management, which is a broad set of policies that, among other things, establish the terms of use for the copyrighted content (Kerr, 2007, p. 6). Repair work that violates a manufacturer's prohibition set within digital rights management policies on modifying the smart product's software could constitute copyright infringement in the United States (see Perzanowski & Schultz, 2016). While John Deere may not prosecute farmers for copyright infringement for repairs that alter the tractors' software systems, that possibility, along with the potential loss of the tractor's warranty for violating the company's licensing agreement, enables the company to impose significant post-purchase restrictions.
Through post-purchase control of software-enabled goods, IoT manufacturers can impose their preferred policies that push their customers to purchase the company's branded supplies over the often-cheaper alternatives provided by third parties. Companies have long encouraged or pressured customers to purchase their branded parts or patronise certain authorised suppliers prior to tethered goods. However, through the software linkage between manufacturer and IoT product, IoT companies can "hardwir[e] restrictions on consumer behaviour into our devices" (Perzanowski & Schultz, 2016, p. 123). The coffee maker Keurig, for example, has instituted digital locks, a form of digital rights management, into its branded coffee pods that the Keurig machines authenticate as genuine while rejecting third-party coffee pods (Barrett, 2015). From coffee makers, juicers, and cat litter trays to printer cartridges, a broad range of companies use digital rights management, paired with restrictive licensing agreements to pressure their customers to purchase authorised supplies. Consumers purchasing smart goods thus risk being locked into a manufacturer's proprietary ecosystem where they can find it difficult "to switch to alternative platforms, equipment or services" (Graber, 2015, p. 391). Such anti-competitive practices, which companies reinforce with a threat that non-authorised parts may violate the licensing agreements, raise concerns of monopolistic behaviour that can negatively affect consumers and harm businesses (see Samuelson, 2016).
Corporate surveillance is an integral feature of IoT companies' post-purchase regulation of smart goods. Purchasing a software-enabled product can be "only the beginning of an intimate and potentially long and dynamic relationship" with the IoT company, along with a potential network of third-party software suppliers, "that profile consumers' behaviour and target them with personalised services" (Helberger, 2016, p. 5; see also Gürses & van Hoboken, 2018 and believe" (Irion & Helberger, 2017, p. 170). Further, given the complexity of some IoT devices, more than one corporate actor may be involved in the collection or processing of data, but consumers may be unaware of their involvement or data flows between companies (see Helberger, 2016; Keymolen & Van der Hof, 2019). In order to operate Mattel's interactive Hello Barbie toy, for example, parents must download an app and set up an account from the company ToyTalk that developed the doll's speech-recognition technology (Keymolen & Van der Hof, 2019, p. 7).
IoT devices are designed to accumulate, process, and distribute data as they operate through "always-on, ubiquitous, opportunistic ever-expanding forms of data capture" (Andrejevic & Burdon, 2015, p. 19). IoT companies employ expansive data collection practices in order to operate existing IoT products and develop new products or services. Data collection is thus a speculative activity as the value or use of some data only becomes clear in the future, which poses significant challenges to people's capacity to provide consent to specific data collection practices. Additional challenges are that IoT companies may change their data collection practices without advance notice to users and people may not always be aware of the devices collecting their data (see DeNardis & Raymond, 2017). For example, one individual may install IoT products in the home without informing other family members in order to exert control and intimidate, a common practice in cases of technologically facilitated domestic violence (see Douglas et al., 2019). People can choose not to purchase IoT goods or, where possible, to turn off smart features if these are not integral to the product's functionality. However, in certain industry sectors there is an "increasing 'erosion of choice'" for individuals who prefer non-smart goods as these objects may not be available in the marketplace (Office of the Privacy Commissioner of Canada, 2016, p. 21; see also Manwaring, 2017).
With the increase of smart devices in urban environments, such as those tracking commuters through transit systems, people are also monitored as they move through cities, although these surveillance systems are often largely invisible (see Urquhart & Luger, 2015). Given the pervasiveness of these sensors within many urban environments, people concerned about surveillance may not be able to avoid tracking or opt out of essential services like transportation (see Edwards, 2016; Monahan, 2017).

CONCLUSION
IoT companies' use of licensing agreements constitutes a form of private ordering in which the companies exercise power through their control over software. The tethered nature of these goods makes them highly regulable (Zittrain, 2008), and enables companies to change the terms of use after purchase, or even alter product functionality, which constitutes a powerful form of post-purchase constitutive regulation. Control over smart goods rests with those who control the products' all-important software. Companies can remotely interrupt or manipulate the provision of software updates to IoT goods in order to affect product functionality, and they can do so without the consent or knowledge of their customers. In doing so, IoT companies are fundamentally changing the governance of software-enabled physical objects.
Tethered goods subject to manufacturer-pushed software changes may provide certain benefits. Companies may be able to address security vulnerabilities, software problems, or even device malfunction remotely and rapidly. Consumers may decide that manufacturer-imposed restrictions set within licensing agreements, like those that prohibit unauthorised individuals from repairing the goods, are acceptable. In contrast to farmers fighting for the right to repair their tractors, not everyone has the drive, ability, or interest to tinker with or repair IoT devices. In short, some consumers may decide that for certain products, a licensing model is acceptable in that it provides consumers the ability to use the product under specific conditions set by the manufacturer. Under a licensing model, instead of buying a smart television or smart home security system outright, consumers purchase the use of the television and security system as software-enabled services (see Perzanowski & Schultz, 2016).
A key problem with the licensing model is that consumers do not fully understand the differences between smart and traditionally unconnected products, or the effects of manufacturer-imposed restrictions on IoT products (see Consumers International, 2017; Perzanowski & Schultz, 2016). The US Federal Trade Commission, commenting on consumer misunderstanding in this area, reported that it is unclear whether IoT manufacturers are selling hardware (device), software (service), or both, and it is also unclear whether consumers understand what they are purchasing (Rich, 2016). When hardware and software are interconnected, as they are in IoT devices, consumers are essentially purchasing the hardware outright, but only buying access to the use of the software as defined by the licensing agreement that sets out the manufacturers' restrictions. Software is integral to the full functionality of IoT goods, although some products may still operate, albeit without their smart features, if their software is damaged or disabled. As consumers purchase only the product hardware, while product software remains under the control of manufacturers, ownership of IoT goods can thus be understood as "hybrid" (Keymolen & Van der Hof, 2019, p. 8). Consumers' purchase of IoT goods is a "precarious" form of ownership subject to the discretion of IoT makers who can arbitrarily change conditions after purchase (Tusikov, 2019).
IoT companies' capacity to monitor their users and control the provision of software means that they can enforce their rules at a scale and speed that was previously unfeasible. Bricking, the most extreme form of post-purchase control, underscores companies' capacity to impose their preferred policies unilaterally, automatically, and remotely. Bricking can be an appropriately rapid and effective regulatory practice in cases where products pose significant health and safety risks. However, companies' use of bricking to facilitate commercial interests, such as acquiring or discontinuing a product line, or instituting rules that preference the company's supplies or repair services over those of competitors, raises concerns of anti-competitive behaviour.
While the US Federal Trade Commission did not recommend enforcement action against Nest relating to the bricking of the Revolv hub, the agency warned Nest that its "unilaterally rendering the devices inoperable" could have constituted an "unjustified, substantial consumer injury" that consumers could not "reasonably avoid" (Engle, 2016). IoT companies' practice of deliberately rendering functional IoT devices inoperable without the consent of their customers would appear to violate consumer protection principles regarding misleading marketing practices, unfair contract terms, and the denial of consumers' access to sufficient information for making informed choices about IoT goods (see Manwaring, 2017, p. 268; see also Helberger, 2016). Companies' post-purchase control over IoT goods raises particular challenges in relation to consumer choice as, for example, companies can unilaterally impose restrictions on consumers' use of the product, modify the products' software after sale, and require customers to purchase cloud processing services in order to operate the goods without providing consumers sufficient information about these conditions beforehand (see Manwaring, 2017).
This article's examination of post-purchase regulation highlights the need for further research exploring varieties of post-purchase control across different countries and legal jurisdictions, and examining the diverse array of consumer-oriented IoT products. As well, the benefits and