Pervasive legal problems of the Internet of Things and the limits of Law: Russian perspective Текст научной статьи по специальности «СМИ (медиа) и массовые коммуникации»

ПРАВО И СОВРЕМЕННЫЕ ИНФОРМАЦИОННЫЕ ТЕХНОЛОГИИ

VICTOR B. NAUMOV

Institute of State and Law, Russian Academy of Sciences 10, Znamenka str., Moscow 119019, Russian Federation E-mail: nau@russianlaw.net ORCID: 0000-0003-3453-6703

VLADISLAV V. ARKHIPOV

Saint Petersburg State University

7/9, Universitetskaya embankment, Saint Petersburg 199034, Russian Federation E-mail: vladislav.arkhipov@gmail.com ORCID: 0000-0003-4566-1454

PERVASIVE LEGAL PROBLEMS OF THE INTERNET OF THINGS AND THE LIMITS OF LAW: RUSSIAN PERSPECTIVE*

This research has been performed with financial assistance of the Russian Fund for Fundamental Research within the research project No. 18-29-16015 "Complex Research of Legal and Ethical Aspects Connected to the Development and Application of the Artificial Intelligence Systems and Robotics".

The authors give credit to certain core ideas crafted together and express gratitude to G. Pchelintsev, Ya. Chirko and Dentons' team for fruitful

* The research includes certain ideas and provisions reflected in practice-oriented text "Open concept: "Internet of Things: Legal Aspects (Russian Federation") and provides further development of them. See.: (2016). Dentons Develops Russia's First-Ever Whitepaper on the Legal Aspects of the Internet of Things. DENTONS, [online]. Available at: https://www.dentons.com/en/whats-different-about-dentons/connecting-you-to-talented-lawyers-around-the-globe/news/2016/june/ dentons-develops-russias-first-ever-whitepaper-on-the-legal-aspects-of-the-internet-of-things [Accessed 26 December 2018].

discussions related to the topic of this article and kind assistance in refining

certain parts of the wording.

Abstract. The dawn of the era of the Internet of Things (hereinafter, loT) is the perfect time to improve the quality of legal regulation. On the one hand, the development of such regulatory framework is at the start, on the other — as a new "version" of the Internet, it inherits, but reconsiders issues of principles and pervasive problems.

Regulation of the Internet of Things (hereinafter, loT) should evolve, at a minimum, in due regard to the principles of user awareness and freedom of participation in the Internet of Things ecosystem. That being said, further development in this respect would flow through the following "pain points" which can be considered as pervasive problems of the Internet of Things: information as commodity, personal data and privacy, net neutrality, cybersecurity, compatibility and competition, artificial intelligence (hereinafter, AI) and smart contracts, decentralized networks.

In this paper, the IoT is considered as a phenomenon that, overall, is expanding the information space to the world of physical objects, serving as a "bridge" between the different stages of human progress in information society. The IoT is creating new and fundamentally-complex "rules of the game" for the legal system. Technological progress always outpaces the law, yet the law remains one of the most important instruments for the organization of social and economic life, and reasonable compromises are essential. In the future "IoT world" the legal system must provide the basic prerequisites for self-regulation and dispute resolution.

In this regard, while assessing the approaches to regulating the IoT relationships, the authors connect the practical pervasive problems to a broader theoretic context of semantic limits of law in relation to the technological development. The paper suggests dividing the technologies into those of immediate impact that already have convertible social, economic or political value (an approach broadly inspired by T. Parsons), and those that only strive for it, on a case-to-case basis. The former allow reasonable development of law now, while the latter may reasonably allow that in mid- or long-term perspective which could allow flexibility between regulation and incentives for development.

Keywords: Internet of Things, Russian law, information, big data, personal data, privacy, cybersecurity, net neutrality, compatibility, competition, artificial intelligence, smart contracts, peer-to-peer, semantic limits of law, generalized symbolic media

ВИКТОР БОРИСОВИЧ НАУМОВ

Институт государства и права Российской академии наук 119019, Российская Федерация, Москва, ул. Знаменка, д. 10 E-mail: nau@russianlaw.net SPIN-код: 5729-5413 ORCID: 0000-0003-3453-6703

ВЛАДИСЛАВ ВЛАДИМИРОВИЧ АРХИПОВ

Санкт-Петербургский государственный университет 199034, Российская Федерация, Санкт-Петербург, Университетская наб., д. 7/9

E-mail: vladislav.arkhipov@gmail.com SPIN-код: 1715-5893 ORCID: 0000-0003-4566-1454

СКВОЗНЫЕ ПРАВОВЫЕ ПРОБЛЕМЫ ИНТЕРНЕТА ВЕЩЕЙ И ПРЕДЕЛЫ ПРАВА: РОССИЙСКАЯ ПЕРСПЕКТИВА*

Исследование выполнено при финансовой поддержке РФФИ в рамках научного проекта № 18-29-16015 «Комплексное исследование правовых и этических аспектов, связанных с разработкой и применением систем искусственного интеллекта и робототехники».

Авторы отдают должное совместной разработке отдельных ключевых идей и выражают благодарность Г. Пчелинцеву, Я. Чирко и команде Dentons за плодотворные дискуссии, связанные с темой настоящей работы, и любезную помощь в поиске отдельных формулировок.

Аннотация. Начало развития Интернета вещей представляет собой наилучшее время для совершенствования правового регулирования. С одной стороны, развитие такого правового регулирования только начинается, с другой — Ин-

* Исследование включает в себя отдельные идеи и положения, отраженные в ориентированном на практику тексте «Открытая концепция: "Интернет вещей: правовые аспекты (Российская Федерация)"», и основано на их последующем развитии. См.: Dentons разработала первую в России открытую концепцию по правовым аспектам Интернета вещей // Интернет-сайт международной юридической фирмы Dentons. URL: https://www.dentons.com/ru/whats-different-about-dentons/ connecting-you-to-talented-lawyers-around-the-globe/news/2016/june/ dentons-develops-russias-first-ever-whitepaper-on-the-legal-aspects-of-the-internet-of-things (дата о бращения: 24.12.2018).

тернет вещей как новая «версия» Интернета наследует, но переосмысливает известные принципы и сквозные проблемы.

Регулирование Интернета вещей, как минимум, должно развиваться с учетом принципов информированности пользователей и свободного участия в экосистеме Интернета вещей. При этом последующее его развитие будет проходить через следующие «болевые точки», которые могут быть рассмотрены как сквозные проблемы Интернета вещей: информация как товар, персональные данные и неприкосновенность частной жизни, сетевая нейтральность, кибер-безопасность, совместимость и защита конкуренции, искусственный интеллект и смарт-контракты, распределенные сети.

Интернет вещей рассматривается как феномен, который в целом расширяет информационное пространство до мира физических объектов, выступая в качестве «моста» между различными ступенями человеческого развития в информационном обществе. Интернет вещей создает новые и сложные «правила игры» для правовой системы. Технологический прогресс всегда находится на шаг впереди права, однако право остается одним из наиболее важных инструментов организации общественной и экономической жизни. В будущем «мира Интернета вещей» правовая система должна предоставлять базовые условия для саморегулирования и разрешения споров.

Оценивая подходы к регулированию отношений в условиях Интернета вещей, авторы рассматривают сквозные правовые проблемы в более широком теоретическом контексте смысловых (семантических) пределов права в связи с технологическим развитием. В каждом конкретном случае технологии следует разделять на оказывающие непосредственное воздействие на социальные отношения в силу уже имеющейся конвертируемой социальной, экономической и (или) политической ценности (подход, вдохновленный трудами Т. Парсонса) и на те, которые только стремятся к этому. Развитие правового регулирования в первом случае разумно и целесообразно, а во втором остается пространство для гибкого соотношения между регулированием и свободой развития.

Ключевые слова: Интернет вещей, российское право, информация, большие данные, персональные данные, неприкосновенность частной жизни, кибербезопасность, сетевая нейтральность, совместимость, конкуренция, искусственный интеллект, смарт-контракты, пиринговые технологии, смысловые пределы права, обобщенные символические посредники

1. Introduction

The Internet of Things is a phenomenon of modern informational society which has deep impact on how social and economic relationships are structured and, therefore, on the relevant models of legal regulation. Information becomes a commodity, personal data and privacy threats alter, net neutrality obtains new facets, cybersecurity standards are modified, compatibility and competition receive new implications. Legal regulation of informational relationships, being already a difficult matter to tackle, faces challenges of AI and smart

contract implementation. Decentralized networks contest a traditional model of regulatory framework that implies one main player to be regulated. Furthermore, the whole environment of the Internet of Things varies from the preceding context, and shapes ecosystem of user interaction in a way that questions that are more general appear, in particular whether a user shall have certain freedom to avoid participating in transparent technology-driven system of relationships. In this paper we would like to provide a view on high-level legal problems appearing (or re-appearing) in the context of Internet of Things from a perspective of the Russian legal system. After providing a set of tentative definitions, we are going to justify why the problems of jurisprudence are not less relevant to the subject matter and consider new legal challenges one by one.

2. Tentative Definition of the Internet of Things

The term "Internet of Things" has had various definitions. The following general approaches can be taken as examples. First, the IoT may be described as a "global infrastructure for information society providing modern services by way of connecting things (both physically and virtually) on the basis of existing and emerging functionally-compatible information-communication technologies" 1. Second, the IoT can be considered as a "long-term technology and the market development trend based on connecting everyday objects to the Internet. The connected objects share information on their physical surroundings, accumulating and processing this data in order to add value to the services provided to end-users — from private individuals to companies and society as a whole"2. Third, an interpretation is possible where "the Internet of Things means "things" such as devices or sensors, other than computers, tablets or smartphones, which connect, interact or share information with each other or from each other via the Internet"3. Or,

1 See: International Telecommunications Union Recommendation ITU-T Y.2069 (07/2012) Series Y: Global Information Infrastructure, Internet Protocol Aspects and Next-Generation Networks. Next Generation Networks — Framework and Functional Architecture Models. Terms and Definitions for the Internet of Things. Available at: https://www.itu.int/rec/T-REC-Y.2060-201206-I [Accessed 26 December 2018].

2 See: European Commission. Directorate-General for Communications Networks, Content and Technology. Report on the Public Consultation on IoT Governance. 16.01.2013. Available at: https://ec.europa.eu/digital-single-market/en/news/conclusions-internet-things-public-consultation [Accessed 26 December 2018].

3 See: Internet of Things. Privacy & Security in a Connected World. FTC Staff Report. January 2015. Available at: https://www.ftc.gov/system/files/documents/reports/ federal-trade-commission-staff-report-november- 2013-workshop-entitled-internet-things-privacy/150127iotrpt.pdf [Accessed 26 December 2018].

just, fourth, in a way that "the Internet of Things is the informatization of various objects and their inclusion into a single network of networks"4.

The aforesaid list can be continued and supplemented with various other positions. However, let us try to define the necessary minimum of the IoT which would be especially relevant to the aspects of legal regulation. Within the framework of the suggested approach this list would include the following: (a) existence of a wide pool of devices (including, incidentally, more than just the "usual" Internet terminals — personal computers, smartphones, etc.) connected to the Internet, (b) collecting a significant array of data about surrounding environment (including both personal data and other information), as well as the sharing of this information amongst the aforementioned devices, and (c) capability for the automated (without direct human intervention) execution by IoT devices of functions that could have legal implications and consequences for people. Furthermore, the IoT-related "Big Data" category is worth of special mention. Widely-recognized as one of the first sources to describe the unique features of Big Data is the analytical material published by META Group5, in which the authors identified the three key attributes of Big Data: data volume, data processing speed, and data diversity. These attributes were reflected in the definition of Big Data proposed by the European regulatory authority in the area of personal data: "An exponential increase — both at the level of information availability, as well as at the level of information-use automation. In particular, Big Data should be understood to mean gigantic databases controlled by corporations, governments or other large organizations. The information contained in these databases is minutely analyzed with the use of computer algorithms and can be used both for the purposes of identifying general trends and interconnections, as well as for the purposes of influencing the individual subject"6. Therefore, Big Data is one of the factors impacting the legal aspects of the IoT.

4 See: Outlook for the Long-Term Socio-Economic Development of the Russian Federation for the Period Through 2030, drafted by the RF Ministry of Economic Development. The text of the document is available at: http://www.economy.gov.ru [Accessed 26 December 2018].

5 In: Laney, D. (2001). 3D Data Management: Controlling Data Volume, Velocity and Variety. META Group Research Note, 6 [online]. Available at: http://blogs.gartner. com/doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf [Accessed 26 December 2018].

6 See: European Data Protection Supervisor. Opinion 7/2015 Meeting the Challenges of Big Data. A Call for Transperancy, User Control, Data Protection by Design and Accountability. 19 November 2015. Available at: https://secure.edps.europa.eu/EDPSWEB/ webdav/site/mySite/ shared/Documents/Consultation/0pinions/2015/15-11-19_Big_ Data_EN.pdf [Accessed 26 December 2018].

3. Why Legal Aspects of IoT Are Important?

We suppose that the legal aspects are worth to be considered, and today is the right time to do this. Various aspects of the IoT (just as with the Internet as a whole) can be regulated in a number of ways, with the law representing but one of them. In terms of methodology, the approach suggested is not aimed at providing an analysis of the technical and other non-legal means of IoT regulation; rather it focuses specifically on legal means of regulation, as well as on the identification and demonstration of existing problems and contradictions in the legal sphere. Needless to say, as the IoT continues to spread, the legal shortcomings of existing regulation will become increasingly apparent and conflicts and disputes will begin to emerge. The IoT development will entail the adoption of special, general norms aimed at its regulation. The question remains open as to the degree of detail to which IoT relations should be legally regulated — are pinpoint amendments to existing legislation sufficient, or should applicable law be substantially overhauled? We have to note that, while the IoT matters have not yet received proper legislative attention in Russia, the situation is thus not the same for the Western countries. Discussions on these issues are being held at different levels at different agencies, including the European Commission and the U.S. Federal Trade Commission. However, the limitations of this paper do not allow to provide a more detailed account. Nevertheless, we would like to state that known legislative efforts are more aimed towards regulating particular fragments of the IoT landscape, such as self-driving cars or privacy aspects.

In our opinion, the IoT legal regulation should not only (a) establish binding requirements on technologies that could potentially cause harm to human health and safety or be of significance to ensuring the public interest, but also (b) create the necessary prerequisites for self-regulation and the promotion of "best practices". That said, the following legally-significant IoT architectural aspects underpinning the problematics currently under consideration are particularly striking: (1) the IoT entails a sharp increase in the volume and content of technical information that ceases to have predominately-technical significance and allows for the generation of information about actual subjects (identification of subjects); that is, the line between technical information and personal data is being blurred; (2) in the IoT format, the things themselves not only perform their main functions but also automatically accumulate a significant volume of external information — from other Internet-connected things and from the surrounding environment. As a consequence, the gathering of information

rises to a qualitatively-new level; (3) the IoT is changing existing approaches to connectivity between objects and subjects. A new relationship format is emerging: users (organizations) are using more than just computer technologies to interact. The full cycle of relations can be implemented at the IoT-device level without the direct participation of their owners. Further significant changes in the IoT technologies and social relations should be expected in connection with the development of computer intelligence and related technologies; (4) the spread and scaling of IoT-based solutions is creating new challenges and risks associated with unscrupulous and unlawful activity of varying scope, entailing unauthorized access to devices, altering the algorithms of their operation, or the gathering of confidential information about IoT-network subjects. The widespread integration of the IoT devices is increasing these risks by virtue of the growing scale of the possible consequences; (5) with the spread of the IoT-connected devices, problems associated with limited resources in the shaping of an integrated, universal environment for the provision of telecommunications services (inter alia, radio-frequency spectrum), compounded by the connection to this environment of a vast number of the IoT devices, are becoming more pressing. On the whole, the IoT is expanding the information space to the world of physical objects, serving as a "bridge" between the different stages of human progress in information society.

4. Legal Challenges of the IoT

The development of the Internet regulation (prior to the advent of the IoT) has been the consequence of a number of issues that repeatedly come to the fore at different levels of network architecture and in different legal relations. These issues include, inter alia, identifying users, determining jurisdiction, and establishing the liability of information intermediaries (which may have different functions — from ensuring that the Internet infrastructure works properly to distributing copyright objects). These issues rise to a new level in the context of the IoT. For example, while we use the term "information intermediary" as a specific legal term implied in the statutes, we have to admit that implementation of AI in the corresponding technologies affects legal qualification of the corresponding relationships. The problematic of automated actions, distributed networks and processing of intangibles are being updated. The formulation of concepts for IoT regulation, as well as the elaboration of approaches aimed at resolving specific conflicts of law, must be undertaken in due consideration of the following issues (some of which are closely intertwined with existing legal problems

of the regulation of the Internet and information technologies): (1) legal treatment of information, (2) personal data and privacy, (3) neutrality of the Internet of Things, (4) information security, (5) compatibility and fair competition, (6) automated actions, and (7) decentralized networks. This list is not exhaustive, and the authors anticipate its expansion as a result of public discussion. Needless to say, rapid technological development will give rise to new issues — including those that would be impossible to predict today. Nevertheless, the list reflects the authors' opinion as to certain issues that can already be identified in view of today's legal environment.

Worthy of separate mention is the fact that in terms of the regulation of informational relations, the quality of legal engineering is currently substandard. This problem pertains to more than just the IoT and has been widely recognized for quite some time. Nevertheless, it could have a serious impact on both the development of the IoT industry, as well as on the expansion of IoT-related legal issues. The absence of clearly-defined terminology (reflecting the specifics of IoT technologies, the degree to which certain technologies influence private and public interests, the extent of environmental impact) makes it impossible to apply legal norms uniformly, which could violate the rights and legal interests of IoT-system participants.

4.1. Revisiting Legal Principles of the IoT. It would be important to touch base of the fundamental principles of legal regulation. We would like to suggest two of such principles. First, the "principle of awareness". The IoT-service users should be provided with information (be made aware) about what data is being gathered by which devices, how this data is being collected and in what volume, and how and where this data is being stored. In practice, this principle can be implemented using IoT technologies themselves, allowing users, for example, to receive and update such information quickly using QR-codes and similar tools. One potential option entails considering the question of creating an open register of IoT devices and solutions, organized according to the principle of voluntary declaration. The register could contain information about the capabilities of various devices in terms of information gathering and automated connectivity with other devices. Such a register could include elements of self-regulation — for instance, a rating by users and (or) industry representatives of such devices and solutions from the standpoint of their various aspects (for example, information security or the protection of personal data) by way of the reactions of authorized participants, analogous to the well-known "likes" on social media. Another option would be to consider the formation of a system of legally-binding principles that manufacturers would be compelled to observe, and a business environment based on a balance of interests among all the

IoT participants. Both of the aforementioned positions (as well as other possible stances) are subject to further discussion. Furthermore, there can be an option for a system of voluntary certification or accreditation of the IoT devices to increase the degree of confidence in them and their manufacturers. Hereinafter, we have to emphasize that due to the limitations of this paper we have to confine ourselves to consideration of this principles and other aspects at a very high level and mostly in relation to current Russian regulatory landscape. In particular, the principle of awareness is considered more in view of exiting personal data protection legislation. However, the implied problems themselves are much deeper and are connected to more intricate policy considerations.

The second suggested principle is the "principle of free participation in the IoT". We have to emphasize that this principle does not mean freedom to use IoT devices, but rather a right to object to mandatory use of them, or mandatory inclusion into the IoT ecosystem. Despite the fact that the IoT is an objective trend in the development of information society, discrimination cannot be a factor for individuals and organizations if they do not want to immerse themselves fully in the IoT system. It should be acknowledged that de facto, the IoT lowers the level of protection of privacy rights and (or) information confidentiality by virtue of the penetration into many spheres of material life and digitalization of a high volume of data. It would seem that, above and beyond awareness, subjects should be given a real choice as to their participation or non-participation in informational connectivity when using the IoT devices (one assumes that IoT devices will soon become extremely widespread and start to crowd out "unconnected" devices). Aside from the traditional solutions associated with equipment and program settings, this principle could also be implemented by way of innovative IoT solutions preventing, on a legal and anonymous basis, the gathering of information or enabling the flexible, secure and simple control of their functionality. Needless to say, the composition of these principles of the regulation of the IoT-based legal relations is subject to augmentation, in due consideration of public discussion.

Below we would like to provide a brief legal analysis of certain applied legal issues of the IoT as they are perceived from the perspective of the Russian law and general regulatory environment.

4.2. Legal Regime of Information. While the importance and value of information as a commodity is growing (information is bought and sold, there is an information market — including, but not limited to, Big Data), the issue of its legal treatment remains undetermined. While information is already becoming an item of economic turnover, there are currently no adequate

and fully-fledged legal instruments to deal with it. In the first version of the Russian Federation Civil Code of 30 November 1994, information is referenced in Art. 128 as an object of civil-law rights. Thereafter, under Federal Law of 18 December 2006 № 231-FZ "On Putting of the Part Fourth of the Civil Code of the Russian Federation Into Operation", information was stricken from the number of objects of civil-law rights listed in Art. 128 of the RF Civil Code. In its present version, Federal Law of 27 July 2006 № 149-FZ "On Information, Information Technologies and Protection of Information" regulates relations whose subject matter is information and contains a number of dispositive norms that, while generally making it possible to establish rules of information access, are used in real-world transactions (for instance, the provisions of Art. 6 on information owners). That said, from the standpoint of civil law, such relations are viewed, as a rule, either as services or as relations associated with the results of intellectual activity, including databases and know-how. Neither construction, however, conveys the specifics of informational relations, whether in the context of the IoT or in terms of Big Data. In this respect we would like to emphasize that the time has come for the elaboration of an approach envisioning a direct legal construction that would make it possible to define information as the subject matter of civil-legal transactions which comes quite in line with current discussions on returning to the previous approach implying consideration of information as an object of civil rights again.

4.3. Personal Data and Privacy. The context of Big Data itself changes approaches to many principles pertaining to "classic" paradigm of personal data processing, including consent requirements, proportionality and depersonalization7. New technical appliances being developed in the context of the IoT challenge this paradigm as well — from wearable health trackers to "black boxes" in some of the modern cars8. Furthermore, the distinction between personal and technical data is becoming blurred — any device can be linked to its owner and his Internet profile; even if data anonymization

7 The following discussion could be a good example of the topic: Savel'ev, A.I. (2015). Problemy priminenya zakonodatelstva o personalnykh dannykh v epokhu "Bolshykh dannykh" [The Issues of Implementing Legislation on Personal Data in the Era of Big Data]. Pravo. Zhurnal Vyschey Shkoly Ekonomiki [Law. Journal of the Higher School of Economics], (1), pp. 43-66; Arkhipov, V.V. and Naumov, V.B. (2016). The Legal Definition of Personal Data in the Regulatory Environment of the Russian Federation: Between Formal Certainty and Technological Development. Computer Law & Security Review, 32(6), pp. 868-887.

8 In: Peppet, S.R. (2014). Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent. Texas Law Review, 93(1), pp. 85-178.

is declared, in many cases, previously-accumulated information can be used to re-identify the subject. In addition, the need is emerging for the formulation of new principles governing the obtainment by device (application) developers (vendors) of the personal-data subject's consent to the use (processing) of his personal data, inter alia, by all IoT-network participants mediating the functioning of the given user device (application) so that the procedure has no significant impact on the development of IoT technologies. Furthermore, the need is emerging for a new evaluation of existing approaches to the ability of law enforcement agencies and IoT-device manufacturers to engage in the gathering and interception of information on social media, as well as the remote control of IoT devices. On the one hand, under the connectivity of devices on the IoT, the volume of personal data and its sensitivity for private individuals is steadily growing9, on the other — using an additional volume of generated data on the IoT is poised to become a valuable source of information. The capability for the remote control of devices creates separate risks for private individuals, just as for other IoT users. Finally, a market is forming for Big Data, which is essentially serving as the subject matter of transactions. Aside from the issue of the legal treatment of information as an object of legal relations, the extent to which Big Data can be viewed as a commodity in general must be determined.

The Federal Law of 27 July 2006 № 152-FZ "On Personal Data" provides a broad definition of the concept of "personal data" ("any information pertaining, whether directly or indirectly, to an identified of identifiable person," Clause 1, Art. 3). Moreover, it establishes a series of legal requirements governing the processing of personal data, including the need to obtain the consent of the personal data subject aside from a number of exceptions, not all of which are applicable to real-world relations in the IoT context, and also imposes on operators a set of obligations in terms of personal data protection. In this case, IoT issues intersect with Big Data issues. There are well-founded doubts, for example, as to whether in such conditions the principle of personal data processing on the basis of specific and predetermined objectives can be observed, and, objectively speaking, the opportunity to obtain the personal data subject's consent simply does not exist in all cases. The value of personal data anonymization diminishes in situations where it is statistically possible to obtain other "auxiliary" data from numerous additional sources, whose number is steadily growing.

9 In: Savel'ev, A.I. (2015). Problemy priminenya zakonodatelstva o personalnykh dannykh v epokhu "Bolshykh dannykh" [The Issues of Implementing Legislation on Personal Data in the Era of Big Data], pp. 43-66.

Furthermore, the existing regulation of generally-accessible personal data may also be insufficient to meet current requirements. This may sound surprising, but the new EU General Data Protection Regulation (GDPR)10 provides for a quite similar regulatory framework and, therefore, irrespective of intents, seems not to actually reach a goal of reconciling existing privacy approaches with the IoT environment. On a side note, by the way, it would not be correct to assume that GDPR shifts the burden of data protection from the individual subject to the data processors, as the approaches similar to GDPR existed before, at least in some jurisdictions, for instance United Kingdom11. However, it would be correct to say that GDPR raises the role of law enforcement agencies within the European Economic Area and provides a unified regulatory ecosystem for that.

What can be seen as directions to find adequate legal solutions? The development at the official level of an approach based on a balance of interests between the protection of personal data and need for technological progress. Such an approach must be grounded in the principle of the formal certainty of legal norms (currently in question within the framework of personal-data legislation) and reasonable restriction of the concept of personal data in such a way that allows for the consistent and predictable application of applicable norms while protecting the "minimum threshold of privacy rights"12. Interpretation could be built around the idea of positive identification based on the array of data currently at the operator's disposal (partially supported by case law). In the context of the IoT and Big Data, the question is becoming not whether or not to transfer data to a particular operator (Internet resource), but whether or not to transfer data to the Internet as a whole — after such a transfer, data begins to "live its own life," inter alia, via its full or partial accumulation and processing by an indefinite range of devices and systems. The subject's consent can be expressed to the fact of such transfer in general. At the same time, additional workup entails the issue of what to do with data on a specific subject that can be gathered independently of his will (for example, via the placement in public places of

10 See: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation). OJ. L 119. Vol. 59. 4 May 2016. P. 1-88.

11 See: UK Data Protection Act 1998. The text of the document is available at: https://www.legislation.gov.uk/ukpga/1998/29/contents [Accessed: 26 December 2018].

12 Arkhipov, V.V. and Naumov, V.B. (2016). The Legal Definition of Personal Data in the Regulatory Environment of the Russian Federation: Between Formal Certainty and Technological Development, pp. 868-887.

sensors that collect information on all of the subjects in the area). Concerning additional capabilities for law enforcement agencies and manufacturers to gain access to user devices for the purposes of information-gathering or remote control (including "backdoors"), opinions are polarized — from "crypto-anarchism" to an ultra-conservative state-oriented approach. In this context, all solution options require an open search for compromise between various pressure groups and the "weighing" of constitutional principles. Taking the public interest into account is an objective necessity, insofar as the expansion of technological capabilities means the emergence of new opportunities for their abuse. It would be worthwhile to consider the issue of the delineation, aside from personal data, of an additional category of information, the urgent nature of whose protection comes to the fore at the intersection of the IoT and Big Data. At issue is data that is not "personal" in the strict sense of the word, but which — even without identification of the subject — violate privacy rights and (or) other rights and legal interests. Moreover, on the whole, it is impossible to agree with any approach that assumes the total rejection of anonymity in information-telecommunication networks, now encompassing the IoT as well.

4.4. Neutrality of the IoT. The well-known principle of network neutrality assumes that communications networks are open for the exchange of information without discrimination in terms of type and (or) source of traffic. In terms of the "regular" Internet, where the potential for discriminatory preferences in favor of certain content providers depending on the volume of paid services is at issue, such a principle may be justified. In the IoT context, however, there is the issue of particularly "socially-significant" or "economically-significant" traffic associated with "critical" elements (for example, wearable technologies monitoring health status or critically-important industrial Internet). Against this backdrop, it would seem prudent to suggest that exceptions from the principle of neutrality (whose emergence can be logically predicted at this stage) should be both transparent and reasonable. That said, a balance must be observed between the public interest, associated with the functioning of critical elements, and the assurance of fair competition and prevention of abuse. As it pertains to the IoT, this principle could be formulated more broadly — as IoT neutrality and non-discrimination among various IoT devices, as opposed to merely the neutrality of the Internet as a network built on the TCP/IP protocol. in the Russian Federation today, the principle of [network] neutrality is not explicitly regulated. At the same time, this principle is implied by the general norms of current legislation, which also envisions certain restrictions: i.e., the restriction by a communications provider of a subscriber's actions in

the event that said actions pose a threat to the normal functioning of the communications network (Para. 2, Clause 27 of the Rules Governing the Provision of Telematic Communications Services approved by the Decree of the Russian Government of 10 September 2007 No. 575), or the priority use of communications networks by the state authorities in the event of emergencies (Art. 66 of the Federal Law of 7 July 2003 No. 126-FZ "On Telecommunications"). Also worthy of note is the brief Core Document on network neutrality drafted by members of the working group on network neutrality at the RF Federal Anti-Monopoly Service (RF FAS)13. One of the potential directions for legal solution here would be formulation of a principle of the IoT neutrality which, while assuming that exceptions from the principle be reasonable and fair, guards against the possible abuse of such exceptions.

4.5. Information Security. As others mention, "the explosion in the number of smart, connected, and inherently insecure devices is shifting the security paradigm"14. By virtue of its very essence, IoT software necessarily entails certain vulnerabilities that cannot be eliminated in view of economic realities and the level of technical sophistication of the concerned devices. Moreover, there is often no automatic-update function available for the software installed on IoT devices. On the other hand, the availability of such an automatic-update function assumes the capability for the remote control of devices, including by unauthorized parties, which could also lead to serious consequences. This gives rise to the general problem of the quality of devices and related services, as well as the issue of manufacturer liability in this regard. Comprehensive regulation of the information-security system has been evolving in Russia over the past several years. At the same time, it should be noted that the norms of Russian legislation in the area of information security do not as yet contain the comprehensive solutions required in view of the anticipated widespread expansion of the IoT and its significance 15. Most of the regulatory acts in this sphere have differing

13 Available at: http: //fas.gov.ru/documents/documentdetails.html?id=14145 [Accessed 26 December 2018].

14 In: Weber, R.H. and Studer, E. (2016). Cybersecurity in the Internet of Things: Legal Aspects. Computer Law & Security Review, 32(5), pp. 715—728.

15 See, for example: RF Government Regulation of 26 June 1995 № 608 "On the Certification of Information-Security Tools"; FSTEC of Russia Order of 14 March 2014 № 31 "On Approval of the Requirements for Ensuring Information Security in Systems for the Automated Control of Production and Technological Processes at Critically-important Facilities, Potentially Hazardous Facilities, and Facilities Posing an Elevated Level of Danger to Public Health and Safety and Environmental Safety"; RF Government

areas of focus and scopes of regulation. They reflect approaches to ensuring information security that are largely tailored to regulation of the Internet in its present-day form. There are serious doubts as to whether they fully meet the specifications and intended purpose of IoT technologies and devices (in particular, "wearable technologies," self-driving vehicles, other devices designed for personal use) or factor in the unique aspects of the threat to information security posed by IoT software.

Concerning potential directions to elaborate a solution in this regard: amendments should likely be made in cybersecurity legislation which is at the moment aimed at the comprehensive regulation of information-security issues, including devices intended for personal use, in order to determine what should be classified as "critical infrastructure" for IoT purposes within the legal context, and provided that it is compiled in due consideration of international standards and practices in terms of establishing the rights and responsibilities of critical-infrastructure operators, procedures for confirming the compatibility of front-end applications (devices) associated with critical infrastructure, information-security requirements, etc. Furthermore, requirements should be formulated for IoT, API operating systems, other tools for connectivity with the software of IoT devices and user applications, in terms of mandating that such software supports certain information-security standards that ensure the security of information exchange and meets the applicable requirements governing user-authentication procedures. An additional measure might involve a mechanism allowing for device manufacturers to alert users of critical device failures having an impact on their overall level of information security, as well as the responsibility of IoT device manufacturers (application developers) to arrange for the monitoring and support of their products (at least in terms of the elimination of critical faults) throughout the entire lifecycle of the respective products.

4.6. Compatibility and Fair Competition. There is no single standard or well-developed practice for the unrestricted and stable connectivity of various devices. This complicates interaction among IoT subjects which, among other things, has a negative impact on security. A related issue deserving of separate attention is the matter of intellectual-property rights to solutions and protocols pertaining to IoT devices, as is the task of ensuring fair competition in the given field. As of today, coordinated efforts in this area are being made at the level of the International Telecommunications Union (ITU).

Regulation of 16 November 2015 № 1236 "On Establishing a Ban on the Clearance of Software Originating from Foreign States for the Purposes of Engaging in Procurements Intended for the Satisfaction of State and Municipal Needs".

The general provisions of the Law on Fair Competition could potentially be interpreted in the context of this aspect of the IoT (collusion among business entities, prohibition against the abuse of dominant position, etc.). In our view, minimum criteria must be formulated and utilized for the connectivity (compatibility) of devices and applications made by different manufacturers, inter alia, for the purposes of preventing anti-competition practices, encouraging technological progress and guarding against fragmentation. Another option might be to consider compelling manufacturers to provide any third-parties' access to the API of devices and applications, which could also be problematic in terms of ensuring the privacy rights of technology users. It might also be appropriate to propose measures for the presales expert examination of devices in terms of their compatibility (on the basis of minimum requirements governing the compatibility of the IoT devices). Worthy of separate attention in the context of ensuring fair completion is the issue of proprietary technologies.

4.7. Automated Actions and Automated Agreements. Or, in other words, "robots and smart contracts". In the context of the IoT, the issue of the legal qualification of legally-significant automated actions is coming to the fore. The number of interactions among devices occurring without the direct participation of humans is growing, thereby complicating the resolution of issues pertaining to liability for the potential harm and damage caused by such devices. Transactions executed in electronic form or via electronic interaction among devices are expected to become widespread. The blanket nature of device connectivity, coupled with its varying forms of application, requires the expansion and adaptation of rules governing the conclusion of agreements and allowable forms of agreements (human-readable agreements, machine-readable agreements, blocking of the unilateral waiver or modification of obligations, prevention of misleading terms and conditions, protection of the weaker party and adhesion agreements). Fundamental changes will be caused by the advancement of artificial-intelligence (AI) technologies, which elevate the level of autonomy of controlling-software modifications. Here it would be hard to omit the discussions at the European Parliament concerning Civil Law Rules for Robotics16 and recent development on this topic in Russia, including those made by the authors, which are quite in line with theories developed for other jurisdictions based on close principles which imply, for

16 See: European Parliament. Committee on Legal Affairs. Draft Report with recommendations to the Commission on Civil Law on Robotics (2015/2013(INL). Available at: http://www.europarl.europa.eu/sides/getDoc.do?pubRef=//EP//NONSG ML%2BCOMPARL%2BPE-582.443%2B01%2BDOC%2BPDF%2BV0//EN [Accessed 26 December 2018].

example, application of civil doctrine concepts related to declarations of intent in the area of "electronic agents"17. Blockchain technology18 is poised to play a key role in the conclusion and performance of agreements executed in electronic form, insofar as it creates a trusted execution environment (TEE) for the consolidation of contractual terms, recording of obligation performance and indexing of rights (both to electronic items, as well as to physical objects). The conclusion of transactions and transfer of ownership rights under their execution, inter alia — to physical objects, could be performed by algorithms constructed by humans but with a minimum of their direct participation or without such direct participation at all. Furthermore, TEE creates an environment where next level of cybersecurity and privacy protection is apparently possible19.

Existing law contains certain special constructions aimed, to a certain extent, at automated actions, such as Art. 498 of the RF Civil Code on the retail sale of goods via the use of automated terminals. The number of such norms is critically low. Separate norms are only indirectly associated with automated actions, such as the norms envisioned by the Law on Information and the RF Civil Code which, whether explicitly or implicitly, regulate legal relations featuring the participation of information intermediaries. At the same time, within the IoT, automated actions are rising to a new level where, among other things, the format for interaction between subjects and objects is changing. A sizeable share of legal relations in this area are fundamentally beyond the scope of even the most general norms of existing legislation, which could lead to unpredictable regulatory enforcement. In the sphere of consumer relations, it is impossible to exclude significant conflicts between real-world practice and the requirements of the Law on Consumer Protection. The situation is made all the more complicated by the fact that jurisdictional issues are gaining newfound prominence against the backdrop of the IoT, which calls into question the possibility of their resolution on

17 In: Wettig, S. and Zehender, E. (2004). A Legal Analysis of Human and Electronic Agents. Artificial Intelligence and Law, 12(1—2), pp. 111—135.

18 As it becomes now a common knowledge, in broad strokes, the term "Blockchain" is currently used to denote a distributed database that contains a history of entries on all manner of transactions in the broadest sense of the word and which, by virtue of its architecture, includes "natural protection" against fraud and abuse. One example of Blockchain use — crypto-currency. Over the long-term, discussions are centering on the use of this technology in a wide array of fields, from jurisprudence to management, and the topic merits separate analysis.

19 In: Kshetri, N. (2017). Blockchain's Roles in Strengthening Cybersecurity and Protecting Privacy. Telecommunications Policy, 41(10), pp. 1027—1038.

the basis of classical approaches (including concepts of the operation of law in space and in terms of the range of concerned parties, determination of applicable law and location of action execution, determination of disputeresolution venue). Existing legal instruments aimed at the conclusion of transactions in electronic form were developed, in the best-case scenario, in the context of Internet format Web 1.0, with minor adaptations for Web 2.0. Direct regulation is limited to the provisions of the RF Civil Code on transactions and agreements. To a significant extent, a number of the general norms envisioned by the Law on Electronic Signature allow for the possibility of self-regulation, but nevertheless fail to exclude the necessity of seeking recourse to real-world and direct contact among subjects at certain stages, which could hinder the development of the automated-agreement system. For the purposes of this discussion we intentionally exclude consideration of "using" of electronic signatures by "robots" because this matter heavily depends on whether a "robot" is considered as legal subject or not (if not, then "robot" is not "using" electronic signature, but human or legal entity in the background do). Equally, at this stage we do not believe that smart-contracts are "contracts" in legal meaning, but rather a method of executing contracts in the latter sense which are more logical concepts than facts. In any case, this discussion goes far beyond the purposes of this paper and its limitations.

As regards directions for solutions which could be suggested, it is necessary to determine the jurisdiction applicable to the activities (legal relations) of IoT participants (in all senses, including the operation of law in space and in terms of the range of concerned parties, determination of applicable law, determination of dispute-resolution venue). Moreover, it is essential to determine the legal status and provide a clear definition of IoT operators (in view of the fact that the majority of IoT operators will in some capacity serve as information intermediaries), as well as to analyze existing legislation on information intermediaries in order to formulate a reasonable and balanced approach to the thresholds of their liability within the context of the IoT. Then, the popularization and broad application of automated agreements will rest on the formulation of the formal languages capable of describing such agreements. On the one hand, this task is closely aligned with self-regulation, while on the other, in view of the weighty role played by the state in the economy, it could reasonably be assumed that the state might be interested in standardizing approaches to the description of automated agreements (to formal languages). The use of formal languages requires a review of existing approaches to norms governing the form of agreements, interpretation of agreements, and the regulation of fraud and error issues in

the course of agreement conclusion, as well as to the contesting of agreement forms — clearly, rules will be required that clarify a person's ability to reliably familiarize themselves with the texts of the documents and conduct negotiations. Case law, or the regulator, will need to formulate approaches to distinguishing between the identity of programming codes and agreements. Ensuring the opportunity for IoT development will require the clarification of key institutions of civil law, including the concept of obligation, the securing of obligation performance, as well as the definition of fault and liability for breach of performance. These institutions will need to be adjusted in order to ensure party balance in terms of obligations, as well as for the purposes of protecting the weaker party. Excessive regulation of substantive issues will slow commerce and impede growth in the accessibility of the resources, services and benefits offered by the IoT. Automated agreements will clearly feature the broad use of Blockchain technology. In this respect, legislators will need to resolve the issues associated with the use of private Blockchain and validity of agreements, especially in view of existing principles of civil law such as principle of freedom of agreement and that of the choice of contractual form. This aspect also calls for re-consideration of electronic data interchange from the standpoint of genuine legal doctrine. Moreover, it would be prudent to expect the expansion of private registers of various types of property based on Blockchain technology — as well as the attempt by legislators to regulate the activities of such registers for the purposes of preventing abuse. This aspect would likely have more implications than expected, and they would closely intertwine with other challenges. Apparently, Blockchain technology makes it difficult to comply with the data subject rights (including the "right to be forgotten") as envisaged by privacy laws20. Discussions on smart contracts develop rapidly giving rise to very brave, but potentially correct, projections of the future21.

4.8. Decentralized Networks. Decentralized (peer-to-peer, single-rank) networks are already a well-known technology, one whose significance is steadily climbing in the contemplated IoT realities. A prime example of this technology is Blockchain. The urgency of information-security issues is prompting the need for a modification of existing regulation in terms of

20 In: Meyer, D. (2018). Blockchain Technology is on a Collision Course with EU Privacy Law. The Privacy Advisor. [online]. Available at: https://iapp.org/news/a/ blockchain-technology-is-on-a-collision-course-with-eu-privacy-law/ [Accessed 26 December 2018].

21 In: Savelyev, A. (2017). Contract Law 2.0: 'Smart' Contracts as the Beginning of the End of Classic Contract Law. Information & Communications Technology Law, 26(2), pp. 116-134.

the creation, use and (or) export/import of devices into the IoT, insofar as this will entail the expanded use of encryption tools. Existing legislation and current approaches to its interpretation scarcely allow for the consistent application of legal norms to any legal relations evolving within the scope of decentralized networks. From the legal standpoint, the issue boils down to the particularities of the functions performed by the various nodes of such networks. While the technical side of legal relations might be clear, for legal purposes, a picture of participants is emerging in which each plays an active role, and frequently — a picture assuming one form of regulation or the other. Some well-known examples: torrent trackers, in which each "sharing" participant is automatically viewed as a content distributor, with all of the ensuing consequences; in the case of crypto-currency22 like Bitcoin, each operator of a network node — from the standpoint of classical legal approaches — can be viewed as an "issuer." Anticipated growth in the use of decentralized networks, in both the private and public sectors, requires changing approaches to existing legislation which, in the majority of today's cases, has no capacity, a priori, for consistent application to distributed networks. As a suggested direction for solution, what can be suggested is formulation of a new legal approach tailored to the structure of distributed networks and reflecting its decentralized nature, assuming the absence of any set "decision-making center" on which liability could be imposed in the event of a bad-case scenario. The key task — avoiding a situation in which a comprehensive set of obligations could be imposed on each of the independent and inter-coordinating network nodes as if it were the sole "decision-making center," insofar as such a situation would be absurd and render regulatory-enforcement decisions impossible to execute. The need is emerging for the establishment (under self-regulation or at the standards level) of general rules that would broadly cover all participants of the respective legal relations within the scope of a decentralized network.

5. Semantic Limits of Law as the Basis for Methodology of Development

The text above provides a comprehensive overview of multi-faceted legal aspects of the IoT, and it well can be argued that there is much more problems rather than solutions at the current stage of development. A large number of

22 For an up-to-date doctrinal analysis of the cryptocurrencies qualification see e.g.: Savelyev, A.I. (2017). Kryptovalyuty v systeme obyektov grazhdanskikh prav [Cryptocurrencies in the System of Civil Law Objects]. Zakon [Law], (8), pp. 136-153.

approaches that are directly or indirectly relevant to the issue of amending of the legislation to cope with the legal problems of digital environment are being developed in the course of implementation of the Programme "Digital Economy of the Russian Federation" approved by the Decree of the RF Government of 28 July 2017 No. 1632-p. Yet, these discussions have a pervasive problem of its own: whether certain areas of relationships in innovative technical area do indeed require regulation at this stage, or it is too soon and additional regulations may negatively affect technical progress based on freedom of experiment and development (within the limits of common sense, of course). We believe that a new broad theoretical approach based on the concept of semantic limits of law that have certain grain of fundamental sociology, would be of particular relevance to this issue23.

The core idea of the theory of semantic limits of law is based on an assumption that at the current stage of development of information society it is especially sensitive to draw a separation line between the area where it is reasonable to apply existing laws and regulations, or develop the new ones, and the area where it is [yet] absurd. This idea has been developed based on emerging phenomena of modern information society, such as quality changes in the information relationships between human beings, which challenge more and more common sense of legal interpretation (in case of application of law) and legislative drafting (in case of development of regulatory models). By way of example, the legislators recently faced necessity to introduce exclusions from application of the norms aimed to restrict dissemination of certain kinds of information in the Internet by the criterion of artistic fiction24. The same relates to the discussions and cases relevant to the issue of

23 The interdisciplinary concept and theory of semantic (logical) limits of law is being currently developed by V.V. Arkhipov as a part of his doctoral research, and, in addition to earlier development, has been recently shared in a high-level yet comprehensive way at the Conference of Saint Petersburg State University "Creative Heritage of Leon Petrazycki: History and Modernity (to the 150th Anniversary)" in December 2017, the Conference of the Institute of State and Law of the Russian Academy of Sciences "Informational Space: Ensuring of Informational Security and Law" in February 2018, and the Conference of the Institute of Sociology of the Russian Academy of Sciences "Computer Games: Cultural Interfaces and Social Interactions" in October 2018. The comprehensive outline of the general provisions describing the methodology and implementation of this approach are expected to be published in 2019. For the avoidance of doubt, this Section 5 of the paper is developed and prepared by V.V. Arkhipov as his exclusive contribution to the paper in continuation of creative discussions with V.B. Naumov on various ways to apply the concept in practice.

24 E.g. the Order of Roskomnadzor No. 83, MVD RF No. 292, Rospotrebnadzor No. 351 and FNS RF No. MMB-7-2/461 of 18 May 2017 makes this kind of exclusion in several instances, e.g. in respect of such restricted kind of the information as the

applicability of "real" property laws to "virtual" environment of multiplayer games, possibility of raising legal claims by individuals who have unwillingly acted as prototypes for fictional characters in creative works, and may other cases where, metaphorically speaking, the realms of imagination and hard reality collide. What is worth noting in this context, it that these realms collide not only in rather narrow albeit important area of art and culture, but in any case where something new and creative is developed in quite a "serious" context — even the theory of inventive problems solving, so relevant to the IoT solutions, is heavily based on creative imagination. Now, this problem area can equally be attributed to the challenging question of developing new laws and regulations, since here we face the same question of whether it is yet appropriate to regulate innovative things such as smart robots with quasi-legal capacity, or piloted flights to Mars or something which can be seen as absurd at the moment, but then can become quite real. What law requires is more or less definite and quantifiable criterion to identify whether it is time to regulate something.

In this regard, the theory of semantic limits of law (where "semantic" implies the limits drawn not by territory or subjects, or even by morality 25,but by common sense constituting shared social reality in terminology of social constructivism26), suggests two fundamental criteria. The first one is structural adequacy of the object to be regulated to the core meaning of a legal norm, or would-be legal norm. This approach is consonant to the theory of isomorphic truth in logic27 with a reservation that such theory retains applicability even in post-classic scientific paradigm because we now speak just of artificially closed universum of meanings relevant to conventional legal reality and not to reality in general. In order to satisfy this first requirement, there initially should be something to regulate, however apparent this may sound. I.e. it would be absurd to regulate smart contracts before any smart contracts exist. However, even if there are some

information which portrays those who develop illegal drugs in a positive way (see Item 2.1.6 of the Order), presumably taking into an account fictional "Breaking Bad" film series.

25 This is what is mostly understood at the moment by the concept of the "limits of law". In: Stanton-Ife, J. (2016). The Limits of Law. In: E.N. Zalta, ed. The Stanford Encyclopedia of Philosophy. [online]. Available at: https://plato.stanford.edu/entries/law-limits/ [Accessed 26 December 2018].

26 In: Berger, P.L. and Luckmann, T. (1966). The Social Construction of Reality: A Treatise in the Sociology of Knowledge. London: Penguin Books.

27 In: Marian, D. (2016). The Correspondence Theory of Truth. In: E.N. Zalta, ed. The Stanford Encyclopedia ofPhilosophy. [online]. Available at: https://plato.stanford.edu/ entries/truth-correspondence/#6 [Accessed 26 December 2018].

smart contracts, it may still not be the proper time to develop any new legislation. Here the second criterion comes in play which can roughly be described in a way that certain relationships became so "serious" that they could reasonably be regulated (from common sense perspective, law does not deal with the "unserious"). This requires additional clarification, because it is now needed to explain what may be "serious" for the purposes of existing and would-be legal regulation. In order to resolve this issue, the concept of semantic limits of law has to call for certain ideas from theoretic sociology.

As the basic idea to explain what is worthy of legal regulation and what is not, we can refer to the concept of "generalized symbolic medium" initially suggested by one of the key authors in sociology T. Parsons and further developed by N. Luhmann and J. Habermas 28. "Generalized symbolic medium" is a term referring to any token that has certain value in terms of social, economic, political and/or legal impact. According to T. Parsons, the general social system comprises of four sub-systems which may roughly be labelled as political (the function of defining purposes), economic (the function of adaptation), legal (the function of integration) and cultural (the function of reproduction). Each of these sub-systems has its own "generalized symbolic medium". Such media are "generalized" and "symbolic" for the reason that they are detached from real and tangible value, but are perceived as a token of such value right in the same manner as a token in cryptocurrency system represents monetary value. The history of their development implies the way from hard reality to high abstractions. E.g. in economic subsystem, at first, there was barter, then there was exchange of some tangible representation of value, then gold or similar coins, then the banknotes and, in course of further development, we have arrived to highly abstract yet tradable financial commitments. In a similar way, political power can now be seen a generalized symbolic medium of monopoly on physical violence, and it has also come a long way from direct coercion to highly abstract democratic institution29. So is true for influence as a third

28 For more detailed account please refer to: Johnson, H.M. (1973). The Generalized Symbolic Media in Parsons' Theory. Sociology & Social Research, 57(2), pp. 208—221; Chernilo, D. (2002). The Theorization of Social Co-Ordinations in Differentiated Societies: The Theory of Generalized Symbolic Media in Parsons, Luhmann and Habermas. British Journal of Sociology, 53(3), pp. 431—449; Turner, T.S. (1968). Parsons' Concept of "Generalized Media of Social Interaction" and its Relevance for Social Anthropology. Sociological Inquiry, 38(2), pp. 121—134.

29 In: Turner, B.S. (1991). Preface to the New Edition. In: Parsons, T. The Social System. London: Routledge, p. xix.

possible generalized symbolic medium identified in the relevant papers so far. However, Parsons' approach can be elaborated even further, since the core idea of the generalized symbolic media is that they are convertible into each other in sociological sense — e.g. money can be converted into power, influence can be converted into money and so on — just as various types of monetary currency can be converted into each other30.However, how this can be related to the second requirement for logical applicability or development of laws and regulations? The conclusion is that if the object of certain social relationship is not only "real" (first criterion of structural adequacy), but also represents a convertible social value, whether it refers, directly or indirectly, to monetary value, political power or influence, it is reasonable to apply legal norms to it, or to shape new norms with such object of relationships to be regulated.

There can be borderline cases, but this approach already provides us with a quantifiable instrument to assess the reasonableness of developing new regulatory framework in many areas, and the IoT is not an exclusion. Based in the theory of semantic limits of law that operates with two of the previously mentioned requirements, it is possible to assess what can already be included into the scope of new regulation and what should wait. Of course, this would require economic and/or other empirical research to make grounded conclusions in each particular area. However, we already can suggest a few hypotheses in the area of the IoT, and now such hypotheses would have rational explanation in view of the methodology described above. In particular, the IoT environment itself (as interconnected ecosystem deeply and in a comprehensive way dispersed through common social reality) as a potential object of regulation as a whole seems to be slightly out of context at the moment because it does not yet constitute. At the same time, the principles of IoT may already be subject to regulation because, even though the IoT has not yet shaped universal ecosystem, particular devices and structures of interaction become more and more common (and therefore they start to attain the value of social, economic or political capital). Legal regime of information and personal data are very likely impactful enough to be regulated now because they refer to quite recognizable values, whether from economic or other perspective. So is true for the IoT neutrality aspects, informational security, compatibility

30 For a good and concise description of it see e.g. Shmachkova, T.V., ed. (2008). Politologiya [Political Science]. Moscow: Moskovskii gosudarstvennyi institut mezhdunarodnykh otnoshenii (Universitet) MID Rossii; TK Velby; Prospekt Publ., pp. 75-77.

and fair competition. Automated actions, automated agreements and decentralized networks shall be considered on a case-to-case basis, depending on particular technology or practice in question. For instance, it would be reasonable to consider developments in regulation of particular aspects of civil law liability, but it is yet too early to develop regulatory framework for legally capable smart robots. This hypothetical assessment may vary depending on the jurisdiction and specific status of technological development. One of the benefits of this methodology is that it could allow finding proper argumentation to argue grounds for areas that do not yet require imposing of particular restrictions so that development incentives could be appropriately supported.

6. Conclusion

In this paper the IoT has been considered as a phenomenon which, on the whole, is expanding the information space to the world of physical objects, serving as a "bridge" between the different stages of human progress in information society. This shapes the landscape of legal challenges perceived from the perspective of the Russian law as discussed in the corresponding sections of the paper above. In conclusion of this high-level analysis of the legal issues, we would like to note that the IoT is creating new and fundamentally-complex "rules of the game" for the legal system. The classical and as-yet unresolved legal issues of the Internet (including user identification, the legal status of information intermediaries, and issues associated with the determination of jurisdiction) are evolving and intensifying at this stage in the development of information society. Gaining particular urgency are issues related to the legal treatment of information, the processing of personal data and privacy rights, network neutrality and information security. A new area is emerging for the discussion of device compatibility — an issue whose social and economic importance is gaining a new dimension. Problems of automated actions and distributed networks are becoming more pronounced. Automated agreements are making it necessary to take a fresh look at classical legal institutions of contract law. This is but one aspect of the legal issues coming to the fore in the context of the IoT (as well as in the era of Big Data). Considerable overlap between the law and technical regulation exists in other areas as well (although this largely pertains to the determination of substantive technological requirements), including the distribution of radio-frequency spectrum and technological regulation as a whole. Technological progress always outpaces the law, yet the law remains one of the most important instruments for the organization

of social and economic life, and reasonable compromises are essential. In the future "IoT world" the legal system must provide the basic prerequisites for self-regulation and dispute resolution.

REFERENCES

Arkhipov, V.V. and Naumov, V.B. (2016). The Legal Definition of Personal Data in the Regulatory Environment of the Russian Federation: Between Formal Certainty and Technological Development. Computer Law & Security Review, 32(6), pp. 868—887. DOI: 10.1016/j.clsr.2016.07.009

Berger, P.L. and Luckmann, T. (1966). The Social Construction of Reality: A Treatise in the Sociology of Knowledge. London: Penguin Books.

Chernilo, D. (2002). The Theorization of Social Co-Ordinations in Differentiated Societies: The Theory of Generalized Symbolic Media in Parsons, Luh-mann and Habermas. British Journal of Sociology, 53(3), pp. 431—449. DOI: 10.1080/0007131022000000581

Johnson, H.M. (1973). The Generalized Symbolic Media in Parsons' Theory. Sociology & Social Research, 57(2), pp. 208—221.

Kshetri, N. (2017). Blockchain's Roles in Strengthening Cybersecurity and Protecting Privacy. Telecommunications Policy, 41(10), pp. 1027—1038. DOI: 10.1016/j. telpol.2017.09.003

Laney, D. (2001). 3D Data Management: Controlling Data Volume, Velocity and Variety. META Group Research Note, [online] 6. Available at: http://blogs.gartner.com/ doug-laney/files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf [Accessed 26 December 2018].

Marian, D. (2016). The Correspondence Theory of Truth. In: E.N. Zalta, ed. The Stanford Encyclopedia of Philosophy. [online]. Available at: https://plato.stanford.edu/ entries/truth-correspondence/#6 [Accessed 26 December 2018].

Meyer, D. (2018). Blockchain Technology is on a Collision Course with EU Privacy Law. The Privacy Advisor. [online]. Available at: https://iapp.org/news/a/blockchain-technology-is-on-a-collision-course-with-eu-privacy-law/ [Accessed 26 December 2018].

Peppet, S.R. (2014). Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent. Texas Law Review, 93(1), pp. 85-178.

Savel'ev, A.I. (2015). Problemy priminenya zakonodatelstva o personalnykh dannykh v epokhu "Bolshykh dannykh" [The Issues of Implementing Legislation on Personal Data in the Era of Big Data]. Pravo. Zhurnal Vyschey Shkoly Ekonomiki [Law. Journal of the Higher School of Economics], (1), pp. 43-66. (in Russ.).

Savelyev, A. (2017). Contract Law 2.0: 'Smart' Contracts as the Beginning of the End of Classic Contract Law. Information & Communications Technology Law, 26(2), pp. 116-134. DOI: 10.1080/13600834.2017.1301036

Savelyev, A.I. (2017). Kryptovalyuty v systeme obyektov grazhdanskikh prav [Crypto-currencies in the System of Civil Law Objects]. Zakon [Law], (8), pp. 136-153. (in Russ.).

Shmachkova, T.V., ed. (2008). Politologiya [Political Science]. Moscow: Moskovskii gosudarstvennyi institut mezhdunarodnykh otnoshenii (Universitet) MID Rossii; TK Vel-by; Prospekt Publ. (in Russ.).

Stanton-Ife, J. (2016). The Limits of Law. In: E.N. Zalta, ed. The Stanford Encyclopedia of Philosophy. [online]. Available at: https://plato.stanford.edu/entries/law-limits/ [Accessed 26 December 2018].

Turner, B.S. (1991). Preface to the New Edition. In: Parsons, T. The Social System. London: Routledge, pp. xiii-xxx.

Turner, T.S. (1968). Parsons' Concept of "Generalized Media of Social Interaction" and its Relevance for Social Anthropology. Sociological Inquiry, 38(2), pp. 121—134. DOI: 10.1111/j.1475-682X.1968.tb00678.x

Weber, R.H. and Studer, E. (2016). Cybersecurity in the Internet of Things: Legal Aspects. Computer Law & Security Review, 32(5), pp. 715—728. DOI: 10.1016/j. clsr.2016.07.002

Wettig, S. and Zehender, E. (2004). A Legal Analysis of Human and Electronic Agents. Artificial Intelligence and Law, 12(1-2), pp. 111-135. DOI: 10.1007/s10506-004-0815-8

БИБЛИОГРАФИЧЕСКИЙСПИСОК

Политология / Науч. ред. Т.В. Шмачкова. М.: Московский государственный институт международных отношений (Университет) МИД России; ТК Велби; Изд-во Проспект, 2008.

Савельев А.И. Криптовалюты в системе объектов гражданских прав // Закон. 2017. № 8. С. 136-153.

Савельев А.И. Проблемы применения законодательства о персональных данных в эпоху «Больших данных» (Big Data) // Право. Журнал Высшей школы экономики. 2015. № 1. С. 43-66.

Arkhipov V.V., Naumov V.B. The Legal Definition of Personal Data in the Regulatory Environment of the Russian Federation: Between Formal Certainty and Technological Development // Computer Law & Security Review. 2016. Vol. 32. Iss. 6. P. 868-887. DOI: 10.1016/j.clsr.2016.07.009

Berger P.L., Luckmann T. The Social Construction of Reality: A Treatise in the Sociology of Knowledge. London: Penguin Books, 1966.

Chernilo D. (2002). The Theorization of Social Co-Ordinations in Differentiated Societies: The Theory of Generalized Symbolic Media in Parsons, Luhmann and Habermas // British Journal of Sociology. 2002. Vol. 53. No 3. P. 431-449. DOI: 10.1080/0007131022000000581

Johnson H.M. The Generalized Symbolic Media in Parsons' Theory // Sociology & Social Research. Vol. 57. No 2. P. 208-221.

Kshetri N. Blockchain's Roles in Strengthening Cybersecurity and Protecting Privacy // Telecommunications Policy. 2017. Vol. 41. Iss. 10. P. 1027-1038. DOI: 10.1016/j. telpol.2017.09.003

Laney D. 3D Data Management: Controlling Data Volume, Velocity and Variety // META Group Research Note. 2001. Vol. 6. URL: http://blogs.gartner.com/doug-laney/

files/2012/01/ad949-3D-Data-Management-Controlling-Data-Volume-Velocity-and-Variety.pdf (дата обращения: 26.12.2018).

Marian D. The Correspondence Theory of Truth // The Stanford Encyclopedia of Philosophy / Ed. by E.N. Zalta. 2016. URL: https://plato.stanford.edu/entries/truth-correspondence/#6 (дата обращения: 26.12. 2018).

Meyer D. Blockchain Technology is on a Collision Course with EU Privacy Law // The Privacy Advisor. 2018. URL: https://iapp.org/news/a/blockchain-technology-is-on-a-collision-course-with-eu-privacy-law/ (дата обращения: 26.12. 2018).

Peppet S.R. Regulating the Internet of Things: First Steps Toward Managing Discrimination, Privacy, Security, and Consent // Texas Law Review. 2014. Vol. 93. Iss. 1. P. 85-178.

SavelyevA. Contract Law 2.0: 'Smart' Contracts as the Beginning of the End of Classic Contract Law // Information & Communications Technology Law. 2017. Vol. 26. Iss. 2. P. 116-134. DOI: 10.1080/13600834.2017.1301036

Stanton -Ife J. The Limits of Law // The Stanford Encyclopedia of Philosophy / Ed. by E.N. Zalta. 2016. URL: https://plato.stanford.edu/entries/law-limits/ (дата обращения: 26.12. 2018).

Turner B.S. Preface to the New Edition // Parsons T. The Social System. London: Routledge. 1991. P. xiii-xxx.

Turner T.S. Parsons' Concept of "Generalized Media of Social Interaction" and its Relevance for Social Anthropology // Sociological Inquiry. 1968. Vol. 38. Iss. 2. P. 121-134. DOI: 10.1111/j.1475-682X.1968.tb00678.x

Weber R.H., Studer E. Cybersecurity in the Internet of Things: Legal Aspects // Computer Law & Security Review. 2016. Vol. 32. No 5. P. 715-728. DOI: 10.1016/j. clsr.2016.07.002

Wettig S., Zehender E. A Legal Analysis of Human and Electronic Agents // Artificial Intelligence and Law. 2004. Vol. 12. Iss. 1-2. P. 111-135. DOI: 10.1007/s10506-004-0815-8

AUTHORS' INFO:

Victor B. Naumov — Candidate of Legal Sciences, Senior Research Fellow of the Information Law and International Information Security Department, Institute of State and Law, Russian Academy of Sciences, Partner of the International Law Firm Dentons.

Vladislav V. Arkhipov — Candidate of Legal Sciences, Associate Professor of the Department of Theory and History of State and Law, Saint Petersburg State University, Counsel of the International Law Firm Dentons.

СВЕДЕНИЯ ОБ АВТОРАХ:

Наумов Виктор Борисович — кандидат юридических наук, старший научный сотрудник сектора информационного права и международной информационной безопасности Института государства и права РАН, партнер международной юридической фирмы Dentons.

Архипов Владислав Владимирович — кандидат юридических наук, доцент кафедры теории и истории государства и права Санкт-Петербургского государственного университета, советник международной юридической фирмы Dentons.

CITATION:

Arkhipov, V.V. and Naumov, V.B. (2018). Pervasive Legal Problems of the Internet of Things and the Limits of Law: Russian Perspective. Trudy Instituta gosudarstva i prava RAN — Proceedings of the Institute of State and Law of the RAS, 13(6), pp. 94-123.

ДЛЯ ЦИТИРОВАНИЯ:

Архипов В.В., Наумов В.Б. Сквозные правовые проблемы Интернета вещей и пределы права: российская перспектива // Труды Института государства и права РАН / Proceedings of the Institute of State and Law of the RAS. 2018. Том 13. № 6. С. 94-123.