Not going dark: personal data from the Internet of Things ushers in a golden age for law enforcement

Last week, Privacy News Online wrote about the increasing use of vehicle forensics to solve crimes. These “smartphones on wheels” join a growing list of everyday devices that are becoming “smart” – that is, incorporating powerful computers, often linked to the Internet – and therefore of interest to law enforcement. Recent posts on this blog have noted the privacy issues with Amazon’s Ring products, and smart speakers. More generally, it has been clear for a while now that the Internet of Things poses serious problems in this regard. One issue is “Hyppönen’s law“, which states that “Whenever an appliance is described as being ‘smart’, it’s vulnerable”. The uptake of such “smart” devices therefore provides increased opportunities for their flaws to provide a way for privacy to be compromised.

Another issue concerns the huge amounts of personal data that they gather. A report from the Brennan Center for Justice provides a good summary of how the authorities are accessing that data in order to help them with their work:

The proliferation of connected devices provides expansive opportunities for the government to assemble detailed portraits of people’s lives. Many companies offer entire suites of connected devices: Google sells everything from connected cameras to thermostats and activity trackers to digital assistants, and even offers private security monitoring through its partnership with Brinks. Police can further augment data from connected devices with data collected by their own substantial arsenals of surveillance tools. This type of comprehensive tracking would have been unimaginable before the digital age and eliminates practical limits on surveillance, such as the expense of allocating personnel to engage in 24/7 monitoring.

The increased use of connected devices in people’s lives brings with it a new problem. Where single devices provide only a partial record of a person’s activities, data from multiple Internet of Things systems can be consolidated to provide an extremely detailed picture of what a person is doing, and with whom. This issue will only get worse as more devices are routinely installed in homes.

One of the most troubling aspects of this pervasive surveillance is that it is hard to opt out of it. For example, in some areas, Amazon’s Ring devices watch everything that happens in the locality. Increasingly, that data is available to the local police, sometimes in real time. And yet for the person walking or driving down the street, it is hard to know which houses have Ring devices spying on passers-by, and certainly impossible to avoid being watched where they are. Similarly, if smart speakers are installed in a person’s home, visitors are unavoidably being spied upon, even if it is not evident, and probably not intentional. Overall, this leads to a normalization of surveillance, which becomes a habitual and invisible part of life’s background.

The Brennan Center report runs through the constitutional and statutory protections against such surveillance that are available under US law. In the EU, the GDPR is likely to provide even stronger privacy protections, although this has not yet been tested in the courts. The author of the Brennan Center report, Angel Diaz, has also put together a guide to the use of Internet of Things devices. It includes summaries of how the devices work, who makes them, what kinds of data are collected and how long it is retained. Particularly useful is the listing of possible uses of device data by law enforcement, transparency reports, relevant legal cases, and further reading. Since most readers of this blog will already have a good idea of how such systems work, probably the most valuable part of this resource is the listing of current cases involving Internet of Things devices. One of the most interesting is from 2017, and concerns a Fitbit tracker. As the New York Times reported at the time:

When Connecticut police arrived at the home on the morning of Dec. 23, 2015, Mr. Dabate spoke of a violent struggle with a masked intruder who zip-tied him to a chair, demanded his wallet and credit cards, cut him with a knife and then fatally shot his wife in the basement, according to an arrest warrant.

But over time, the narrative that Mr. Dabate told investigators started to unravel when compared with a timeline pieced together using digital data from the family home, the warrant said. Most importantly, a Fitbit on Ms. Dabate’s waistband recorded that she had walked 1,217 feet around the house during the time her husband said they were being attacked.

It’s clear that Fitbit-like devices provide uniquely valuable information in the case of murder or physical violence against a person. They provide detailed information that can undermine any attempts by a perpetrator to construct alternative explanations of events. The New York Times quotes a prosecutor as saying: “There is far more data out there than we can keep up with.” That’s clearly problematic from a privacy point of view, but it does have one important benefit. It underlines once more why the authorities’ persistent claim that backdoors need to be added to encrypted systems because things are “going dark” is simply untrue. It might even be said that the arrival of the Internet of Things represents a golden age for law enforcement, when they have more data than ever before.

Featured image by Alexei Zverev.