We live in a time when our devices are so ingrained in our everyday lives that many of us could hardly imagine living without the convenience and utility that they afford us. Indeed, smart devices have already demonstrated a capability to fundamentally transform how we interact with the world around us. They are our personal assistants, there for us day and night, whenever we need to call on them. They are our fitness coaches, keeping us accountable and pushing us to reach our goals. They can even be our lifesavers, implanted in our bodies and automatically alerting us or our doctors if their monitoring sensors detect any potentially life-threatening abnormalities.
The blanket term for these internet-connected smart devices is commonly referred to as the Internet of Things (IoT), and the IoT movement is one which is already fully in motion and is only continuing to gain steam. While they are unquestionably convenient and make our lives easier in so many ways, many people may not fully understand the deeper implications of personal data we feed into these devices and the systems that run them every second of the day. The thing about IoT devices is that in order to function properly and meet the needs of their users, the devices need to collect and process large amounts of sensitive personal data about our lives, preferences, and daily activities. Needless to say, if that data is somehow compromised or ends up in the wrong hands, it would obviously be an enormous invasion of personal privacy.
But what happens if the data stored on our devices could potentially hold key evidence in a criminal case? Should authorities be able to demand access to the personal data collected and processed by IoT devices? Who is to decide under what circumstances such access to sensitive personal data should be authorised? And what expectation of privacy can we really assume when we upload masses of data into our smart devices if they could be subject to search and seizure in a criminal investigation?
These are difficult questions that have no simple answers. However, investigators, judges, device owners, and device manufacturers will need to consider these difficult questions more and more as IoT devices become more ubiquitous and inevitably become entangled in the criminal justice system as potentially valuable sources of evidence.
One of the major problems is that the precedent for such cases is still extremely limited, and IoT data playing a role in criminal investigations is still very much in its infancy. This means that the landscape is still quite uncertain and proper procedures for handling these cases are certainly not in place.
To date, there have been only a handful of cases where IoT has played the role of witness in criminal investigations. Data from the popular Fitbit exercise trackers have been used in a few cases; one in which a woman’s rape allegations were discredited after the data obtained from her Fitbit contradicted her version of events, and another that implicated a man in his wife’s shooting death after data from his wife’s Fitbit indicated she was moving around for nearly an hour after her husband claimed a masked intruder killed her. Amazon’s Alexa voice-activated personal assistants have also been called on as witnesses in a murder investigation and in a separate suspicious death investigation after investigators in both cases noticed their presence at the two separate locations. Investigators in both cases sought to access audio data that may or may not have picked up audio evidence that could prove critical to solving the cases. In another case, data from a man’s implanted smart pacemaker pinned him as the lead suspect in an arson investigation after the data was reviewed by a cardiologist who deemed the data to be inconsistent with the man’s story of what happened.
While Fitbit released the data to authorities in both cases, Amazon initially resisted, citing user data privacy rights. Important to note, though, is that both Amazon’s and Fitbit’s privacy policies indicate that they may be obligated to release data to law enforcement upon receipt of a binding court order. Although authorities may in certain cases be able to obtain IoT data for evidence, questions regarding probable cause are extremely important to consider. If a judge isn’t familiar with how a device works or collects and processes data, or cannot determine if useful evidence even exists within the IoT data in question, how can he or she grant probable cause to authorities to search through the data? Judges may very well rule on something they do not fully understand, and that sets a dangerous precedent for consumer data privacy. To address this issue, courts must strive to keep up with technology and fully understand the privacy implications of what they are ruling on.
Ultimately, a proper balance needs to be achieved between protecting our right to privacy and ensuring justice is served. Courts must be able to function effectively in our ever-connected world while not overreaching into what could amount to an unnecessary invasion of personal privacy. We need to be prepared for a future where IoT technology will continue to play the role of witness in criminal cases. Now is the time to be proactive and ensure that justice can be properly served without undermining our right to privacy.
Attila Tomaschek, digital privacy expert, ProPrivacy.com