DEFCON 29 IoT Village - Sessler and Hendricks - IoT Devices as Government Witnesses

A man in Connecticut was arrested after his wife’s Fitbit implicated him in her murder. Prosecutors in Arkansas sought to use data from an Amazon Echo as evidence against a murder suspect. Local police sought access to car, TV, and even refrigerator data to monitor Black Lives Matter protestors—and the FBI did the same thing to help track down suspects in the aftermath of the January 6th, 2021 riot at the U.S. Capitol. These examples are hardly isolated instances—there are thousands of other cases just like them. And they all speak to an important truth: IoT devices are increasingly being used by law enforcement for investigational purposes and, in some cases, even being made into star witnesses at trial. But law enforcement’s use of IoT devices raises two important questions. First, does allowing the government to use IoT data violate consumer expectations of privacy, particularly at a time when IoT products are being made and marketed with an eye toward information security? Second, are criminal suspects being provided with the same near-limitless access to IoT data for purposes of mounting their legal defense? The answers to both of these questions are troubling, in large part because the law is inherently back-ward looking and is thus not equipped to grapple with the raw amount of information is now generated. Just as many consumers did not realize several years that their watch or car audio system would be used by law enforcement to track their location 24/7, so lawmakers and judges did not either. For example, the Federal Privacy Act of 1974 never contemplated that, rather than maintaining records, the government would simply buy access to private records—as ICE recently did by purchasing access to CLEAR—or create its own iOS app to ensnare criminals, as the FBI recently did. Likewise, although the Supreme Court noted the private nature of cell phone location data in Carpenter v. United States, this was a 5-4 decision (while RBG was still on the bench) that only applied the Fourth Amendment to historical cell phone GPS data, effectively leaving the law unsettled on many other types of IoT data. This has led courts, including a New York federal court in a case involving Apple, to express concerns that, even where warrants are involved, allowing the government to force companies to produce IoT device data could “result in a virtually limitless expansion of the government’s legal authority to surreptitiously intrude on personal privacy.” These concerns are heightened by the fact that, although the Federal Rules of Criminal Procedure are supposed provide defendants with equal discovery rights, the Stored Communications Act often prevents defendants from accessing the IoT data of others, such as witnesses, accusers, or potential other defendants. In practice, this means that IoT data can effectively be used against criminal suspects but is not available for them to use in arguing their legal defense. This results in an incredible inequality in the criminal justice system. And it may also lead to erroneous outcomes: as with DNA evidence, IoT data may help exonerate criminals just as often as it implicates them. Indeed, in the Arkansas v. Bates murder case, the prosecution dismissed the charges against the defendant shortly after it obtained the Amazon Echo data, which apparently validated the defendant’s alibi. Similarly, allegations of cheating against low-income students at Dartmouth Medical School were dismissed after IoT data brought into question potentially erroneous remote test monitoring that may have been skewed by poor internet. So what can we do to reform or limit government use of IoT data? This talk aims to talk through ways in which both the infosec and legal communities can increase their mutual understanding and help drive reform. In the short term, the infosec community can increase security by minimizing, encrypting, or de-identifying data. This can reduce the amount of information that IoT devices collect and, thus, are required to turn over to law enforcement. Over the long-term, the best solution may be to pass new laws or drive new judicial precedent that incorporates an understanding as to what IoT data is, how it is changing expectations of privacy, and how it is being used by law enforcement. Such laws could either limit access to IoT data—enshrining a greater degree of privacy—or set forth procedures delineating when authorities may use it and guaranteeing defendants equal access. Of course, there are other potential solutions and we hope this talk will help launch a broader discussion on how to help the law interact with IoT technology.