
Search Warrants for IoT Data Spur Legal, Privacy Complications

Law Enforcement Attempts to Access Amazon Echo Raise Questions over the Viability of IoT Data in Investigations and the Vulnerability of Private Information



A case surrounding a mysterious death in Benton County, AR, has far-reaching implications for the ownership and privacy of data generated from Internet-connected devices, also known as the Internet of Things (IoT).

County officials in Benton County have argued that IoT information is pertinent to their ongoing investigation into the death of Victor Collins, who was found deceased in the hot tub of a home belonging to James A. Bates on Nov. 22, 2015. The IoT data in question stems from Bates’ Amazon Echo — a “smart speaker” that allows users to order products and access Amazon services through voice commands.

According to files from the Arkansas Administrative Office of the Courts, county law enforcement officials served Amazon with two search warrants requesting data accrued by the Amazon Echo, such as audio recordings and transcriptions of the night in question. See http://bit.ly/2jb05OX. Amazon refused to fully comply with the warrant, framing the issue as one over the privacy of customer information.

What does the battle over this data say about a user’s right to data privacy? Christopher Dore, partner at Edelson, notes that while the warrants for IoT data from an individual Amazon Echo were “very interesting,” they were not entirely an “unexpected development.”

“It was only a matter of time before law enforcement started to realize the usefulness of IoT [devices] and the effective monitoring abilities that these type of devices have,” Dore says.

Yet Dore questions just what relevant information could be gathered from an Amazon Echo. The device, when powered, is always ready to receive commands, enabled by a user saying “Alexa.” From there, audio is recorded for 60 seconds and erased upon the recording of new sounds.

The usefulness of such data therefore rests on the possibility that when “some event was happening in a house, someone said or yelled a word that was close enough to ‘Alexa’” so the device would start recording and store data, Dore says.

Legal Authority to Access Amazon

On its surface, the search warrant against Amazon may run into uncertain legal territory. Paul M. Tiao, partner at Hunton and Williams, questions the authority Benton County officials have to access Amazon cloud data that is potentially stored out of state.

“The fact that Amazon is resisting this indicates there may be some legal and factual arguments that the [local] government doesn’t actually have the authority under the law to get this data,” he says.

Tiao notes that because the case regards stored audio information, “the Stored Communications Act would be a good place to start to figure out what authority [any] government may have to obtain this data.”

“Typically the more sensitive the data, the higher the burden of proof the law will require,” he adds.

There may be, however, other factors at play besides legal authority to access the data. Tiao notes that Amazon’s “objections are fairly typical objections to subpoenas and search warrants. Among other things, they might argue that the warrant isn’t specific enough to cover the data requested here, it is too broad, or it would be unfairly burdensome on the company to isolate the pertinent communications and deliver them to the government.”

There is also the possibility, he adds, that “Amazon may be trying to make a statement to their clientele and customer base that they are very privacy protected, which is something customers care a lot about.”

While this situation may garner analogies to the “FBI v. Apple” fracas over encryption, Adam Levin, chairman and founder of identity and data protection company IDT911, cautions against thinking of them in the same light.

While this case involves a subpoena for an IoT device’s cloud-stored information, “the Apple situation was different, because Apple was being asked to create something new. They were essentially being asked to create software that would break their system and enable someone to get in there,” he says.

And while Apple’s situation had broader impacts for the future of encryption, and privacy of communications, this case more intimately concerns how vulnerable the growing amount of private information on an individual is given the growth of IoT devices.

“It’s all about those devices that track us that can determine if someone is in a residence or anywhere, and how long they’ve been there, when they sleep, and when they wake up — all of these devices are gathering data that is being sent somewhere,” he says. “We’re all leaving a trail of breadcrumbs, and the trail is getting longer and longer and it’s getting more and more precise.”

*****
Ricci Dipshan writes for Legaltech News, an ALM sibling of this newsletter in which this article also appeared.

The views expressed in the article are those of the authors and not necessarily the views of their clients or other attorneys in their firm.
