We are constantly told to be careful with what personal information we intentionally put on the Internet for the whole world to see. But with the rise of the “Internet of Things,” it seems we should be even more concerned about what we unintentionally put up on the World Wide Web. Billions of “smart” devices make up the “Internet of Things” (“IoT”). These “Internet of Things” smart devices use wireless technology to communicate with other devices. For example, personal use IoT devices, such as Samsung’s fridge of the future that allows users to check spoilage from their phone, can conveniently collect information or can remotely carry out the demands of the users. Other more common devices, such as the modern smartphone that have built in sensors that track every single movement of the user, can become a part of the Internet of Things when they pass on any of that information into the internet (most of them do).
It seems as if top officials within the US surveillance community are playing good-cop-bad-cop with their approach of addressing the opportunities that the new generation of smart home devices offer to track human activity. The Director of National Intelligence, James Clapper, has acknowledged that surveillance agencies, without specifying which ones, might use IoT devices to expand upon their surveillance capabilities to monitor the better American public. It seemed as if he was excited when he told the Senate that “intelligence services might use the [Internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials.”
On the other hand, the Federal Bureau of Investigation released a public announcement expressing their concern that the soft security of many IoT devices may expose users to new avenues of harm. The FBI even listed examples of such harms, including the possibility of criminals gaining access to and controlling security systems, garage doors, and automated house locks of private homes. The Director of the National Security Agency, Admiral Michael Roger, gave the impression that the government is concerned about the potential violations of privacy that will arise from the presence of IoT devices within the home, stating that it was time to make such devices “more defensible.” However, it is highly doubtful that the director of the National Security Agency suggested that such devices should be “more defensible” from government snooping. One would naturally assume that the ability to access the millions of sensors that comprise the Internet of Things to monitor human activity is every security and law enforcement official’s dream.
The possibility of a reality where the government has access to every single spec of movement we make brings up two very important questions: (1) Are the companies that sell these products adequately protecting their users from government intrusion? (2) Does the 4th Amendment protect against government surveillance and the collection of data that arise from one’s activity within her personal home?
The answer to the first question is quite simply, no. Hewlett Packard Enterprise released a report that found that an “alarmingly high average number of vulnerabilities” in each of the 10 most popular IoT devices. The answer to the first question requires a closer look into the companies that make these products. Many of these companies are established corporations that have no experience making products that connect to the Internet such as coffee machines, children’s toys, and refrigerators. Many others are young start up companies that do not have the means or may not stay in business long enough to address security holes. Furthermore, based on Hewlett Packard’s findings, it may just be that these companies simply do not care about protecting their users’ information.
Next, does the U.S. Constitution protect against the government intrusion into the privacy of one’s home? An analysis of the Supreme Court decisions that focused on this issue leads to the notion that the 4th Amendment will not protect the information deriving from IoT devices because the collection of that data does not intrude upon an individual’s “reasonable expectation of privacy” or may not qualify as trespass.
The Supreme Court adopted and still uses a two-pronged “reasonable expectation of privacy” test, as stated by Justice Harlan in his concurring opinion in Katz v. United States, to determine whether a warrantless search by the government intrudes upon someone’s 4th Amendment rights. The 4th Amendment does not protect information that was knowingly revealed to the public. In United States v. Miller, the Supreme Court held that information voluntarily given to third parties is not subject to 4th Amendment protection. In Smith v. Maryland, the Court went one step further and held that the information collected by third parties is not protected when an individual was presumably aware that third parties collect that data. In conclusion, the 4th Amendment will not protect the information from IoT devices that is uploaded onto the Internet. The user is knowingly sending all of the information from his device to the company by connecting it to the Internet. At the very least, the user is aware that the company is recording the data from the device to the application or website she is using to access the device.
In Kyllo v. United States, the Supreme Court held that the government can not access information from within an individual’s personal home with a device “not in general public use” to explore “details of the home” that would have been “unknowable without physical intrusion.” The device used by the government to observe individuals in Kyllo, a thermal imaging device, differs greatly from the IoT devices the government may use in the future. The next big issue for the Supreme Court will be to decide how dispositive the “not in general public use” element is in determining whether a search is reasonable.
We live in a society where the presence of technology within our daily lives continuously increases. Hence, our privacy over the most intimate details of our lives will increasingly rely on the Supreme Court’s answer to that one small question.