Monday 1 May 2017

Adrian Weckler: How your gadget could testify against you

In 2015 a woman was given a two-year suspended sentence based on evidence from her Fitbit device
In 2015 a woman was given a two-year suspended sentence based on evidence from her Fitbit device
Adrian Weckler

Adrian Weckler

Could the gadget you got at Christmas testify against you in a police or insurance company investigation?

In a year's time, don't say we didn't warn you about this.

Voice-activated and connected health devices are increasingly being viewed as evidence to be used in court cases. I'm not talking about iPhones, although Apple did receive 262 requests from Irish authorities relating to "device" whereabouts in the first six months of 2016. And I'm not talking about Facebook accounts, even though 89 requests were lodged by gardai with the social media giant between January and June last year looking for information to help build criminal cases.

No, I mean that the net is now widening to include things like Fitbits and smarthome gadgets.

The latest instance is an Arkansas murder investigation where police are requesting files from an Amazon Alexa device to help build a case against an accused.

The Echo is a voice-activated gadget that connects to the internet and controls household lights or heating systems by simply speaking. It's always turned on and recording. It's not supposed to save sounds or noises unrelated to specific commands, but sometimes it might pick up audio based on mistaken understanding of a request.

Police think that the device may have recorded something that could implicate the suspect, a man called James Bates. But in echoes of Apple's earlier privacy stand on denying access to a terrorist suspect's iPhone data, Amazon is fighting police requests to hand over deeper sets of data it might have that are linked to the device. In the Bates investigation, a smart water meter in Bates's home may also turn out to be critical in proving whether Bates used an unusually large amount of water at a late hour of the night.

While relatively few Irish people yet have Amazon Alexa gadgets in their home, thousands have water meters.

And Irish homes are starting to fill up with legions of gadgets that collect critical pieces of data about us. Our Netflix accounts, smart thermometers and security cameras. Even our coffee makers, which increasingly co-ordinate with our online schedules.

Such data is now being eyed up by authorities, regulators and even private companies (such as insurers) for verification or evidential purposes.

The big question we all now face is: how much of it should be used for this?

In the case of a household fire, would you hand over access to your smart thermostat's backup files to an insurance company if that might yield a clue as to how the fire started? If authorities suspected arson, should they be allowed to request access to such files?

How about other incidents, such as domestic abuse? If one spouse claims to have been beaten, assaulted or raped, should smart gadgets in the home, which might potentially help corroborate or disprove the claims, be admissible as evidence? Should they be the legitimate subject of a warrant?

This isn't an academic question. A 2015 Pennsylvania case saw a woman, Jeannine Risley, given a two-year suspended sentence based on evidence from her Fitbit device. The woman claimed to have been assaulted in her home but a court found that she had made the episode up after investigating police used evidence from her Fitbit health tracker to disprove her whereabouts and her movements. In that case, the woman (foolishly) consented to police parsing the Fitbit. But to what extent can authorities expect to rely on such 'witness' devices in future?

Fitbit is an interesting case. It makes two things clear in its terms and conditions: (i) it adheres primarily to US law and privacy standards and (ii) it might give you up to police if asked.

"We may consult with and disclose unlawful conduct to law enforcement authorities and pursuant to valid legal process, we may cooperate with law enforcement authorities to prosecute users who violate the law," the company says in a clear warning.

A few months ago, the office of the Irish data protection regulator announced that it would "step up" audits of certain 'internet of things' firms after a survey of 300 connected devices found "alarming shortfalls in the management of personal data by developers and suppliers".

Separately, Helen Dixon's office is involved in an enquiry into Yahoo for reportedly handing over access to customer accounts to US authorities late last year without informing its users or European regulators.

But the bigger question is whether objects in our homes and on our wrists should be legitimately yankable for the data they hold on us. If we think some circumstances merit it, how extreme must those circumstances be?

The degrees of answer to this may resemble the split in opinion that occurred in the Apple iPhone privacy case of 2016.

There, Apple executives up to and including Tim Cook said that they would not provide a "back door" entrance into iPhone encryption to FBI investigators prosecuting a domestic terrorism case. The public cheered and booed in almost equal numbers. It was a case of privacy versus security.

On that occasion, privacy won the day. But for how much longer?

In Ireland, the issue may not be tested until a painful outlier case, such as a child kidnapping, crops up.

Sunday Indo Business

Promoted articles

Also in Business