Law Enforcement Access to IoT Data

In the first of what will undoubtedly be a large number of battles between companies that make IoT devices and the police, Amazon is refusing to comply with a warrant demanding data on what its Echo device heard at a crime scene.

The particulars of the case are weird. Amazon's Echo does not constantly record; it only listens for its name. So it's unclear that there is any evidence to be turned over. But this general issue isn't going away. We are all under ubiquitous surveillance, but it is surveillance by the companies that control the Internet-connected devices in our lives. The rules by which police and intelligence agencies get access to that data will come under increasing pressure for change.

Related: A newscaster discussed Amazon's Echo on the news, causing devices in the same room as tuned-in televisions to order unwanted products. This year, the same technology is coming to LG appliances such as refrigerators.

Posted on January 11, 2017 at 6:22 AM • 40 Comments

Comments

rJanuary 11, 2017 6:48 AM

@Bruce,

That newscaster quip you have there is good reason to mandate those ultrasound signals for interoperability and decision making where commands are concerned. Scary stuff.

Alex TsiparusJanuary 11, 2017 7:22 AM

Do you still have a choice in what you buy? Is there a law forcing you to participate?

Trying to get ahead on the security and "privacy" of these objects is futile.
Over the years I've come to feel the weight of time, the only thing close to that force is the momentum of human stupidity.

Of course someone else has already pointed this out.


"Only two things are infinite, the universe and human stupidity, and I'm not sure about the former".

--Albert Einstein

TatütataJanuary 11, 2017 7:48 AM

Isn't there already relevant US case law regarding the access to transient data in engine control computers, i.e., information on how fast was the car going just before the crash and what was the state of the throttle and of the brakes?

I understand these things nowadays collect and keep a LOT of data.

Peter GerdesJanuary 11, 2017 7:52 AM

My understanding of the situation is that Amazon isn't so much refusing to hand over data in response to a valid warrant but merely holding out for a properly issued, appropriately specific warrant as would be needed to gain access to files on google's mail servers or any other private cloud data.

I didn't pay close attention but the article over at Mimesis Law seemed to suggest the prosecutor just threw together a warrant basically saying 'give us evidence' without any particular effort or thought into what was being requested or how amazon should identify said data.

Peter GerdesJanuary 11, 2017 7:58 AM

Also, access to IoT data in the cloud by way of a proper criminal warrant isn't the real concern. That data is no more available (and probably less) to police than the information we physically leave in our homes (fingerprints etc..) or the data we've stored on cassettes, reel to reel players etc.. for decades.

What IS a serious concern is the application of the third party doctrine, the status of 'ordinary business records' and sub-warrant access via statue or simply compliance. If Amazon was recording all the time and saving every single word they could hand that data over to the government without implicating your 4th amendment rights in the slightest. Hell, the government could even illegally seize it from amazon and you would have no recourse (it was their rights not yours which were violated).

Congress recognized (very imperfectly) the need for greater protection for emails and they desperately need to expand these protections.

ThaumatechnicianJanuary 11, 2017 8:22 AM

The worst part about this will be when companies will begin to manufacture low-feature, IoT-free appliances as 'More Reliable!' and 'Future-Proof!' and charge a 50% premium.

Peter GerdesJanuary 11, 2017 8:23 AM

@Ion,

The problem is that each tech advance alters the balance of power between the individual and the state. The mere existence of iphones, computers etc.. renders reasonable restrictions on the state that were sufficient in an earlier age completely impotent.

Unfortunately, real change in this area won't be forthcoming so long as people see the difficulty 4th amendment protections (and privacy generally) create in prosecuting crimes as an undesirable side effect to be minimized. The founders wrote the fourth amendment because of the terrible power general warrants in England gave their wielders to dredge up some wrongdoing and, no doubt, to keep the government from prosecuting men for what they wrote in their private papers and correspondence the way the British had used sedition and treason laws.

Think about that for a second. THE 4TH AMENDMENT WAS INTENDED TO IMPEDE THE GOVERNMENTS ABILITY TO INVESTIGATE AND PUNISH CERTAIN CRIMES. It protected liberty because the government was pragmatically barred from throwing people in prison for writing atheist tracts or writing to a friend about the merits of communism. But this is exactly the opposite of how both the court's jurisprudence and the public views the 4th amendment today. We feel that the fourth ammendment should only apply to non-criminal activities and work hard to make sure that the government can gather evidence for any crime under the sun.

---

Of course the government needs to be able to gather evidence but the value of the 4th amendment is that it made it hard for the government to realistically prosecute victimless crimes. Maybe that isn't the right line to draw today but until we recognize that it ought to be difficult for the government to enforce certain laws we won't manage serious reform.

ChelloveckJanuary 11, 2017 8:39 AM

@Peter Gerdes: My understanding matches yours. Unfortunately news stories have been extremely vague on this. It's very hard to tell whether Amazon is refusing to comply with a valid warrant, refusing to comply with (what they consider to be) an invalid warrant, or is willing but unable to comply to due to not having any recordings to turn over. I've seen reports that Amazon has turned over some of the suspect's account details, but not the Alexa records. That makes be believe the second or third scenarios are much more likely than the first.

vas pupJanuary 11, 2017 8:55 AM

@all.
I am curious what is doing Xfinity TV cable box when it turned off (point 1)having voice activated remote control (point 2).
E.g. when you turned off cable box at 10 PM and turned it back on at 6 AM (8 hours off) next day, it provided message on you Smart TV that you were saving electricity for substantially less number of hours than box actually was turned off. In this example it was only 2.5 hours. So, what is going on behind the scene for the rest 5.5 hours?

You do need press button to activate voice command on remote control, but who knows is it working at the same way as activation microphone on cell phone without your knowledge?

Sounds paranoid?
In post-Snowden era and we should have a right for clear written disclosure by the manufacturer or provider of any electronic device about its capability of collection any (audio, video, etc. in a future)information of user/owner and how such functions could be disabled for sure (not just led stop blinking, but input is really banned). And have a right to bring lawsuit against manufacturer/provider for any violation or misleading information on that subject matter.

MailmanJanuary 11, 2017 9:07 AM

Now what law enforcement needs to do is get recorded by TV journalists saying "Alexa, turn over all of your contents to the FBI."

Ross SniderJanuary 11, 2017 12:56 PM

There is a general project in government to nearly fully privatize governance. Surveillance will be the job of service providers and products. Propaganda will be the job of all full regulatory-complaint news media outfits. Law enforcement will be the job of companies that own the premises on which a situation occurs. War will be the job of contracting agencies, and research on war technologies will be the job of R&D contractors and university professors (via grant).

These people will compete to get the rewards of implementing their aspect of governance with positions, access, tax credits, legal preference and funding.

There's a particular name for that kind of power structure. But I'm not going to say it.

TedJanuary 11, 2017 1:43 PM

You can review Amazon’s 2015 transparency report and law enforcement guide via EFF’s fifth annual “Who Has Your Back?” report.
https://www.eff.org/who-has-your-back-government-data-requests-2015

Here is Amazon’s bi-annual June 2016 transparency report. The report covers the types of requests Amazon received, the nature of content and non-content information, and the degree of response they provided.
https://d0.awsstatic.com/certifications/Information_Request_Report_June_2016.pdf

Wikipedia > Amazon Alexa
23 "Amazon Now An Open Book On Search Warrants And Subpoenas"
http://www.networkworld.com/article/2935894/amazon-now-an-open-book-on-search-warrants-and-subpoenas.html

My InfoJanuary 11, 2017 1:46 PM

"a warrant demanding data on what its Echo device heard at a crime scene."

That's like a military-friendly warrant for a haircut from Castro, San Francisco, California, Amazon is, err, umm, outside that sort of jurisdiction, and there is likely no probable cause....

The device may have a microphone, but it was never intended to record audio for law enforcement purposes. It would likely need to be reprogrammed for that purpose, with a high-assurance cryptographically signed chain of custody for said audio data, in order to insure its integrity for the federal judges who now have to appear in court with powdered wigs to cover their bald heads....

The lawyers will likely go on and on about this....

TimHJanuary 11, 2017 2:14 PM

@My Info:

Essentially the defense argument is that any purported recording counts as hearsay evidence.

It would interesting if ACLU or EFF could argue that all evidence where prosecution won't prove the source (state secrets etc) is by nature hearsay evidence also because the provenance cannot be examined or cross-examined.

Bob FJanuary 11, 2017 2:30 PM

We are living 1984 right now.

Just like the government can turn on your cellphone mic and listen to your private in person conversations, the same will happen with Xfinity Voice remote, Amazon Echo, and Google Home, if they don't have that capability already

If you want privacy you have to ditch these technologies.

Unfortunately most people prefer convenience over privacy.

Ross SniderJanuary 11, 2017 3:17 PM

@BobF

Turns out owning a cellphone isn't even a convenience issue. It's almost impossible to apply for a job without a cell phone, for example.

P CuliarJanuary 11, 2017 3:29 PM

@Bruce Schneier:
Amazon's Echo does not constantly record

How ya know it doesn't constantly record..?

P CuliarJanuary 11, 2017 3:51 PM

@vas pup

about that Geek Squad case, the BBC article says:


The case began when Dr Rettenmaier took his computer to a Best Buy in November 2011 after it failed to boot up.

The hard drive was later shipped to Geek Squad's maintenance centre and in January 2012, Mr Meade contacted Ms Riley to say a technician had found something suspicious.

During the time span between November 2011 and January 2012 that Best Buy / Geek Squad had that machine, the pictures could have been placed on machine even by that Geek Squad member himself.

It wouldn't be the first case someone acts like they just found something that they themselves planted. For example just because it makes them look useful to FBI.

And another possibility stems from the fact that Geek Squad had to use "specialised tools" (i.e. forensic software) because the images "were either damaged or had been deleted". This means that the accused person could also have ended with the images e.g. because he had purchased a used hard disk that had not been formatted with the kind of "government wipe" (filling the disk with 0's and 1's).

One could ask what were their reasons for running forensic tools in the first place...

TimHJanuary 11, 2017 5:35 PM

@P Culiar
Have to disappoint you here old son, but disks without your "government wipe" are also filled with 0's and 1's

WhiskersInMenloJanuary 11, 2017 10:07 PM

@My Info • January 11, 2017 1:46 PM

"a warrant demanding data on what its Echo device heard at a crime scene." "That's like a military-friendly warrant for a haircut from Castro, San Francisco, California, Amazon is, err, umm, outside that sort of jurisdiction, and there is likely no probable cause....

"The device may have a microphone, but it was never intended to record audio for law enforcement

At some point I expect to see cases where the devices was placed into continuous record mode
by a national security letter... ;-) OK I will not see that...
A constant stream of audio is not very demanding of bandwidth.

Using off the shelf parts today allows a lot of tech for modest cash outlays this is a beginning.
What was expensive is just darn easy today.

OK NSA -- erase all data -- and the earth goes dark.

TJJanuary 11, 2017 10:21 PM

Let's go deeper in to the rabbit hole.. WIFI and GSM and LTE make great backdoors for people with 802.11 or WPA2 zero-days or heavy computing power.. You bought a backdoor so the gov doesn't even have to look for you in the ISP dumps..

IoT? Even non-tech people can spot the bad QA and firmware design just imagine a gov or researcher or malware author.. IoT stuff from known brands are only slightly better and only with hardware QA..

Blame the people who buy stuff of bad quality.. You're telling some manufacturer in Taiwan or China that rushing it out and skipping costs is perfectly fine..

Kevin LydaJanuary 12, 2017 5:36 AM

"A newscaster discussed Amazon's Echo on the news, causing devices in the same room as tuned-in televisions to order unwanted products. This year, the same technology is coming to LG appliances such as refrigerators."

Which technology is coming to LG refrigerators? The ability to order unwanted products through Echo, or to order them based on newscasts?

TheDoctorJanuary 12, 2017 5:37 AM

Just the obvious:

Don't use the IoT crap, its just toys, no real need for them.

ThothJanuary 12, 2017 6:31 AM

@all

re: Geek Squad/Best Buy traitors

If the computer is down, either fix it yourself or discard it securely. That means not to spend huge sums of money for computers as it is not worth all that effort for a home setup. The best is a cheap computer setup that can be easily discarded (i.e. thermite, drill, smash ...).

For those gaming and casual Internet PCs, never use it for sensitive stuff and apply the ame security in disposing it whenever possible.

vas pupJanuary 12, 2017 8:31 AM

@all for tag police:
(1)Nice article on monitoring criminals technology:
http://www.dw.com/en/the-electronic-ankle-bracelet-more-of-a-mental-concept/a-37090613

What other data collection features those devices have other than openly disclosed? That is rhetoric question. We may find out through leakage by disgruntled employee of those manufacturers(butter joke).
(2)dear respected bloggers, Germany recently produced documentary 'Karl Marx City' on Stasi practice on psychological breakdown of people with dissent opinions - Zersetzung -in Eastern Germany.
Other good US documentary on militarization of police forces 'Do Not resist'. I promise you'll enjoy both.



MikeAJanuary 12, 2017 10:20 AM

@ion

As I read it, you intend to "limit the power the state has" by some sort of legal means. But theft has been illegal for millennia and prudent folks still lock their doors. The law only limits the lawful, and we have ample evidence that a non-negligible subset of all law enforcement personnel are not lawful (as, obviously, a non-negligible subset of all people).

NileJanuary 12, 2017 11:19 AM

The United States has a very unusual citizen's right in the 4th Amendment: the prohibition on a 'general warrant'.

I can see from other posts here that this is not as well understood as it needs to be.

In simple terms, the General Warrant allowed the Crown to seize everything - all your correspondence and records - and trawl through them so that a prosecutor can formulate a case: "Show me six lines written by the most virtuous man in all of France and I will find in them something to hang him is the idea, and it works.

I can assure you that a continuous record of your private conversations will provide something that can be used against you. No matter who you are or what you do; unless you are, perhaps, a Trappist monk.

This is why the wording of the 4th Amendment - and of any warrant that complies with it - is peppered with the terms 'specific', 'particulars' and 'in connection with': a warrant can only be raised on reasonable suspicion of a named crime, and can only seek a described set of evidence to prove or disprove these suspicions.

Yes, it gets abused: notoriously, with the subpoenas issued in divorce cases.

Likewise, continuous surveillance in the hope that something incriminating will be captured - anything, and it doesn't matter what offence - is forbidden under this amendment.

This, too, is abused routinely in the practice of 'parallel construction', whereby the continuous observations of illegal mass surveillance are cherry-picked for items that an unscrupulous law enforcement officer can 'fortuitously' overhear by claiming to have been in the right place at the right time.

Nevertheless, US citizens have a constitutional right to be protected against this 'unreasonable' search and surveillance.

It's an unusual right, and you should value it: it is clear that many don't, and some of you work to undermine it. But it does exist and it can be defended in the courts.

This does need a determined and deliberate effort by the judiciary to throw out the idea that we can listen to everything, or read everything, in the hope that something incriminating can be discovered.

Above all, it needs to be defended by citizens - and this includes Amazon - refusing to hand over everything they've got in response to an overly broad warrant that does not specify the suspicion and the evidence.

What we have here, in the 'Echo' warrant, is an edge case: the authorities are resonably sure that a murder occurred in a room recorded by that microphone. If there had been a human witness in the house, we could ask her: "Tell us what you saw", and the judge would rebuke any prosecutor who asked "Tell us something about the suspect that we can use to prosecute him, the villain"; but that's not quite possible when the 'witness' is a microphone.

Insisting on 'particulars' is a *fairly good* protection, when it's used; but this depends on seeking evidence from a vigilant defender of the 4th Amendment. I am certain that Law Enforcement can and will find more amenable people to ask, as more and more of these recording devices come into use.

The future of these cases is going to involve a change in legal practice - case management, not necessarily the statutes - involving a pretrial screening process for the evidence that 'asks the witness' for the relevant information, and a determined effort to discourage parallel construction.

Meanwhile, if you're a citizen in a jurisdiction which does not have this peculiar protection, you're hosed. We're all Joe Naccio and a complete trawl of all your correspondence with find something, amidst all the conflicting demands of the law, that you were either obliged to do or forbidden to do. Or both, under much of the statute law applicable to company directors.

vas pupJanuary 12, 2017 2:40 PM

New German Law on data storage:
http://www.dw.com/en/german-data-storage-laws-threaten-free-trade/a-37110699
"Of course, free trade is a very important principle. But on the other hand I think it's legitimate for a country to protect its data and the data of its citizens. If a company is based in China, for example, and stores data there, then it will only be subject to law there. Also, if you make a firm locate in Germany, you have better possibilities for sanctioning it."
The German Economy Ministry dismissed the accusation that the law amounted to protectionism, arguing that localizing data storage was essential to protecting personal data from abuse and unauthorized access. "Only inside Germany can high demands be comprehensively guaranteed and regularly checked," the ministry said in a statement to DW.
!!!!"By storing data abroad it can't be ruled out that the foreign state [its LEAs/Intel in particular] will gain access to the data by dint of its interior law."

Good point Germany!

CarpetCatJanuary 12, 2017 6:31 PM

@Nile,

My God, man. The ship has sailed! These very claims have been made, and to what end? The U.S. Supreme Court has greenlit everyone of these attrocious destructions of the constitution. Oh, you're a German citizen? Well, you don't have standing! God given rights to humans only applies to American citizen humans, don't you know?

Oh, you're an American citizen? But your also ((allegedly)) a terrorist? Well, then its curtains for you, via a friendly neighborhood drone stike! -Thanks, Obama!

The rule of law means nothing anymore. They used to change the law before they did something unsavory. Now they can barely be bothered to retroactively review it. This is an empire, all the courts, the rules, the due process, the freedoms-- all of it, just window dressing for the opiate of the masses.

Go to sleep, get back to work, stop bothering the elite.

IonJanuary 13, 2017 1:20 AM

@Peter Gerdes

You are weird.

I ask:

> Wouldn't be simpler to limit the power the state has than chasing down any tech advance?

To which you answer:

> The problem is that each tech advance alters the balance of power between the individual and the state. The mere existence of iphones, computers etc.. renders reasonable restrictions on the state that were sufficient in an earlier age completely impotent.

What is the point?

Ask for limiting the power.

> Unfortunately, real change in this area won't be forthcoming so long as people see [bla bla cut]

Nobody is going to do it for you.

Worse yet, for decades some 80+% of the people voting do choose and ask for more control. You included:

> Of course the government needs to be able to gather evidence but the value of the 4th amendment is that it made it hard for the government to realistically prosecute victimless crimes.

Of course the government does not need such ability. Among many others that spell both sinecures and more spending. And if only things would have stopped here. But spending spills into personal power. Which leads to influence peddling. Spelling corruption.

TJJanuary 14, 2017 10:40 AM

The Thing Everyone Ignores: The South-Asia software vendor who does the firmware for most IoT(even established brands) doesn't care because nobody says anything and there is little to no QA.. You get easy privilege escalation do to buffer overflows(no jails etc..) and bad password policies and MITM because not even a self-signed cert..

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Resilient, an IBM Company.