Are the Police Using Smart-Home IoT Devices to Spy on People?

IoT devices are surveillance devices, and manufacturers generally use them to collect data on their customers. Surveillance is still the business model of the Internet, and this data is used against the customers' interests: either by the device manufacturer or by some third party the manufacturer sells the data to. Of course, this data can be used by the police as well; the purpose depends on the country.

None of this is new, and much of it was discussed in my book Data and Goliath. What is common is for Internet companies to publish "transparency reports" that give at least general information about how police are using that data. IoT companies don't publish those reports.

TechCrunch asked a bunch of companies about this, and basically found that no one is talking.

Boing Boing post.

Posted on October 22, 2018 at 8:13 AM • 34 Comments

Comments

Clive Robinson • October 22, 2018 9:11 AM

@ Bruce,

Are the Police using Smart-Home IoT Devices to Spy on People?

Short answer "Yes if they can".

Long answer, they will if they can get access and won't get into much trouble if they can.

They will take the same attitude as Government and Corporate entities, with the current crop of legislators looking like they will give various LEOs access to Gov data and be able to buy Corp data.

If they don't get access either of those ways, and as the legislators will not stop them, then it will have to be the judiciary in some way. But I'm not holding my breath on that, Cops in the US kill by gun and taser without any signs of remorse and get backed to the hilt by people who should know better.

So I can not see them being even remotely worried by the judiciary in criminal cases. Which suggests civil cases, and taking large chunks of money away from them till someone tells them enough is enough.

me • October 22, 2018 9:34 AM

Yes, it happened recently with a Nest camera.

But my question is: why, after what Snowden told us, do people buy IoT cameras and Alexa?

Name (required) • October 22, 2018 10:58 AM

1) Betteridge's law of headlines: "Any headline that ends in a question mark can be answered by the word no."

2) Obligatory xkcd.

3) Democracies need to have an explicit opt-in rule in place that prohibits police from using any new surveillance technology or technique without explicit permission from their legislature. What we have now is an implicit opt-out rule that allows new surveillance tools until they are explicitly prohibited.

datalab • October 22, 2018 11:40 AM

Another question is who are these IoT manufacturers selling the data to? For example, does Alexa come with a TOS that allows Amazon to measure key words spoken at a household, to determine what political issues are being talked about, to sell to a campaign so they can door knock and talk to you about your recent abortion or bankruptcy?

vas pup • October 22, 2018 12:09 PM

@all some thoughts on the subject:
(1) I did not see in the article's list of companies the cable TV box companies (Xfinity/Comcast, RCN, etc.) which are permanently attached to the Internet. You can't turn them off because they claim the necessity to install updates, so your box is in a kind of sleep mode and could be activated without your knowledge and its processing power potentially used for other things without your awareness.
Some remote controls have built-in microphones. That feature potentially allows voice sampling/audio collection with all the possibilities of utilizing AI.
(2) IoTs are vulnerable to direct access (so called white hat hacking) by LEAs directly or utilizing private experts without any knowledge of the manufacturer/provider. E.g. like a stingray as a fake tower does not need any approval from the cell phone service provider. Private experts could do that for their own benefits - e.g. a PI. The problem is in both cases information obtained from such access is not disclosed as evidence and needs parallel construction to provide evidence in the court obtained within established rules of criminal procedure.
Conclusion: obtaining data directly from providers using court orders, NSLs, etc. allows that data to be used as evidence in the court directly, but the other path is available as well - see (2) above for criminal intelligence.
(3) In any IoT device, control of data collection should be provided to the user - a kind of kill switch embedded into the device, meaning OFF means OFF, not sleeping mode.
(4) At the bottom of the article there is a reference to Five Eyes activity on encryption back doors - don't have time to take a look.

Genie • October 22, 2018 12:36 PM

Are the Police Using Smart-Home IoT Devices to Spy on People?

Aren't the police given a little more credit than that? Let's avoid the *chan party van syndrome. Don't just dole out a "police" badge to anyone breaking into your home. Impersonating a police officer is a felony in Oregon and probably other places as well.

Burglars hack the whole electronic IoT system and use it to find an opportunity when you are not at home. You're rich and flashing your money when you've got all that IoT stuff anyways.

David • October 22, 2018 1:19 PM

@Me
> But my question is: why, after what Snowden told us, do people buy IoT cameras and Alexa?

Because they’re unaware. I recently helped a friend with a laptop, and showed him simple things like ad blocker browser extensions. It blew his mind.

Because there’s no better alternative.

Because we live in a world where things are measured in $. These devices are cheap for the consumer, the manufacturer, and the legislature.

Michel Renaud • October 22, 2018 1:20 PM

@Genie

"You're rich and flashing your money when you've got all that IoT stuff anyways."

Seriously? I'm definitely not rich but I do have a few IoT devices. It's not like most are that expensive anyway.

Genie • October 22, 2018 2:42 PM

@Michael Renaud: Seriously? I'm definitely not rich but I do have a few IoT devices. It's not like most are that expensive anyway.

Some of them are built into expensive appliances. "No user serviceable parts inside." Hidden microphones everywhere.

@Bob: Are they? Probably. Will they? Definitely.

The temptation exists.

VinnyG • October 22, 2018 3:03 PM

@vas pup re: cable TV's box companies... I have no doubt that Dish Network would spy on me if they thought there was a buck in it for them, but the processor in my original Hopper is frequently hard-pressed to keep up with such simple tasks as changing channels, so I doubt that there is much back-channel activity there. Of course, perhaps that is why it is so slow...

RealFakeNews • October 22, 2018 10:55 PM

@me

But my question is: why, after what Snowden told us, do people buy IoT cameras and Alexa?

To quote an otherwise "highly intelligent" family member one afternoon: but I've got nothing to hide so what's the problem?

While this attitude persists, there is no hope.

Bong-Smoking Primitive Monkey-Brained Spook • October 22, 2018 11:22 PM

but I've got nothing to hide so what's the problem?

If one has nothing to hide then, by definition, one has no private life. It also means identities, credentials and passwords are public. That's a big problem!

Everybody's got a thing or two to hide.

echo • October 23, 2018 12:35 AM

I don't find IoT devices very appealing from a practical or maintenance point of view, plus I can't afford them. I have a fair idea of the vulnerabilities and footprints of my laptops and phones.

I have been learning a lot about black holes lately. One of the big things is the information paradox. The thing is it isn't actually a real paradox as such. It's really nothing but an inability to fully articulate what happens to information because our understanding of the physics of black holes is currently limited. There's a lot of goofy psychological things like this about. This begs a question...

Just to be awkward, one issue is that the more open people become the more they become vulnerable, but at the same time a Mexican stand-off happens. At some point in the future might it become difficult for a politician or anyone to achieve authority without a public data footprint? I'm not being naive, just asking a "What if?" in the context of a changing world which isn't just changing technologically but socially and culturally too.

Weather • October 23, 2018 1:38 AM

Echo
The people that made those formulas knew about Terence point; on phys.org an article was about time slowing down instead of the universe expanding.
We are on earth, and unless you account for the sun and planets and anything between, it might be a static reference point, but it can't view stuff much outside our solar system without ruling out the noise.

That electron formula I posted earlier tried to rule out the sun and planets (0.637) but still was wrong, but on probability matched half of the gas constant, but viewed from here the gas constant at Alpha Centauri would show something different.

Do you actually read posts?

RealFakeNews • October 23, 2018 2:52 AM

@echo

I think people don't really care about politicians' private or public data beyond what the news feeds them.

For example, the European Court just ruled in favor of suppressing MEP expenses in the name of "privacy", and thus obstructing a fraud investigation.

All those pro-EU don't seem to care, either about the massive fraud at the center of a largely unwanted dictatorship, or the fact the EU Court is now complicit in its cover-up.

The only time people care is when they're attempting to weaponize the information against their adversaries or anyone against their cause.

Put simply: people only care when it's working against their agenda. In the case of those pro-EU, they support a dictatorship, and are the types that would freely vote for Stalin or Hitler. Thus they're also pre-disposed to committing fraud or other crimes themselves if given the opportunity, otherwise they would not tolerate the corruption they are in favor of.

mrc1980 • October 23, 2018 3:33 AM

@Genie

We had a fancy new touchscreen coffee vending machine installed at work.

It's got a cellphone/SIM card to take payments.
Grilles for microphones, speakers and what appeared to be several cameras dotted around the screen.
I ambushed the engineer when it inevitably broke down and had him walk me through the insides.

Originally it was designed to notice when people were standing around and use a combination of audio recognition to detect what people were talking about to advertise better.
A facial recognition camera "To bring up your regular order" and to phone home with various other metrics.

These have been disabled [by removing the camera & microphone modules] and within admin options [PW 0000] as the EU based manufacturer's solicitors decided that it could be classed as an invasion of privacy and a security risk for their customers.

However it would be the work of minutes to reinstall everything and I wonder how many machines that are fully operational are out there.

echo • October 23, 2018 3:38 AM

@RealFakeNews

I care! Then again I tend to be unpopular with people with a bureaucratic mentality who fail policy and standards at the best of times hence all the bother I got myself in and scrabbling around to fix the mess.

The media can be very selective and certainly edit opinion to match whatever the latest editorial line is, not to mention personal biases of the editors or higher profile journalists which aren't always openly disclosed.

I think I heard of the European court expenses ruling. I wasn't especially happy and was surprised and disappointed with this. I haven't read the ruling so cannot have much more of an opinion, nor know whether this is a judgment issue or 'margin of appreciation' issue. One thing I did read of last night was an activist organisation campaigning to push improvements in European law relating to medical insurance for pre-existing conditions, which promoted themselves by saying they would continue the fight for all European citizens. This is an interesting development in the sense that an EU wide NGO is emerging which to some degree may help provide a lead on filling this vacuum.

Another thought is that even if there are accounting issues it may just be that they are more obvious. The UK certainly cooks the books as does the US, albeit in different ways for different reasons.

echo • October 23, 2018 3:47 AM

@mrc1980

It's got a cellphone/SIM card to take payments.

[...]

These have been disabled [by removing the camera & microphone modules] and within admin options [PW 0000] as the EU based manufacturer's solicitors decided that it could be classed as an invasion of privacy and a security risk for their customers.

Perhaps the ordering/advertising functions should be shifted off the vending machine and be on the users phone linked by a fairly dumb protocol which processes the ordering (and advertising grrr) at a low level? Could this kind of "off device" idea be extended industry wide to things like 'Amazon Echo' perhaps with an open standard module?

Mind you, snipping the wires solves a lot of problems very cheaply in a low tech way no amount of software voodoo can alter.

AlexR • October 23, 2018 4:24 AM

@me

But my question is: why, after what Snowden told us, do people buy IoT cameras and Alexa?

Because people have a problem, and IoT devices provide a "good enough" solution.


If you're taking care of a baby, an extra pair of hands would be great - but a voice-controlled home assistant is not bad either. If you're away from home and you want to keep an eye on your premises - an IoT camera does that for you.

There are many side-effects, but it takes expertise to become aware of these issues, and it takes more expertise, time and money to solve the problems adequately. Guess which of these risks matters more to a consumer: "not catching a burglar who enters your house" vs "someone hacks my device and uses it to send spam to random people on the planet, though I still get to use my Internet connection and IoT device".

One might argue that IoT device users do the rational thing. The price for solving the problem their choice caused, is distributed across all the users of the Internet (a tragedy of the commons), while they reap the benefits provided by the IoT device.

Another aspect is that the information about security and privacy is usually not available, or deeply buried. When you pick up a product package, you see nice flashy images of the UI, logos of supported operating systems, the number of megapixels, gigabytes and gigahertz, but nothing about the data it collects, the purpose of collection, the encryption algorithms used, and so on.


As an analogy, think about the ecological impact of plastic and fossil fuels. There is much more awareness on this front, as such matters have been discussed for decades. And yet... Microplastics are now likely to be a part of our diets, and the glaciers are retreating.


The good news is that something is being done about IoT privacy, at least within the EU. With the advent of the GDPR, they are funding such research. I have co-authored a paper that suggests a way to address the issue - "Let there be LITE" (there's a poster with the label and a summary of results, to give you an idea). The purpose of the label is to provide concise and salient information, understandable by non-experts, about the data an IoT device collects, the place and duration of storage, the purpose of collection and the parties who access it. I would greatly appreciate it if you shared your thoughts about the design of the label and the ways in which you would improve it.

POLAR • October 23, 2018 4:53 AM

It turns out that IoT security is so low that you can look into your IoT device and stare the police staring at you.

me • October 23, 2018 7:02 AM

@David
A browser extension backdoor is complex; I understand that people might not think that it can be a problem, but an IoT camera, connected to the Internet, without ever setting up a password???
Anyone should think: is this public?
On the other side people can think "if they sell it, it is secure" and don't think no password = public... after all it's a security camera! Why should it be public??!?!

@RealFakeNews
I don't think they buy them because they have nothing to hide; probably they are unaware of the problem.
Yes, we are hopeless :(

@AlexR
Fair point: "they solve a problem"... or at least they should...
Because from my point of view, even without any security bug they are still garbage: a smart thermostat that works *only* with Internet and leaves you cold in mid winter because of server maintenance??
Horrible idea!
Again people unaware?? Maybe... but I have read so many stories of this:
- the smart lock that bricks because of an update
- the smart dog food dispenser that crashes so you have to feed the dog manually
...
They create more problems than they solve.

How many stories do we have to see before people realize that it is a bad idea to buy them? Does anyone have research that evaluates how many people, after getting scammed by this always-online policy + server maintenance, buy IoT things again or stop buying them?
(went a bit off topic)

VinnyG • October 23, 2018 8:03 AM

@echo re: I don't find IoT devices very appealing from a practical or maintenance point of view, plus I can't afford them.
A couple of decades ago I was fascinated by the idea of automating nearly every task in my home, right down to opening and closing window shades based on sunlight exposure and room temperature. Over time I realized that my attitude was a gross violation of the law of diminishing returns, and would also tend to make daily life pretty boring... That said, I would still have some interest in messing about with a generic hardware/software tool kit that would allow me to prototype (which for me would constitute the end use) automation of various household and real property tasks in a completely self-contained, and otherwise (relatively) secure system.

AlexR • October 23, 2018 9:17 AM

@me

Because from my point of view, even without any security bug they are still garbage: a smart thermostat that works *only* with Internet and leaves you cold in mid winter because of server maintenance??
You're right, that's very bad, but that is not the kind of thing a non-expert thinks about when buying a device. They will only consider this in winter, if the problem affects them personally. Incidentally, the label design I mentioned earlier addresses this matter, through a diagram that shows the communications the IoT device is part of. In my user study, participants were able to interpret the diagram correctly. So if you want to change the status quo, keep an eye on the evolution of that label and talk to your friends about it :-)


How many stories do we have to see before people realize that it is a bad idea to buy them?

I think you're asking the wrong question. There are zillions of articles about the detrimental effects of smoking, drinking alcohol, not wearing seatbelts - you name it! Most of us have personally witnessed the negative consequences of these choices. And yet, people do these things on a regular basis.


It takes more than awareness to change behaviour. End-users have to understand the impact before they acquire the device, and there must be a clear causal link between their choice and their wallet, their wellbeing or status.

Timothy • October 23, 2018 10:49 AM

The ICO, the UK’s independent information rights organization, published a decision notice addressing an information request made to the Bedfordshire Police regarding their ability to use the “Internet of Things” for law enforcement purposes.

According to the decision notice, the Bedfordshire Police would originally neither confirm nor deny if they held the requested information, citing an exemption of the FOIA. However, the ICO decided that the Bedfordshire Police were not entitled to rely on the exemption and have ruled that they disclose the requested information within 35 days. The complainant who issued the request issued the same request to every UK police force. Initially, the ICO considered how a selected number of police forces handled the request and will issue subsequent decision notices separately and accordingly, with this being the lead case.

The Request for Information was as follows (excerpts):

1. Do you currently have the capability to examine connected devices, also known as internet of things. i.e. what are your digital investigation and intelligence capabilities in respect of the Internet of Things. See the attached report for examples. [...]

2. If you do have the capability, what software / hardware do you use and/or which companies do you contract with to provide services to examine connected devices for information, such as in the course of police investigations. [...]

3. If you do not have the capability do you have any plans to develop skills and capacity to exploit internet of things as part of criminal investigations;

4. Do you have any internal guidance and/or policies and/or national guidance or policies on the obtaining of evidence from Internet of Things / connected devices.

6. A November 2016 HMIC report warned about the chronic digital skills shortage in policing. Do you currently, or do you have plans, for officers to receive training in relation to extracting / obtaining / retrieving data from or generated by connected devices. [...]

The ICO offers more information regarding the IoT and Consumer guidance here (search Internet of Things) and the UK’s DCMS also published a report in March 2018 “Secure by Design: Improving the cyber security of consumer Internet of Things Report.”

For anyone with a more than passing interest in IoT privacy and security, public comments for NIST’s draft IoT Cybersecurity and Privacy Risks document (draft NISTIR 8228) are due tomorrow, October 24, 2018.

echo • October 23, 2018 3:51 PM

@VinnyG

A couple of decades ago I was fascinated by the idea of automating nearly every task in my home, right down to opening and closing window shades based on sunlight exposure and room temperature. Over time I realized that my attitude was a gross violation of the law of diminishing returns, and would also tend to make daily life pretty boring...

Same. I bought into the idea of automated nirvana until I realised what this meant. I'm concerned about my health and wellbeing. I'm not happy relying on automation too much, plus I would lose the ceremony and exercise of everyday mundane tasks.

That said, I would still have some interest in messing about with a generic hardware/software tool kit that would allow me to prototype (which for me would constitute the end use) automation of various household and real property tasks in a completely self-contained, and otherwise (relatively) secure system.

Yes I can see the value in this. I'm personally more tilted towards cooking and shopping and wardrobe management. The big thing I'm really looking forward to is when robo cars become common place. Doing things like arts and crafts and going places for a day out are more my priorities. I am aware of and can use and develop technology but so much is happening and so much is disposable I have lost the will.

echo • October 23, 2018 4:01 PM

@Timothy

This is typical of UK institutions. I'm unsure whether it's because they cannot manage change or dilute their perceived authority or are angling for a budget increase. Given UK police cannot even manage to create a simple database to track court protection orders and were so behind the times with computers they spent years editing witness statements to change "mouse" to "manual input device", it's enough to make you scream.

You can see how achingly slow UK police are when women have to kick up a royal stink to get the police to understand complex crimes involving discrimination and equality (aka "intersectionality"), or how police are only now beginning to say they need to fast-track graduates or provide training because criminals and society are becoming more sophisticated. It took decades for the police to get a clue over marital abuse and rape, and even today after legislative changes and constant media pressure the police can still behave as if they don't get it.

The public know the realities and are capable, but the police are so institutionally behind they need crime figures and bodies to rack up to the point where they are a millisecond away from triggering a public enquiry before lifting a finger.

UK police have a habit of pulling tricks like they pulled with this FOI. If it's not one thing it's something else and it is all the time.

Clive Robinson • October 24, 2018 1:41 AM

@ VinnyG, echo,

Over time I realized that my attitude was a gross violation of the law of diminishing returns, and would also tend to make daily life pretty boring...

There is also the issue of "self reliance"...

Whilst I am not a "survivalist" type, I do know how to survive with not much in quite a few environments and more importantly repair and make my own tools etc.

I am increasingly aware of teenage children that are completely lost in an urban environment in a temperate climate without their mobile phones... Even older teens and Uni students appear incapable of having "lives" without their phones; the battery dies and they go into some kind of weird almost timeless limbo till the charge light goes out... Worse, the almost incoherent panic of trying to find a charger when the battery dies and they are away from home. So much so that some coffee shops use mobile chargers as a way to make you buy more coffee at ridiculous prices...

Even adults are now becoming dependent to the point they "live in the moment" with social meetings requiring "talk in" or "instrument landing"...

What worries me is that as we make our lives easier with gadgets we actually bring our children up to be dependent on them or more correctly being incapable of life without technology...

Back in the late 1980's when the Cold War was still a Hot Topic of conversation, you would hear people talking about EMP from a nuke exploded over the North Sea taking out the telephone systems for much of North West Europe. They would give lurid details of how everything would come to a halt and society go into freefall, then panic, and then riots, civil unrest and starvation etc. This was back before mobile phones and many 16-bit Personal Computers, where the Plain Old Telephone System (POTS) was in many places still "rotary dial" land lines, and modems were still down in 2100 bits/second land.

It kind of makes you wonder what would happen if a similar nuke went off today... I kind of wonder if the mobile phone dependents would become the first wave of zombie-like ravening hordes ;-)

@ Wesley Parish,

You could use the basic premise for one of your stories 0:)

echo • October 24, 2018 2:15 AM

@Clive @Vinny G

What worries me is that as we make our lives easier with gadgets we actually bring our children up to be dependent on them or more correctly being incapable of life without technology...

I have noticed this too. I'm not a survivalist either, but things I was taught and learned from reading books while growing up did stick. I sometimes watch the more reasonable outdoor adventure and survival craft type of videos, not videos made by nutters (although I have watched a few). They are really interesting, especially the occasional long video you can relax to like a documentary. I wish I had an excuse to do some of these things. Lazy and impatient as consumerism has made me, I bought the bits to repair a necklace so I'm not altogether helpless. A necklace has uses too in a pinch, or so my overwild imagination tells me.

One security issue is so many people today are "smartphone zombies". They hardly seem to know what is happening around them because their noses are glued into their phones.

Brexit is causing a big enough meltdown as it is. Heaven forbid any real not manufactured crisis occurs.

Timothy • October 24, 2018 9:48 AM

@echo

This is typical of UK institutions. I'm unsure whether it's because they cannot manage change or dilute their perceived authority or are angling for a budget increase.

Nothing beats first-hand knowledge! With regards to institutional bureaucracies, is the UK’s health system organized under a nationalized system? I remember reading an article maybe last year or so, about the restrained austerity of the British health system, as opposed to the marketized American approach. I think the U.S. spends twice as much per person on health care, but I don’t recall them having proportionately better outcomes. There was also an interesting article about ‘social prescriptions’ in the UK, where doctors could write prescriptions for well-being activities like swimming, tango classes, sculpting workshops, ukulele lessons, choir, or even volunteering. I remember thinking that that was a pretty cool idea. The article reports that there are major associated cost savings.

With regards to the police, I wonder what percent of government spend is on the justice system, and how it is allocated. Does the UK have parliamentary oversight or an office of inspector general for the judicial branch? Your concerns are important and it would be wonderful if large groups were as nimble as individuals when it comes to transformation, especially when harms can be so long lasting if not permanent.

I’ve been searching for a response from the Bedfordshire Police regarding the ICO’s decision notice. The notice was dated September 20, 2018 and, if I read it right, had a 35 day compliance deadline. Whoever made the information request had some very progressive and well-articulated questions. I am excited and curious to see their next response.

Jim • October 24, 2018 6:41 PM

Undercover cops break Facebook rules to track protesters, ensnare criminals
https://www.nbcnews.com/news/us-news/undercover-cops-break-facebook-rules-track-protesters-ensnare-criminals-n916796
Police officers around the country, in departments large and small, working for federal, state and local agencies, use undercover Facebook accounts to watch protesters, track gang members, lure child predators and snare thieves, according to court records, police trainers and officers themselves.


From 5 years ago:

https://www.businessinsider.com/police-make-fake-facebook-profiles-to-arrest-people-2013-10
It's no secret cops use social media to monitor the public, but it might surprise you that they create fake Facebook profiles to nab criminals — in direct violation of the website's terms of service. The Justice Department published a social media guide for law enforcement officials this year that explicitly says officers create fake profiles even though Facebook officially bans the practice. "I was looking for a suspect related to drug charges for over a month. When I looked him up on Facebook and requested him as a friend from a fictitious profile, he accepted," one officer responded in an open-ended survey question in the DOJ's guide. "He kept 'checking in' everywhere he went, so I was able to track him down very easily." This officer isn't alone. More than 80% of the responding officials said social media was a valuable tool for crime-fighting and that "creating personas or profiles on social media outlets for use in law enforcement activities is ethical."


Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.