A landmark murder case is being built around the data collected by Amazon Echo and other smart home devices, a clear sign that police authorities and surveillance agencies see as much value in IoT devices as we do. So, do we know what we’re letting ourselves in for this connected, Artificial Intelligence-led world?
Over the Christmas break, I was fascinated to read of an upcoming murder trial in the US, where police in Arkansas requested access to one of the new Amazon speakers, in the hope it provides some useful evidence.
According to tech news website The Information (subscription required), authorities in Bentonville issued a warrant for Amazon to hand over any audio or records from an Echo speaker belonging to James Andrew Bates, who will go on trial next year for the murder of Victor Collins.
Amazon, significantly, declined to give police any of the information that Echo logged on its servers, but did hand over Bates’ Amazon account details and purchases.
Police say they were able to pull data off the speaker, but it’s unclear what information they were able to access, and even if this was of any use. Indeed, some may ask why this information would be useful to police in the first place, but today’s smart devices are ‘always-on’ and have tiny microphones (the Echo has seven) that are often listening, even if the user hasn’t requested the device to do anything.
In Amazon’s case, the Echo keeps approximately 60 seconds of audio in memory for pre-processing so responses can be “instant” (think like caching with web browsers). This listening is done locally, and not in the cloud – hence the police’s interest in accessing data from the device.
Echo is activated using the wake-up word ‘Alexa’, but we’ve known for some time that IoT devices can innocuously pick-up conversations nearby without being ‘on’ – this was the case with Samsung’s Smart TVs, which were caught spying on users in 2015.
There has clearly been a lot of publicity around this case, but the Amazon Echo element is actually pretty irrelevant. Cynics would argue that the chance of pulling some useful data is fairly low.
What is fascinating, though, is that Bates had numerous connected devices in his home, including a water meter, which showed that 140 gallons of water were used between the hours of 1 a.m. and 3.am on the the night Collins was found in Bates’ hot tub. This is apparently a normal amount of water to be used for a hot tub, but it shows how smart home devices can implicate you without you even knowing.
Related: Users risk security by not updating connected IoT devices
Encryption debate rears its ugly head again
This murder case comes at a fascinating time as far as information security is concerned, because we’ve recently witnessed the biggest encryption debate in the 21st century.
We’ve had the FBI push Apple and other Silicon Valley giants to create backdoors in their products, and then the UK quietly introduced the most draconian surveillance laws we’ve seen in modern history (popularly known as Snooper’s Charter, but officially known as the IP Bill). Germany also has contentious privacy laws. It’s almost as if Edward Snowden’s revelations on NSA/GCHQ mass surveillance never happened…
To be fair to Apple and Amazon, they have fought for users’ privacy. Microsoft is another, having recently fought attempts to hand over data on one customer, stored in an Irish data center, to US officials.
We need these technology behemoths, these unexpected guardians of our digital privacy, to continue this fight because we are seeing an explosion in ‘smart’ devices that can track our every action.
All too often we assume that the only security risk here is that of cyber-criminals trying to access or sell our details, but we forget that law enforcement could also be interested in this data, not to mention companies looking to know more about who we are.
The danger with the smart home boom is two-fold. 1) They will know everything about our whereabouts and actions, and 2) owing to the race-to-the-bottom approach that exists in the consumer electronics market, we will increasingly be buying products from unproven vendors, with unknown intentions. We also don’t know how these vendors will react to government pressure.
This may sound like doom and gloom, but when you see tech giants like LG and Samsung Electronics introduce lightweight privacy policies, and little-known IoT device manufacturers showing little appetite for reporting data breaches (or even fixing the underlying security vulnerabilities exposing users’ personally identifiable data), you know that there’s more to come as the number of devices scales up. This is not theory – last year, we saw that Sony’s IP cameras had backdoors which could potentially be exploited.
This leads me to ask if customers know what they are buying, and from whom? Because ultimately the convenience of any smart device – for a consumer or business – will be forgotten when the authorities have reason to go snooping through your personal, proprietary or confidential data.
More smart home devices at CES, but more police interest too
The smart home juggernaut is not going to stop. As analyst firms predict, mainstream adoption is not far away.
This week’s CES in Las Vegas is a good example; we’ve seen everything from home robotics and automation and voice assistants, even down to smart hairbrushes and other niche products.
Most of these products will be binned within the year owing to a nascent market, but as a trend, there’s no ignoring it.
Indeed, it’s no coincidence that the adoption of these devices is happening as governments are looking to increase their powers, and where police are fighting to become more tech-savvy as crime moves seamlessly between the analog and digital worlds.
As a parallel to the Amazon Echo case, this week we reported on the news that the UK’s Met Office were looking to take digital forensics to smart devices, like investigating smart fridges.
I’ve spoken to Mark Stokes, the Met’s head of digital, cyber and communications forensics unit, before, and he lamented the downsides of encryption and – to be frank – online privacy, from a police perspective.
Some would argue it’s natural for police, not to mention surveillance bodies like NSA and GCHQ, to seek new ways to identify and implicate criminals. A brief look back in time shows this is to be expected.
After all, we’ve seen the advance of DNA, fingerprinting, two-way radio, phone tapping and more recently, digital forensics. Go back to 1910 and you would find the first instance of wireless telegraphy being used in the arrest of criminals.
What’s my point? Criminals will always be ahead of the authorities on exploiting technology, but the authorities will use all means – legislative and leaning on tech providers – to get ahead.
Ordinary citizens and businesses will be caught in the middle, perhaps unaware what data these devices are collecting, where they stand legally, and if authorities have access to their personal data. Privacy as we know it is dead – and there will be more cases like this to come.
This article originally appeared on IoB’s weekly IoT newsletter. Click here to sign up!