Law enforcement authorities increasingly rely on information collected by Internet of Things devices as a source of evidence in support of their investigations. Substantial publicity developed when authorities in Arkansas recently subpoenaed communications collected through Amazon’s “Alexa” service which operates in conjunction with the Amazon “Echo” devices. Alexa, a popular digital assistant service, responds to voice commands, answering queries and performing errands as instructed by the user. The authorities in Arkansas sought the Alexa communications as part of a murder investigation.[i]

      In response to the subpoena, Amazon confirmed that it retains a substantial archive of audio recordings and transcripts documenting user communications processed through the Alexa service. When individual consumers communicate with the Alexa service, Amazon retains a record of that communication. Amazon argued that the content of its Alexa communications archive should be accessible to government authorities only when those authorities can demonstrate that there is a compelling need for such access and that the information sought can not be obtained from other, less intrusive, sources.

      Game devices provide another set of Internet of Things equipment now often targeted by government authorities. For example, Sony’s PlayStation game platforms now enable individual players to compete against others located around the world through its “PlayStation Network” (PSN). PSN makes use of the Internet to connect its global network of players. The PSN platform also enables players to communicate securely with each other through voice and text messages, all communicated through the PSN system.[ii]

      Government authorities allege that criminals and terrorists can use the PSN communications platform to communicate securely. Sony, in its terms of use associated with PSN reserves the right to record and monitor PSN communications and other PSN activities as may be necessary for compliance with law. Presumably in this setting, authorities could subpoena Sony’s PSN archive to access communications the PlayStation users believed to be private.

      Audio headphones and speakers are among the most recent Internet of Things devices to generate usage monitoring concerns. In a recently filed lawsuit, users of wireless headphones and speakers manufactured by the well known company, Bose, alleged that the company collected data documenting the diverse content accessed by users through the Bose equipment. The users further claimed that Bose sold that information to other parties.[iii]

      This case alleges that the app provided by Bose, “Bose Connect,” which enables users to access audio content for their Bose wireless headphones and speakers also tracks all of the content accessed by the device and shares that information with Bose. The customers allege that, through this system, Bose creates a database of user listening activities and preferences. They further allege that Bose then sells that information to advertisers and vendors.

     If these allegations regarding “Bose Connect” are accurate, then the company could presumably track all audio content accessed by users of the Bose equipment, not only music but also all other forms of sound recordings and communications, including speech. If Bose has created this type of user monitoring database, then government authorities in various regions of the world are also likely to be interested in accessing the data to identify audio content accessed by targeted individuals.

      The range of devices incorporated into the Internet of Things seems to expand daily and each additional category of connected devices brings additional information gathering concerns. Televisions that are part of the Internet of Things provide us with convenient access to diverse media content, yet also have the capability to eavesdrop on our in-home personal communications. Automobiles and other vehicles connect to the Internet to make us safer and more efficient, yet they too have the ability to monitor our communications and track our travels. Medical devices, such as heart pacemakers and insulin pumps, integrate Internet connectivity for greater efficiency of diagnosis and treatment, yet also generate extremely personal and sensitive information collected, owned, and controlled by the device manufacturers, not the individual patients.

      At present, the businesses that provide Internet of Things devices and services associated with those devices appear to be eager to establish massive archives collecting communications and information associated with the use of those devices by individual consumers. This approach is, in part, understandable. The enterprises involved view that consumer use material to be highly valuable, in a commercial sense. It is important to recognize, however, that creation of those archives invites continuing demands by governments around the world for access to the content of the archives for law enforcement and national security purposes.

      By using the Internet of Things to capture data and communications associated with individual consumers, companies are cultivating an extremely valuable commercial asset. That asset, however, also places a substantial burden on those companies. It makes the companies targets for government investigators around the world. Just as a variety of commercial enterprises view customer information generated by the Internet of Things to be highly valuable, so too are governments eager to have access to that information in support of their surveillance and investigatory efforts.

      While this is a relatively new area of law in which the case law is not quite settled, there have been some instructive cases that were based on comparable principles. In many of these cases, courts have put limits on governments’ abilities to conduct investigations into electronic data. For example:

      In 2010, the Sixth Circuit Court of Appeals ruled that the government could not force an Internet Service Provider to turn over emails to government investigators without a warrant. Even though federal law (the “Stored Communications Act”) specifically allowed the government to force an ISP to turn over emails, this federal act was unconstitutional as applied to cases where the government had no warrant. The court held that “a subscriber enjoys a reasonable expectation of privacy in the contents of emails that are stored with, or sent or received through, a commercial ISP."[iv]

      Similarly, in 2015, the Fourth Circuit ruled that the government had violated the Fourth Amendment when, without a warrant, it inspected a person’s cell phone’s historical cell site location information to trace the movements of the person over a long period of time. While a person generally has no reasonable expectation of privacy in his location at any given moment, there is a reasonable expectation of privacy that is infringed when the government uses information available only through technological means not available to the general public to track a person’s movements over a long period of time.[v]

      In 2016, the United States District Court for the Eastern District of New York refused to force Apple to assist with bypassing security on an Apple device. In this case, the government had a warrant to search the device in question. But it could not force the manufacturer to assist in allowing the government to access the information.[vi]

      Also in 2016 (in fact, only weeks after the Apple decision), the District of Kansas refused to issue a warrant that would have forced Microsoft to disclose copies of the emails of a defendant alleged to have violated copyright laws. The court held that the application to view all of the defendant’s emails was so broad as to violate the “particularity” requirement of the Fourth Amendment, which requires that warrants “particularly describe” the things to be seized.[vii]

      The precise extent to which government investigative authorities can access electronic data is unclear, but these cases demonstrate that the courts are vigilant about protecting people’s privacy rights, even when it comes to electronic data.

      In a sense, the Internet of Things provides a commercial network which can extend the reach of government surveillance and investigation beyond the scope previously permitted by United States law. Millions of law abiding Americans have invited the Internet of Things into their homes through multiple devices in the name of convenience. As those devices capture information and transmit that information to vast private repositories, personal consumer information is archived on a massive scale. Personal information is thus warehoused for future commercial use and for future government access.

      The U.S. government has never been permitted to place information gathering devices into the homes of millions of Americans without specific legal justification. Now however, thanks to the energetic efforts of commercial companies, a network of surveillance and monitoring devices exists, at the invitation of consumers, and government authorities now routinely access that network as part of their law enforcement and national security activities. It is not unreasonable to suggest that governments around the world have, at least in part, outsourced their monitoring and surveillance functions to the commercial companies that operate the Internet of Things. In the age of the Internet of Things, the key defender of the privacy of the individual citizen is the court system, which will be called upon to review a rapidly growing number of government requests for access to the substantial private collections of user information generated by the ever-growing network.