With Google’s acquisition of technology company Nest, not only has Big Data met the Internet of Things, we have allowed the camel’s nose into the tent of privacy.
The Supreme Court is all over the map when it comes to privacy, allowing for example the government to obtain intimate information about people with or without a warrant by subpoenaing from third parties by flying over their homes, by collecting data in “public” places, by installing beepers and tracking devices, and by conducting all manner of surveillance and data collection.
But there has been a general “bright line” test in Fourth Amendment jurisprudence – the four walls and roof of a home.
When it comes to a private domicile, the Supreme Court has tended to extend privacy protections. It has refused to allow law enforcement agents to conduct dog sniffs for drugs at the “curtilage” of the home (immediately adjacent to the house), refused to allow the cops to enter the curtilage to install wiretap devices, monitoring devices, or even examine the trash. It has disallowed warrantless monitoring of beepers or tracking devices within the home, and in one landmark case, it refused to allow the police to point an infrared sensor at a home to determine whether or not a person was emitting “excess heat” and therefore inferring that they were illegally growing marijuana in their home.
There’s just something about a home that acts as a “bright line” for the Supreme Court. Note that the Fourth Amendment itself does not single out the home, nor does it afford the home any particular privacy protection. The Amendment protects “persons, places, houses [not homes] and effects” against unreasonable searches and seizures.
But the Supreme Court believes that your home is your castle, and searches (like dog sniffs) which are reasonable when performed on your person at airports or on the street, or in your car at traffic stops, in your luggage and effects, become “unreasonable” when performed at the building where you pay the rent or mortgage.
But modern technology extends the “home” into the Internet. The Internet of Things takes private, personal things that are happening in the home and place them into a potentially unprotected domain. In this way, and by sharing information about what is happening inside the home with third parties, Supreme Court precedent will deem the homeowner to have voluntarily given up their privacy interests in their home. That’s where the third party doctrine comes in.
In Smith v. Maryland, the Supreme Court made an unremarkable finding. When the government suspected Smith of making harassing and obscene (and stalking) calls to a woman he had robbed a few days earlier, the police subpoenaed Smith’s telephone records from the phone company to see if he was, in fact calling the victim. He was.
The Court rejected Smith’s claims of a reasonable expectation of privacy in the fact that he had called the victim because the records subpoenaed belonged to the phone company, and because they had been “voluntarily provided” this information to the phone company knowing that it could be used. The Smith court relied on language in the phone book to evidence consent, much like a more modern Terms of Use on a website can establish consent. The Court said:
Most phone books tell subscribers, on a page entitled “Consumer Information,” that the company “can frequently help in identifying to the authorities the origin of unwelcome and troublesome calls.” E. g., Baltimore Telephone Directory 21 (1978); District of Columbia Telephone Directory 13 (1978). Telephone users, in sum, typically know that they must convey numerical information to the phone company; that the phone company has facilities for recording this information; and that the phone company does in fact record this information for a variety of legitimate business purposes.
So if you voluntarily provide information to a third party, then the government can get it from that third party without your knowledge or further consent.
Hornet’s “Nest”
Enter the Internet of Things. With smart homes, smart watches, smart phones, and smart devices, we will assume that every day objects – from refrigerators and toasters to biometrics and other monitoring devices will not only have the capability of collecting data about us, our environment and our activities, but also to transmit, share, and analyze that data.
A jogging application can tell not only when and how hard I am running (or not running) but also where I am running, the times I choose to run, the weather when I run and don’t run, etc.
A user may choose (or use an app that is designed to choose for you) to have that data stored or analyzed on an Internet based or cloud based server. There is a great deal of utility to doing so. By sharing that data with the cloud, the user can compare their time with others, can track their progress over time, can be alerted to changes in gait or timing which could be for example unknown symptoms of injury or disease. The data could also be accessed by doctors or other medical professionals to assist them in determining the overall health of the subject. The miracle of the Internet of Things.
An Internet connected refrigerator can not only balance its electricity use to ensure peak load balancing to avoid blackouts and brownouts, it can ensure that the Shabbat laws )for observant Jews) on turning on lights and compressors on the day of rest are followed. It can analyze food consumption to recommend a new diet, can know when the milk has reached its expiration date and order new skim milk from the grocery store. The refrigerator will also know what foods you buy, what brands, and which ones you actually eat. It knows if you are really eating your vegetables, or just buying them and letting them wilt. And of course, as it monitors you, it can be monitored by others – or as we recently learned – it can be hacked.
The Internet of things means that we are inviting tracking devices into our homes and agreeing to share the results with third parties.
And once we share with third parties, we lose both control over the data, and the privacy of that data – no matter what the privacy policies of those third parties say. We can expect that these devices will be infiltrated and any security contained therein will be compromised – either by some government or by some hacker.
That’s almost a virtual guarantee. Privacy policies routinely fail in the face of governmental subpoenas, demands, or warrants. The fact that we have “voluntarily chosen” to share our data with a cloud based server or other Internet connected service means that we no longer have a “reasonable expectation of privacy” in that data.
So the home is no longer the castle.
While the government can’t point an infrared tracking device at our house (without a warrant) to see if we are emanating heat, it can (and routinely does) get information about our “excess” electricity use from the power companies – often by prearrangement with these government regulated entities.
While they can’t install a device to see if we are opening doors, or moving through the house without a warrant, they can subpoena records of our movements from the company monitoring our security cameras or motion sensors. Our smart smoke detectors, CO2 detectors, and other devices become surveillance devices against us. While Google may want this data for commercial purposes (and we may or may not be willing to let them have it) once it is given up to Google, it becomes available as a matter of law to the NSA, the FBI, the CIA, and any US or foreign government with a subpoena and the power to enforce it. Oh, and to any 17 year old hacker.
The Internet of Things represents a sea change in technology. We will also need a sea change in the law to accommodate it. And that ain’t happening any time soon.