Albert Fox Cahn and Justin Sherman
Smart-home devices like thermostats and fridges may be too smart for comfort – especially in a country with few laws preventing the sale of digital data to third parties
You may have a roommate you have never met. And even worse, they are nosy. They track what you watch on TV, they track when you leave the lights on in the living room, and they even track whenever you use a key fob to enter the house. This is the reality of living in a “smart home”: the house is always watching, always tracking, and sometimes it offers that data up to the highest bidder – or even to police.
This problem stems from the US government buying data from private companies, a practice increasingly unearthed in media investigations though still quite shrouded in secrecy. It’s relatively simple in a country like the United States without strong privacy laws: approach a third-party firm that sells databases of information on citizens, pay them for it and then use the data however deemed fit. The Washington Post recently reported – citing documents uncovered by researchers at the Georgetown school of law – that US Immigration and Customs Enforcement has been using this very playbook to buy up “hundreds of millions of phone, water, electricity and other utility records while pursuing immigration violations”.
“Modern surveillance” might evoke images of drones overhead, smartphones constantly pinging cell towers, and facial recognition deployed at political protests. All of these are indeed unchecked forms of 21st-century monitoring, often in uniquely concerning ways. Facial recognition, for instance, can be run continuously, from a distance, with minimal human involvement in the search and surveillance process. But the reporting on Ice’s use of utility records is a powerful reminder that it’s not just flashy gadgets that increasingly watch our every move; there’s also a large and ever-growing economy of data brokerage, in which companies and government agencies, law enforcement included, can buy up data on millions of Americans that we might not even think of as sensitive.
Privacy protections in the United States are generally quite weak; when it comes to police purchases of private data, they are completely absent. This is one of the oddities of trying to update 18th-century rights to address 21st-century threats. At the time of the country’s founding, the framers wrote about protecting things like our homes, our papers and other physical objects. Flash forward to today, and these categories fail to capture most of our intimate data, including the ins and outs of your daily routine captured by a nosy electronic roommate – or a data broker.
Courts have been slow to update these legal categories to include computers and other electronic records. But while we now have the same protections for our laptops as our paper records, the matter gets much less clear in the cloud. The documents and data we access remotely every day can end up in a gray zone outside the clear protections afforded in our homes and offices.
Whether it’s our financial records, our phone records or the countless other records held about us by third parties, this data is generally open to police even without a warrant. This so-called “third-party doctrine” has come under more scrutiny in recent years, and there is some hope the courts will catch up with the changes in technology. Until they do, however, nearly all the data held about us by private companies remains completely exposed. Hence why utility records might end up in the hands of law enforcement via a private company, or how smart-home devices like thermostats and fridges could very well be sending off your data to be sold away.
While the recent Washington Post story focused on data brokerage and utility records, the smart-home phenomenon makes this problem of data sale and unchecked surveillance even worse. These gadgets are sold as flashy, affordable and convenient. But despite all that has been written about the speculative benefits of the so-called Internet of Things, these technologies are often terribly insecure and may provide few to no details to consumers on how they’re protecting our data. Ring, Amazon’s home security system, has documented surveillance ties with law enforcement; that is but one example. The more that smart devices are marketed in the absence of strong federal privacy protections, the more likely it’s not just about hackers half a world away controlling your home’s temperature – it’ll also be about arrests and deportations with the help of smart-home data.
All of which means American citizens and lawmakers must remember that protecting modern privacy is not just a question of facial recognition bans and legal restrictions on smartphone data collection, for example. It’s also a matter of regulating the appliances and smart devices that watch people in their homes – and reforming the giant industry that profits off buying and selling those systems’ data.
- Albert Fox Cahn is the founder and executive director of the Surveillance Technology Oversight Project (Stop), a New York-based civil rights and privacy group, and a fellow at the Engelberg Center for Innovation Law and Policy at New York University’s School of Law. Justin Sherman is the technology adviser at Stop and the co-founder of the Ethical Tech initiative at Duke University