In the US, the concept of the ‘reasonable expectation of privacy’ came about when the police were considered to have breached the Fourth Amendment by wiretapping a public phone to capture a gambling ring. Today, we have a reasonable expectation of privacy in our own person, home, car, office and, to some extent, public places. New data privacy regulations, such as GDPR, have extended this to strengthen the rights of individuals over how their personal data is captured and used.
So what’s the difference between a wiretap on a public phone and gathering evidence from an IoT-enabled device such as a personal assistant like Alexa or a wearable like Fitbit? For all its potential, IoT could easily become an ethical and data privacy minefield for law enforcement.
Are garbage bins spying on you?
In 2012, the City of London had a great idea: it put video screens on its public garbage bins. But unknown to the public, the bins were harvesting information on WiFi-enabled devices to track the movements of their owners. In the first month, over a million unique devices were recorded before the scheme was closed down due to a public outcry.
IoT devices gather a vast amount of data, and it is increasingly difficult to ensure that the individual has properly given consent for their data to be captured in this way. The question becomes: what rights does the law enforcement agency have to use that data?
GDPR offers both a ‘vital interest’ and a ‘public interest’ basis for processing personal data. The public interest basis applies where processing is ‘necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller’. The huge word here is ‘necessary’. The regulation deems ‘necessary’ to mean targeted and proportionate to the intended purpose. Say a camera captures a known drug dealer in an area where they haven’t been seen before. Would the law enforcement agency be entitled to retain that information to track the drug dealer?
The answer is likely to be negative. Personal information that’s captured for one purpose can only be used for the initial purpose. Anything else, except in some limited circumstances, has to be considered an unauthorized secondary purpose. Data privacy regulations place an emphasis on data minimization, meaning you shouldn’t keep data you don’t need.
As personal data from IoT devices increases, law enforcement requires extremely tight policies and governance on how that data is captured and stored. In addition, data management solutions are required to ensure the legitimate use of the data as it passes through the system from the initial contact to the final delivery of digital evidence to court.
IoT and the threat of cyber attack
Today, almost any IoT device is vulnerable to cyberattack – even Alexa, Siri and Google Home were hacked simply by shining lasers at them! Many experts believe that IoT now represents the largest cybersecurity risk.
The increasing adoption of IoT-enabled devices, such as body-worn cameras, connected weapons and smart vehicles, is creating a huge attack surface for hackers. There are simply too many examples where an IoT device with limited security has been the entry point for criminals into corporate systems. In some ways – although still incredibly important – data breaches become a lesser problem for law enforcement. Just consider what a malicious hacker could do if they got control of an IoT-enabled firearm!
This year, we’ve seen the first moves to address this situation. In the US, the Internet of Things (IoT) Cybersecurity Improvement Act requires agencies within the federal government, contractors and vendors providing IoT devices to the government to be more transparent in communicating any cybersecurity vulnerabilities associated with connected devices. In addition, the SB-327 law comes into force in California next year to ensure device manufacturers equip their devices with ‘reasonable’ security features to prevent unauthorized access, modification or information disclosure.
These are steps in the right direction but it’s important that all law enforcement agencies protect the edge of their network. In effect, IoT introduces a growing number of edge devices that have to be securely provisioned, managed and decommissioned.
The role of an identity-driven IoT platform
An identity-driven IoT platform gives a law enforcement agency the ability to create and manage a single, central identity for everything that’s attached to its IoT network, including IoT devices, applications, people and other resources. New devices connecting to the network are immediately identified and, if authentication can’t be established, isolated. The agency has an end-to-end identity infrastructure that manages access, relationships and lifecycle for every IoT device in use within the organization.