On demand | 1h 39s | Intermediate

Alexa, are you spying on me? Using Smart Devices in Litigation


More and more homes contain smart devices: Amazon Alexa, Google Home, Nest Thermostat, Smart TVs, Roombas, and more. These devices store all kinds of activities and send that data to the cloud. This CLE explores the types of data available, looks at some cases where that data was used, and discusses the law regarding the collection of this type of data. Section 1 is an introduction to the CLE and covers some definitions relevant for the presentation. In Section 2, explore a variety of cases involving internet of things devices. In Section 3, attorneys will learn how to obtain data from various devices.

Transcript

Brian Chase:  Hello, and welcome to Alexa, are you spying on me? My name is Brian Chase, I am director of digital forensics for ArcherHall. Today we're going to be talking about smart devices in the home and the kinds of data they are storing about us. We'll talk about how that data is being used in litigation and we'll do that by looking at some cases from around the country. Most of the cases we discuss today are cases that were pulled from the news. They are not cases that made it up on appeal. So often we're dealing with incomplete records and possible errors made by reporters when trying to understand the data. So where those come up, where we see errors, I'll point those out, I'll discuss areas where I think the news got it wrong, but they will give you an idea of how this data is being used actively in litigation.

  Most of these cases are from the criminal arena simply because those are the ones that get picked up by the news outlets. But it won't be hard to imagine how you could use the same kinds of data in civil cases, or in other types of litigation, whether you're dealing with employment or contract or personal injury, there are a wide range of uses of this kind of data. But before we get into all of that, I just want to tell you a little bit about myself and about ArcherHall. So ArcherHall is a digital forensics company. We do work all over the country. That means we collect data from digital sources, things like cell phones, computers, social media data, email accounts, and of course, smart home devices. We collect that data in a forensically sound manner. We analyze it, we testify about it at trial. We also offer eDiscovery services.

  That's the hosted review of data. You might be familiar with tools like Relativity that are used in the eDiscovery realm. We offer those services as well. My personal background, I am based in Tucson, Arizona. I'm a graduate from the University of Arizona, both for my undergraduate and law degree. My undergraduate degree is in management and information systems. And then I went on to obtain my law degree from the University of Arizona. I practiced law for about 10 years, doing mostly plaintiff personal injury and criminal defense work, but I've been doing digital forensic expert witness work for about eight years. I have tried cases as an attorney. I have testified in excess of 20 times as an expert witness. And I teach at the University of Arizona Law School. I'm an adjunct professor there, teaching a trial skills course there at the law school.

  So with that background out of the way, let's get into our topic today. We're going to be focusing on what we call Internet of Things devices. The term Internet of Things is given to devices other than our traditional computers, laptops, and tablets that connect to the internet. Those things could include things like your Amazon Echo, your Google Home device, your Nest Thermostat, your Philips, your light bulbs, your smart refrigerators, your washers and dryers, your ovens, your crockpots. There are so many devices nowadays that are internet enabled. Just look at the next big Amazon sale, maybe Black Friday or their Amazon days, whatever their summer sale is. You're going to see a ton of these devices go on sale. They are getting more and more popular and they are getting cheaper. So we're going to see more and more of them in the home.

  Then we have another term called the Smart Home. There's no formal definition of the Smart Home, at least not one that I have seen. But what it generally refers to is when you have multiple of these internet of things devices working together. So maybe you're using your Google Home account to control your thermostat and your security cameras, or maybe you have an Echo Show device sitting in your kitchen that's connected to your ring video doorbell so that when someone rings the doorbell, it shows up on your Echo Show, or you're using your Amazon Echo to adjust the temperature, to turn lights on and off. So when you have more of these devices kind of connected together is when we start to see what we call the Smart Home. So with that background out of the way, let's get into our cases. Like I said, all of the cases today are pulled from the news.

  We'll talk about things that are not yet news stories, but the first case we're going to go over is one that is probably the most popular. If you heard of any of these stories, this is likely the one you heard about. It is a case from 2015 in Arkansas. A man named James Bates had friends over to watch football at his home. They were drinking. They watched the game and he goes to bed. The next morning he wakes up and his friend, Victor Collins is dead in his hot tub. So Mr. Bates calls 911, police arrive, and they're a little skeptical about what happened. They find broken beer bottles. There's some broken doorknobs, there's blood spots near the hot tub. So they are skeptical about the cause of death. And then the medical examiner rules the death a homicide. So police get a search warrant for the home.

  While they're searching the home, they find and seize an Amazon Echo device. They then draft a warrant to send to Amazon. And in their warrant application, they write that they have reason to believe that amazon.com is in possession of records related to a homicide investigation being conducted by the Bentonville Police Department. So why would they think that? Why would they think Amazon has data related to the homicide? Well, if you're not familiar with the Amazon Echo, I will tell you how it works. When this story first came out, a lot of people had not seen an Amazon Echo. Didn't know how it works. Nowadays almost everyone knows how it works. There's been Super Bowl commercials about it. But if you're not familiar, let's talk about it a little bit. The Amazon Echo connects to your home wifi and it listens for the wake word of Alexa.

  You can change that wake word, but by default, the wake word is Alexa. After it hears the wake word, Alexa, it sends the audio that follows up to Amazon. So basically it listens for you to say, Alexa, then it listens for what you tell it to do. It takes that whole audio snippet, sends it up to Amazon, and Amazon servers process that data, recognize what you're saying, and then send that response back to the Echo device for it to play the response, play the answer to whatever you've requested it to do. Amazon then saves that audio recording. The audio recording is saved indefinitely. So what the Bentonville Police Department is saying in their warrant application is that they have reason to believe that either somebody shouted out something like Alexa, help me I'm being murdered or shouted out something that the device would have understood to be the word Alexa, such that it recorded the following audio that came after.

  So Amazon gets this warrant and they fight it. They argue that there is a First Amendment issue and that police must have a compelling need for that data. So case starts shaping up to be a pretty interesting issue, maybe an appellate issue. So the result of this battle, well, none. Mr. Bates agreed to turn over the data. So the battle ended, he turned over the data, there was nothing useful there. And that's where a lot of the reporting stopped on this case, but there was actually more, there was another smart device. There was a smart water meter in the home, and that measured the water usage by the hour. And between the hours of one and 3:00 AM, Mr. Bates used 140 gallons of water. To put that in context, earlier in the evening when they were watching the football game, they were never using more than 10 gallons of water in an hour.

  So substantially more water being used between one and 3:00 AM. If you recall, Mr. Collins, the deceased, was found in a hot tub. So the theory became that Mr. Collins was killed in the hot tub. And then the water was drained out and refilled. Or there was water used to try to wash away the blood and clean up the crime scene. So Mr. Bates is charged with the homicide, but there was even more data. So the next news story on this case comes out and says that Mr. Bates has a step counting app on his iPhone. And that the iPhone showed once he went to bed, he didn't get up again that evening. And then the case was dismissed. I suspect this is one of the areas where the news media got it a little wrong because I'm sure you're thinking right now, well, how do we know he didn't just take his phone out of his pocket and put it on his nightstand? That would never know if he got up or not.

  And you'd be absolutely correct. What I suspect happened is that he was wearing a Fitbit or Apple watch or some type of wearable device that not only measured his steps or counted his steps, but also tracked his sleep so that it showed when he went to sleep and when he woke up, proving that he was asleep the whole night, that's what I suspect happened. So there was multiple pieces of data here. You take any one piece in isolation and you might have a very different takeaway of what happened in this case. You look at just the water meter usage, and you've got some pretty damning evidence. You look at just the step counting app and you've got some very exculpatory evidence.

  The key with digital evidence is putting it in the context of the overall story. There is a famous picture of Prince Williams. And it looks like the picture of him like from the side and it looks like he's giving the crowd the middle finger. But there's another picture. And the picture is taken from the front, head on. And there, when you can look at that picture, you see he's not giving the crowd the middle finger, he's actually holding up three fingers. So if you were to take that one picture from the side angle and take that in isolation, you've got the Prince flipping off a crowd in England, not something you would expect a Prince to do. And it's not something that he did.

  Once you look at the whole piece, you look at the other picture taken head on you see no, he's holding up three fingers. This picture I think is really helpful and understand some of the issues with digital forensics. If you take a piece of data in isolation, it might tell a very different story than what is actually going on. Digital evidence, just like all the other evidence in a case, is a piece of the overall puzzle, is a piece of the story. It must be incorporated in with the rest of the case. And if, when you incorporate it in with the rest of the case, it makes no sense, then there's a good chance the digital evidence might be wrong or rather the interpretation of that evidence might be incorrect. The digital evidence doesn't tend to lie, but the interpretation of that data can change from one examiner to the next based on their own biases that they bring with them, based on the facts that they know about the case.

  So always be placing digital evidence in the context of the overall story of what's going on in the case to try to avoid those issues of misinterpretation. So let's move on now to our next case. Our next couple cases here, we're going to talk about Fitbit. So this one is a case out of 2015, a man named Richard Dabate, and I might be pronouncing his name wrong. I'm not sure I've only seen it printed. Haven't heard it. He's in Connecticut. He calls police and describes a home intruder who came into their home, stole his credit cards, his wallet, tied him into a chair, cut him with a knife and then shot and killed his wife in the basement of their home. So when police arrive and start investigating, they are pre-suspect of Richard. They don't really believe his story. First off, why did a home intruder shoot his wife, but only cut him with a knife.

  And then he's tied to a chair, only one arm and one leg is tied to the chair. So they're pretty skeptical of his story. And his knife cut is fairly superficial. So they start looking into digital evidence in the case. And they're matching the digital evidence up with the timeline that Richard has provided. So they look at his wife's Fitbit. She was wearing a Fitbit at the time she was killed. And when they match up the data of the steps taken, recorded by Fitbit, with when she was allegedly shot and killed, it turns out she logged another 1200 steps after she died. Obviously that didn't make any sense. So they're getting more skeptical of the timeline of events, of Richard's version of what happened. So start looking at other data, home alarm sensors, Facebook activity, and cell phone records, and all of this shows that Richard's story, Richard's timeline, doesn't work.

  He ends up getting charged with the homicide of his wife. As of the time that I am making this recording in July of 2021, his case has not yet gone to trial. It was actually set for trial last year in 2020. It was in the early spring, but you'll probably all remember what happened in early spring 2020, COVID shut down the trial. It got postponed. It has not yet been rescheduled. Our next case with a Fitbit comes out of Pennsylvania. A woman in Pennsylvania called 911 to say she was sexually assaulted. She woke up at midnight to an assailant on top of her in her home, in her bed. She struggled with the assailant and she said her Fitbit fell off in the process. So the police found the Fitbit and examined the data from it.

  And it showed that instead of her being asleep and waking up, as she said in the 911 call, and as she told police, she was actually awake all night and walking around. There were steps being logged all night. They combined that data with other data from the scene, other evidence, no signs of forced injury, things like that. And they ended up charging her with false reporting to law enforcement because her own Fitbit showed that she was not telling the truth about what happened. Another story, this one's in 2016. There's a woman named Nicole Vander Heyden, who is found beaten and strangled to death in a field. The night before she is at a concert with her boyfriend, Doug Detrie. The police look at Doug Detrie and look at his cell phone and the victim's cell phone. And they see a text message exchange between the two where she's accusing him of cheating on her.

  So he becomes a suspect. The night before she turns up dead, he's being accused of cheating on her. Sounds suspicious. Then there's blood found in the garage of their home. They live together. The cord that was used to strangle Ms. Vander Heyden was found across the street from their home. So police arrest Mr. Detrie believing that he killed her at their home and then disposed of her body in a field. But we have got smart home data here, Mr. Detrie was wearing a Fitbit. It showed that once he got home, he took very few steps that night. Got up, went to the bathroom, checked on their baby, but really didn't do much. And then there was more, he had a device installed on his car for Progressive Snapshot. Now, many of the auto insurance companies out there, when you sign up for a new auto insurance policy, they'll offer to give you a discount if they can monitor your driving for six months.

  They do that in one of two ways. One is that you agree to install an app on your phone that uses your phone's GPS to track your driving. And the other is a physical device that you plug into the car's OBD port, that kind of diagnostic port under the steering wheel. And he had one of these devices plugged into his car. That device uses GPS and has a cellular connection. It monitors where you drive and how you're driving. It showed his car didn't move that night. So he's got Fitbit evidence showing very few steps, nothing really unusual, sleeping most of the night. And he's got data from his vehicle showing his vehicle didn't move that night. So the data really is exonerating Mr. Detrie. The DNA evidence from Ms. Vander Heyden comes back and points to another man, a man named George Burch.

  So law enforcement goes to Google and asks Google for location history for Mr. Burch. And Google's location history puts Mr. Burch at all of the locations as Ms. Vander Heyden, at her home and at the field where her body was disposed. He gets charged with the murder. If you're not familiar with Google location data, it is a great source of information. If you have an Android phone, by default your Android phone is sharing your location with Google. That data is saved by Google in a service called Google Timeline. You could go to Google right now, type in Google Timeline in the search bar there, and you'll be able to see your own Google data. And you can see if Google has been tracking you, the data is really granular.

  It shows where you were, when you were, how you got there. Did you ride a bike? Did you walk? Did you take public transportation? Did you drive a vehicle? Google knows the difference between all of those different things and they store this data. So in this case, Mr. Burch had a phone that was sharing its location with Google and law enforcement got a warrant for Google to produce that data. And sure enough, it showed Mr. Burch at all of these locations pointing towards his guilt. But again, keep in mind they didn't just use his location history. They used location history, combined with DNA evidence. You always want something more than just the data. What if Mr. Burch had given his phone to a friend of his and his friend borrowed and his friend's responsible. We don't know who the user of the phone is.

  So you want to combine it with other evidence, in this case that other evidence was DNA evidence. Now, many times we'll get location data from other sources. You can use your Fitbit for location services, or maybe you pair your Fitbit or your Apple watch, or your other wearable exercise tracker with an app like Strava or Wahoo that are used to track bike ride and runs. These devices or these apps can store location just like Google does. To illustrate this, there's a story that came out about Strava. This really isn't related to any case, just an interesting story. Strava was collecting data for people using the app to exercise, and they thought it'd be a great idea to anonymize this data and release it to the public. To show that the public look at these people exercising all over the world.

  Well, they did that. They released the data and people on the internet quickly got ahold of the data and started going through it, started looking at it. And they found very interesting things. Like very clear paths of travel around centralized facilities at what looks to be military installations that the government says don't exist. They found those military installations, CIA Black Sites, lots of data that really should not have been in the public realm. They were even able to de-anonymize this data, filter it back to a particular individual and figure out a particular individual's travel. After this story came out, the DoD did tell people who are deployed to not use apps like this since it could leak their location to the public.

  All right, our next case is out of Ohio. An individual named Ross Compton called police, said his house went up in flames. But before his house burned down, he was able to pack several bags and a suitcase and get them out to the street. Police were a little suspicious of this because Mr. Compton was an elderly individual and overweight, and he had a heart implant and a pacemaker. So police were suspicious of this fire and they got a warrant for the pacemaker data. So a cardiologist pulled the data from his pacemaker and said that this Mr. Compton's versions of events was highly improbable. And Mr. Compton ended up getting charged with arson. Now we don't know exactly what the cardiologist saw to come to that conclusion. Again, we only have the news article here, but we can speculate likely it did not show an elevated heart rate like you would expect to see in an overweight elderly man who is frantically packing because his house is burning down.

  So the cardiologist's data led to Mr. Compton being charged with arson. Mr. Compton passed away before the case resolved. So we don't have a trial transcript. We don't have a result in his case. But pacemakers though, they're storing a lot of data and that data is accessible fairly easily. They're designed so that cardiologists can pull that data off of you wirelessly. So they don't have to do surgery to get the data. They often connect via Bluetooth. There have been stories about pacemakers being hacked via Bluetooth. While hacking's really not the topic of our talk today, I will be talking about a few other stories of hacking because hacking often reveals the data that these devices are storing. So if you ever see an article in the news about some sort of device being hacked and data being leaked, while the hacking might not be important to your practice, the types of data that resulted from whatever device was hacked might be important because it reveals what kind of data that device is storing or what data the company is storing.

  And that data can certainly be useful in litigation. All right, another case here. This was another one that was fairly popular in the news. This is, I believe 2018. I could be wrong on that. But it was a Portland couple who were just talking in their home about hardwood floors, nothing particularly exciting here, just conversation. Then the husband received a frantic phone call from his employee telling him that he's being hacked and he needs to disconnect his devices. The employee says he just heard them talking about their hardwood floors. So the couple of course was a little freaked out about this and they contact Amazon. So what happened was they had an Amazon Echo in their home and the Echo heard something like Alexa send a message to, and then the employee's name. And so it did, it recorded the message. And then it said, do you want to send this message to this person?

  And then it heard the word, yes. So it sent the message to the employee. They weren't hacked, the device wasn't misbehaving. It was just kind of a fluke, a series of coincidences that led to the device recording their conversation and sending it to the employee because the device thought it heard them say, "Hey, Alexa, send a message to..." The problem was, they were far away from the device. They didn't hear the Echo talking back to them for the confirmation. So this story might be a little scary or alarming and saying pretty highly improbable. But when you take into account the large number of devices, the scale at which we're talking about here, if you were to say, this is a one in a million occurrence, then you'd expect this to happen every day. There's more than a million of these devices in the world.

  So the fact that we have one story over however many years the Echo has been out, stuff like this is bound to happen eventually. Luckily here was a fairly meaningless conversation. It wasn't leaking any private data, but it's a very, very unusual set of circumstances. And the devices are always improving to try to avoid these kind of false positive situations like this. There's another case, somewhat similar out of New Mexico, where there was a domestic violence incident. A man named Eduardo Barros was housesitting with his girlfriend and their daughter, and a fight ensues. And he draws a gun. He yells, "Did you call the sheriffs?" And according to the news, that then triggered the smart device in the home to call the sheriffs. So police arrived and they were successfully able to defuse the situation and arrest Mr. Barros, that's how the news reported it.

  There was one major problem with the news story. And that's not possible. You can't tell your device to call the sheriff. Your device doesn't know where you are. Most of them are not equipped with 911 services. Now you can add that in. There are ways on some of these smart devices to add 911 services. It's usually a paid service. It often requires connecting it to a phone line. But at the time this story came out, none of that was possible. But as we saw with the previous story, it can call other people with an Echo, assuming that this case was an Echo, we don't actually know what smart device was at issue in this New Mexico case. But you can use your Echo to call people in your contact that also have an Echo. So you can call your friends, your family members.

  You can even call other Echo devices in your home using a feature called Drop In, kind of like a telecom system in your home. So there are ways to communicate with the Echo, just not really with 911. How about we go across the pond here to England, and we've got a story of a 74 year old Gerald Corrigan who was shot and killed with a crossbow while he was adjusting his satellite dish. The suspect Terrence Whall had tried to cover his tracks. He was driving a Land Rover and he knew his Land Rover tracked all sorts of data. Most modern cars do. Most modern cars are tracking your location. They're tracking things like where the gear shifts occur. Your actual location, where doors are locked and unlocked. When that occurs. Lots of data being stored by modern vehicles.

  And Mr. Whall knew that. So he set his Land Rover on fire, but that didn't stop law enforcement. They went to Land Rover, the company, and looked to see if the data had been sent to the company. And it had. Most companies are sending the data. We've certainly heard stories about Teslas and how much data Tesla is storing about its vehicles. Same thing with Fords, GMs, there's all sorts of vehicles tracking your location and sending that data back to the manufacturer. So Land Rover produced his GPS data, which showed him traveling from his home to the home of Gerald Corrigan, and then leaving the scene right after the time that Mr. Corrigan was shot and killed with the crossbow. But there was more. That wasn't the only data from the Land Rover. The Land Rover also showed him opening his trunk for 39 seconds, which was enough time for him to grab the crossbow and that happening before the killing.

  So his Land Rover despite the fact that he tried to cover his tracks, showed exactly where he drove, that he opened his trunk and that he left the scene after the murder. Let's talk about Roombas. Many of you may have a Roomba that connects to your home wifi. If you've installed the Roomba app on your phone or other... It's not just Roomba, it's other robot vacuums. But if you've installed the app, you might have seen a map of your home. The devices are mapping your floor plan. They do that so that they're going to be able to vacuum everything and make sure they can successfully get back to the charging port when they're done. But that data, at least on the Roomba side is being sent up to iRobot, the company that makes it. And they're storing this data. At one point, a couple years ago, their CEO said that they were looking at ways to monetize this data by maybe selling it to advertisers. The next day their marketing team quickly walked that back and said, "No, no, no, your data is safe. We're not selling it."

  But they acknowledge that they have it, which means they could produce it if they have it. So if they get a warrant from law enforcement, they could produce a floor plan of your home. You could imagine situations where law enforcement might want that data. Maybe they're about to execute a raid on a facility and they want to know what it looks like on the inside to prepare for that, to make sure that they know where hiding places might be or where furniture might be. They could go get that map. Maybe they're trying to see when somebody died, looking at maybe a body on the floor. And if the Roomba was running at the same time, kind of gross to think about, but that Roomba could be bumping up against the dead body and mapping that. There are plenty of ways where this data could be useful. And it is being stored by the company.

  How about some children's toys that connect to wifi? Like the Hello Barbie. The Hello Barbie is a Barbie doll that connects to wifi and it will talk to your kids. It's very similar to the Amazon Echo in that regard, your kids can talk to it, it talks back. It's storing data. These devices have been hacked so that hackers were talking to kids, pretty creepy. So lots of data can be stored by these wifi connected toys. I'll tell you about another one. There's a smart toy from Fisher Price. It's kind of like a little teddy bear style toy, except it connects to wifi. And in the nose of the toy is a camera and the camera can be used to see your kids. It also has microphones in it. It has gyroscopes in it, like your phone does, so it can detect movement. It could store all sorts of data about how your child is playing with the toy and it can record your child.

  Again, these have been hacked. They're often accessible on the internet or via Bluetooth connections, kind of creepy. I personally would not have these kind of toys for my child or my children. That would be a little creepy to be able to have hackers communicating with children in the home. But let's switch from child's toys to adult toys. There was a story last year, 2020 about Cellmate, which is a wifi connected chastity belt for men. Researchers were looking at it and discovering that they could access these devices over the internet by guessing the six-digit friend code. The friend code is used so that a male could put on this chastity belt and then give control of the belt to their friend. And when the researchers did this, they found a ton of information about the users, such as their location, their phone numbers and their password.

  Like I said, this is kind of one of those hacking stories. And what it revealed is this chastity belt is storing the location of its users. Therefore, it's useful for location data. The researchers let the company know about this vulnerability and tried to get them to fix it. And they never responded. They tried many, many months to get the company to fix it. And the company never did. So finally they released this to the public because it was a security concern. Well, following that disclosure, hackers got this data and they started locking people into their device and then demanding ransom to get released from the device. They were demanding $270 to unlock the device.

  If you were one of the unfortunate males to get locked into this device, you had two options. One, was to pay the ransom, or two, was to take an angle grinder to the device and try to cut it off. Keeping in mind where this device is located, that second option is not ideal. So the users of this device were kind of forced to pay their ransom. I would not suggest using a wifi accessible toy like this because you can see where this could all go very, very wrong.

  Let's switch gears from this kind of lock to a different kind of lock, smart locks for your doors. So these are devices that you install on your door so you can lock and unlock your door. They're accessible via an app, sometimes you can tap your phone to the lock, to lock or unlock your door, sometimes you can type in a code to lock and unlock the door. Well, these devices connect to the internet and of course they store how the door was locked and unlocked, and when.

  So this data could be useful in a variety of circumstances. Let's say your client has one of these devices at their home, and they tap their phone to their lock at 3:25 PM to unlock the door. Well, now you've got pretty good information showing that your client is at their home at 3:25, since they tapped their phone to the lock. If your client's being accused of being across town at 3:30, pretty unlikely that they made it across town in five minutes if they just tapped their phone to their lock. And we see these locks all over the place, people are installing them on their homes, on their Airbnbs, in apartment complexes, they're becoming more and more popular because they offer a whole lot of features that can be really useful. Could see like on an Airbnb, it'd be really nice because then you'll have to deal with physical keys, same thing with apartment complexes. But any place you see these smart locks, there's going to be data about when the doors are being opened and closed, when and how they're being locked and unlocked.

  All right, let's move on from there and let's go back a little bit and talk some more about adult toys, because we got another story here. This story is out of 2018, and I covered a male device, let's switch and talk about a female adult toy. This toy connects to the phone using Bluetooth, and then can be shared over the internet. And the idea behind it is a vibrator for women and it is designed so that you can remotely control it with your partner that maybe is away or is a long distance. And the device has an app that allows a lot of sharing, including sexually explicit images. Well, hackers were able to get in, very similar to the method that they did with the Cellmate toy. There was a predictable ID, a code that they could get. And when they got in, they found those sexual images, explicit images, they found information about sexual orientation of the user, and the home address of the user.

  So again, this is not a court case, this is a hacking case, but it tells you what this kind of device is storing about its users. That data is being stored by the company, meaning that data can be disclosed with proper legal process. Not that that would be very common in any case, but it's there, and it illustrates how all of these wifi connected devices are storing data about us. So if you're making the choice to install or use a wifi connected device, you might want to think for a while about what data this device is storing and the security of that data.

  All right, let's move on to Nest devices, the Nest thermostat and the Nest smoke detector. So the Nest thermostat, both of these devices by the way are owned by Google. Nest is a Google company. So the thermostat connects to your phone and is a learning thermostat. It learns what you like your temperature to be. When it does that, it can detect your location based on your phone. So if you're not at home, it can raise or lower the temperature according to time of year to save you money on your heating and cooling bills. It can also detect when you are on your way home. Maybe it learns that you leave your office every day at 5:00, and it takes you 45 minutes to get home. So when it detects that your phone starts moving at 5:00, it can start cooling your home or heating your home to the desired temperature.

  The device tracks why it is changing temperature, when the temperature is changed and why. Was it due to an automatic schedule, was it due to detecting some sort of change, or was it due to somebody manually walking up to the thermostat and adjusting the temperature? Certainly if it's that last one that puts a user at the home at the time. On the smoke detector side, well, it's tracking smoke and carbon monoxide, pretty much what you'd expect it to track, not a lot of useful data there. But both of these devices, the thermostat and the smoke detector detect motion. So the thermostat, the screen on it is normally off, but when it detects motion, it lights up so that you can see what the temperature is.

  And on the smoke detector, if you install it in a hallway, it has a little nightlight feature. So if it's at night and it detects motion, it has a little ring light that can light up and help illuminate the hallway. And it can do that when it also detects smoke to try to help you exit the building. Well, that motion detection is saved to the device. And so that motion detection could tell us if somebody is at home at a particular time, especially on the thermostat side. Now usually those are installed high enough up in a hallway that a dog or cat isn't going to set it off. And if it's set off by motion, it should only be a person walking by that device. So that data is available, but it's only available on the device itself.

  So let's spend a little bit of time now getting away from these stories and talking about how we get this data and how we can use it in litigation. So there's three areas where we're going to find this data. One, is on the device itself, the second is from the phone, the connected phone, because almost all of these devices get set up using an app on your phone, so we can see the data in that app on the phone. And the third location is in the cloud. Much of this data is being sent up to the cloud.

  So let's talk about each one of these. At the device level you're almost never going to see this kind of data in litigation. This data resides only on the device and it generally requires destruction of the device to get at it. You have to open up the device, get at the storage chip within the device, and then you have to have specialized equipment to be able to read that data off the chip. And then you have to figure out how to interpret that data that's stored on the chip. This is very time consuming and very expensive. I have only ever seen it done in a research context, I have never seen it used in litigation yet. That's not to say that there isn't going to be a case where it's used, but it's going to be highly unlikely.

  The other part of this is that the storage on the device itself is fairly limited. You're generally not going to find a lot of data. On the thermostat, for example, that was only storing the most recent 30 days. So even if you had a case that justified the costs of disassembling this data, and reading it, and trying to interpret all of that data, unless you get that device within 30 days of the incident date, data's gone anyway, that's why it's going to be really rare to see this. You need a really unique set of facts where the case comes in quickly, it's sufficiently complicated or high value enough to justify those costs. So it's going to be very, very rare to see that.

  The data on the phone is very different. Your phone stores lots of data. Like I said, almost all of these devices get set up using an app on your phone. Let's take the Amazon Alexa app as an example. I'm sure many of you have this app, have an Alexa device at home, and you might have seen this. In your app you can see the history of what the device was doing. You can see kind of the history of the most recent things played. You can also see a history of all of the recent commands that you said, all of the recordings. So when you say, "Alexa, tell me the weather," that's stored in the app. And so you can see that in the app, you can see both Amazon's interpretation of the data, meaning what they understood your command to be, and there's a little play button where you can play the audio and you can actually listen to what was said, listen to the audio recorded.

  And that gives us a user talking to the device, because we can actually hear it, and it gives us what was actually said, as opposed to Amazon's interpretation of it since Amazon's interpretation might not be correct. We've all had those experiences where we've tried to use a voice assistant and it did not do what we asked it to do. Well, often you can go in and see why. You can see what it understood your command to be versus what your command actually was. And of course, along with all of this, we get the date and time of the recordings. Now, the play button there is actually playing audio that's stored in the cloud, that audio is not stored on your phone.

  So sometimes we don't get all of this data through a phone download when we're doing a forensic download of a phone, which is how we have to get the data associated with these apps, we will see some of it. We might not see all of it because some of it, like that audio, is actually stored in the cloud. And what happens is when you press that play button it's just going to Amazon servers, getting that audio and playing it. So a lot of the data you're looking at on your phone is actually in the cloud and not on the phone itself, but we will be able to see some of it. And what we can often do with a cloud download, or sorry with a phone download, is use the data on the phone to connect to that cloud account and then download the data from the cloud as well.

  But the cloud data, that third option, that's where we find a lot of this IOT data nowadays. A lot of this data goes up into the cloud. There's a number of reasons for that. One, is that the companies want this data so they can improve their product. The more data they have, the more they can improve their product and make it better. So they want to capture all of this data to make sure they're delivering a good product. Some companies want this data so that they can use it for advertising, to sell you ads so that they can make more money off of your data. But if this data is in the cloud, it generally means we can go acquire it from the cloud, thanks to laws like GDPR in Europe and CCPA in California, consumers have the right to get their own data. So most companies have provided a way where you can download your own cloud data.

  So we can do this at our company here at ArcherHall, we get the client's username and password, we work with them, we connect to that cloud account, and we either use forensic tools designed for cloud accounts, or we use the built in tools of that cloud account to download that cloud data preserve it, analyze it, produce it for a litigation. You can do this for yourself. You can go see some of this data. As an example for Google data, you can go to takeout.google.com. You log in with your username and password. You might need a second factor, which is like that text message code that's sent to you, or it might pop up a message on your phone saying, "Hey, is this you trying to log in?"

  But once you get into takeout.google.com, you will see where you can download all of your Google data. That includes your email, your calendar, your location history, and these smart home devices. If you have Google smart home devices, things like the Nest devices or the Google Home or HomePod, all of those devices are going to store data in Google, in the cloud, and you can download all of that data. The nice thing about cloud data is it's really easy to obtain. It's just that username and password, it can be acquired remotely, it's very inexpensive to hire forensics companies to download this data as well, because it's easy for us to obtain. And then from there we can analyze it and we can produce reports that you need for litigation.

  Let's talk about some of the legal requirements here as we get close to ending. So for those of you in criminal practice, you might be wondering, is a warrant required to get this data? Well, this cloud data is possibly third party data, it's being sent to Google, or Amazon, or Facebook, or whatever the company is. And we have the Third-Party Doctrine from US v. Miller and Smith v. Maryland in the '70s, which say you have no reasonable expectation of privacy of data you were handing over to a third party. So that would suggest a warrant is not required to obtain this data.

  And then we have the 1986 Electronics Communication and Privacy Act. You might have heard of the relevant section of this called the Stored Communications Act, which allows law enforcement to get this data without a warrant. If you're in federal court, you've probably seen a 2703(d) order, that's the US code section here for the Stored Communications Act. That's the section that allows law enforcement to get this kind of third party data without a warrant. They do have to go see a judge, they do have to provide some evidence, but it's not the same as the warrant standard.

  But in 2018, we had Carpenter, Carpenter v. US. And in Carpenter law enforcement obtained 127 days of historical cell site location information. That's data from your phone's carrier based on the phone, the cell towers, cell sites that your phone is connecting to for phone calls and text messages. Law enforcement obtained this data under the Stored Communications Act, so they did so without a warrant, as the act authorizes. But Carpenter challenged this data, said, "You do need a warrant to get this." And it went all the way up to the US Supreme Court. And the US Supreme Court agreed with Carpenter and said, "You do need a warrant to get this kind of cell site location information." And they declined to apply the Third-Party Doctrine. They said, "Look, this data is an entirely different species of business records. It is completely different than our historical business records, third-party doctrine records, which under Smith v. Maryland and Miller were canceled checks and the phone numbers you dialed, data you're giving over to your phone company, or your bank, and you're pretty knowingly doing it."

  And then Carpenter said, "Look, you don't need to opt out of modern society to be able to get the benefits of the Fourth Amendment." So the question after Carpenter is how does this apply to other things that might be third party records, like social media accounts? Do social media accounts or email accounts, do they fall in here? It's data you're knowingly handing over to a third party, but does that now require a warrant after Carpenter? Many lower courts are requiring a warrant for that kind of data. But what about our smart device data that we've been talking about today? Well, smart devices, as we've seen, store lots of data about us, and there's really no way to limit the data that it stores. So do you, by getting one of these devices, kind of give up your privacy rights, or would Carpenter suggest that you don't have to give up your expectation of privacy and a warrant is still required?

  Well, the Seventh Circuit in 2018, in the case of Naperville Smart Meter Awareness versus City of Naperville, that case held that a warrant is required to get smart electric meter data that was measuring electricity usage in 15 minute intervals. That case came out very shortly after Carpenter, and Carpenter was the reasoning behind it. We're going to see more and more of this litigation develop where defense attorneys are raising Carpenter as an issue.

  So if a warrant is required to get this kind of IOT or smart home data, what about the particularity requirement for a warrant? You can't just go get everything. And in US v. Blake, it's an 11th Circuit case from 2017, the court suggests you can't go get an entire account, you can't go get somebody's whole Facebook account or Twitter account just because you have probable cause for one incident that occurred a couple months ago. Many people have had these accounts for many, many years, the whole account does not become subject to seizure. So they said, you've got to be particular, you've got to limit that warrant to what you had probable cause for.

  And this is another area of developing case law, how much data can law enforcement get with a warrant? Can they get all of the data in the account, can they get only from the date of incident onward, can they get maybe a few months before the date of incident to try to see what data was leading up to the incident, what the normal pattern of behavior was? So these are issues that we're going to continue to see at the appellate courts, and maybe we'll see the Supreme Court take up one of these issues in the coming years as well.

  But for those of you in civil practice or on the criminal defense side, who want to get this data, there are ways that you can obtain the data. We talked about doing it through a cell phone download, but if you want to go to a cloud provider, that Stored Communications Act does apply to you. There are ways to get the data without a warrant for those who are outside of law enforcement. The Stored Communications Act, it is 18 USC 121, and it's sections 2701 through 2712. Give you that so that you can look it up. It's a 1986 law, so applying it to today can be a little challenging. There is case law out there on its application, but generally you're going to need a signed authorization from the account holder to get this data. If you were to go to say Google and ask for location data from a user with a subpoena, they won't give it to you. They will tell you the Stored Communications Act prohibits disclosure of that kind of data with just a subpoena alone. So it's often going to require more.

  Now you can get metadata with a subpoena. So maybe you want to get those phone numbers dialed, like we saw on the Third-Party Doctrine, and you can get that with a subpoena. But if you want to get content of communications, location data, more private or sensitive data, you can't just use a subpoena, you're going to need an authorization from the account holder, authorizing you to get that data. So if you're trying to get this data for your client, well, make sure you have a signed authorization, you can attach that to your subpoena and then send it off to the provider to get the data. If you're trying to get the opposing party's data, you're going to need them to authorize it. You're going to need that signed authorization first, or you're going to need them to go and get their own data from the cloud provider.

  Like I said, many of these services allow the users to download their own data, so often you can just download this data yourself or the opposing party can download it themselves so that you don't have to go this route, but obviously that's not going to work in every situation.

  So I want to wrap up here by just kind of summarizing some things and giving you some pointers for the future. So don't overlook these tiny devices in your home. The Amazon Alexa, the Philips Hue light bulbs, the Ring video doorbell, the Nest cameras, all of these devices are storing lots of data. And so if you have a case where that data might be relevant, don't forget about these devices. They can store lots and lots of data, and often this data is inexpensive to get. You can get it by logging into the cloud account and downloading it there. Now, if you are doing that, make sure you have a witness to introduce it at trial. If you downloaded your own client's data, who's going to lay that authentication and foundation testimony at trial?

  So make sure you're still thinking about admissibility of that digital evidence as you're gathering it. That's where you might want to hire an expert or an investigator to download the data, in some situations, it might be perfectly fine for your client to do it themselves, but consider admissibility when you're trying to gather the data. If you do it yourself, you might be making yourself a witness in the case. So just keep that in mind, when you're obtaining cloud data. This data can reveal all sorts of private information. It can reveal user's location, should be really useful in certain circumstances. It can show kind of their daily activity. Maybe you're litigating a personal injury case and the issue is how did the plaintiff's activity change after the injury? Well, Fitbit data might really show that, it might show the decrease in the number of steps taken every day. It might show their sleep got worse due to the pain that they're in. That IOT data from the Fitbit could be really helpful in demonstrating the damages in the case.

  Last piece of advice, be cautious about using the data, it can be misleading. Remember, taken in isolation, you could draw very different conclusions about what's going on. So always take precautions, always fit it in with the overall story of the case. If it matches up with other witness testimony or other facts not in the case, great, it gives more weight to that evidence. If that digital evidence doesn't match up with anything else, well, maybe the interpretation of the evidence is wrong. Not necessarily, it could be that witnesses are lying and the evidence is straightforward, but you always want to exercise caution. You don't want to overly rely on evidence or take a too narrow approach of the evidence so that you're not getting a full picture. You want the full picture so you're properly understanding how this data is used and what it means.

  So I thank you all for attending. I hope you found something useful here today. And certainly if you ever have questions about this kind of digital evidence, or you want an expert to help you out, please feel free to reach out to us here at ArcherHall. You can find us at www.archerhall.com, and you're welcome of course to contact me directly, my email address is bchase, that's B C-H-A-S-E, at archerhall.com. Our phone number is (855) 839-9084. Thank you all for attending, and I hope you get to use this data in your upcoming cases. Bye.

Presenter(s)

Brian Chase
Director, Digital Forensics
ArcherHall

Credit information

Jurisdiction | Credits | Available until | Status
Alabama | 1.0 general | | Approved
Alaska | 1.0 voluntary | | Pending
Arizona | 1.0 general | | Pending
Arkansas | 1.0 general | | Pending
California | 1.0 general | | Pending
Colorado | 1.0 general | | Approved
Connecticut | 1.0 general | | Pending
Delaware | 1.0 general | | Unavailable
Florida | 1.0 technology | | Pending
Georgia | 1.0 trial skills | | Approved
Guam | 1.0 general | | Pending
Hawaii | 1.0 general | | Pending
Idaho | 1.0 general | | Approved
Illinois | 1.0 general | | Approved
Indiana | 1.0 general | | Approved
Iowa | 1.0 general | | Unavailable
Kansas | 1.0 general | | Unavailable
Kentucky | 1.0 general | | Not Offered
Louisiana | 1.0 general | | Not Offered
Maine | 1.0 general | | Not Offered
Minnesota | 1.0 general | | Approved
Mississippi | 1.0 general | | Not Offered
Missouri | 1.0 general | | Pending
Montana | 1.0 general | | Approved
Nebraska | 1.05 general | | Pending
Nevada | 1.0 general | | Not Offered
New Hampshire | 1.0 general | | Pending
New Jersey | 1.2 general | | Approved
New Mexico | 1.0 general | | Approved
New York | 1.0 areas of professional practice | | Pending
North Carolina | 1.0 general | | Unavailable
North Dakota | 1.0 general | | Not Offered
Ohio | 1.0 general | | Unavailable
Oklahoma | 1.0 general | | Unavailable
Oregon | 1.0 general | | Approved
Pennsylvania | 1.0 general | | Pending
Puerto Rico | 1.0 general | | Unavailable
Rhode Island | 1.0 general | | Unavailable
South Carolina | 1.0 general | | Approved
Tennessee | 1.0 general | | Approved
Texas | 1.0 general | | Unavailable
Utah | 1.0 general | | Approved
Vermont | 1.0 general | | Pending
Virginia | 1.0 general | | Unavailable
Virgin Islands | 1.0 general | | Not Offered
Washington | 1.0 law & legal | | Approved
West Virginia | 1.2 general | | Approved
Wisconsin | 1.0 general | | Not Offered
Wyoming | 1.0 general | | Not Offered