You may have a roommate you have never met. And even worse, they are nosy. They track what you watch on TV, they track when you leave the lights on in the living room, and they even track whenever you use a key fob to enter the house. This is the reality of living in a “smart home”: the house is always watching, always tracking, and sometimes it offers that data up to the highest bidder – or even to police.
This problem stems from the US government buying data from private companies, a practice still quite shrouded in secrecy, but relatively simple in a country like the US that has weak privacy laws: approach a third-party firm that sells databases of information on citizens, pay them for it and then use the data however deemed fit. The Washington Post recently reported – citing documents uncovered by researchers at the Georgetown school of law – that US Immigration and Customs Enforcement has been using this very playbook to buy up “hundreds of millions of phone, water, electricity and other utility records while pursuing immigration violations”.
“Modern surveillance” might evoke images of drones overhead, smartphones constantly pinging cell towers, and facial recognition deployed at political protests. All of these are indeed unchecked forms of 21st-century monitoring, often in uniquely concerning ways. Facial recognition, for instance, can be run continuously, from a distance, with minimal human involvement in the search and surveillance process. But the reporting on Ice’s use of utility records is a powerful reminder that it’s not just flashy gadgets that increasingly watch our every move; there’s also a large and ever-growing economy of data brokerage, in which companies and government agencies, law enforcement included, can buy up apparently fairly innocuous data on millions of Americans.
When it comes to police purchases of private data, privacy protection is completely absent. This is one of the oddities of trying to update 18th-century rights to address 21st-century threats. At the time of the country’s founding, the framers wrote about protecting things like our homes, our papers and other physical objects. Forward to today and these categories fail to capture most of our intimate data, including the ins and outs of our daily routine captured by, say, a nosy electronic roommate or a data broker.
Courts have been slow to update these legal categories to include computers and other electronic records. But while we now have the same protections for our laptops as our paper records, the matter gets much less clear in the cloud. The documents and data we access remotely every day can end up in a gray zone outside the clear protections afforded in our homes and offices.
When it comes to police purchases of private data, the protections are completely absent. Our financial, phone and countless other records held about us by third parties are generally open to police even without a warrant. This so-called “third-party doctrine” has come under more scrutiny in recent years, and there is some hope the courts will catch up with the changes in technology. Until they do, however, nearly all the data held about us by private companies remains completely exposed. Utility records might end up in the hands of law enforcement via a private company, or smart-home devices like thermostats and fridges could very well be sending off your data to be sold away.
While the recent Washington Post story focused on data brokerage and utility records, the smart-home phenomenon makes this problem of data sale and unchecked surveillance even worse. These gadgets are sold as flashy, affordable and convenient. But despite all that has been written about the speculative benefits of the so-called Internet of Things, these technologies are often insecure and may provide few to no details to consumers on how they’re protecting our data. Ring, Amazon’s home security system, has documented surveillance ties with law enforcement; that is but one example. The more smart devices are marketed in the absence of strong federal privacy protections, the more likely it’s not just about hackers half a world away controlling your home’s temperature – it’ll also be about arrests and deportations with the help of smart-home data.
All of which means American citizens and lawmakers must remember that protecting modern privacy is not just a question of facial recognition bans and legal restrictions on smartphone data collection. It’s also a matter of regulating the appliances and smart devices that watch people in their homes – and reforming the giant industry that profits off buying and selling those systems’ data. (Albert Fox Cahn and Justin Sherman)