IoT devices may testify against criminals in court

CYBERSLEUTH

Eye witness accounts are notoriously unreliable. Photographs can be altered or faked entirely using software such as Adobe s Photoshop. But what about data -- especially data that collected by ordinary devices and stored without much thought. Recall the famous "slow speed" chase of O.J. Simpson s white bronco? The police were able to locate Simpson on the tangled web of Los Angeles freeways because he had made a call from his cellphone and cell-tower records allowed them to triangulate and zero in on the Bronco.

Many people now know it s possible to track their cellphone s location (any by extension them), and are aware that sensitive data is collected by security cameras and online transactions. Most, however, probably don t think about their personal data being collected by the innocuous devices in their everyday lives. Everything from thermostats to car entertainment systems to medical devices to toys collect data on usage, location and the users activities.

The data collected by this exploding universe of interconnected devices, referred to as the Internet of the Things, is often stored by the device manufacturer with or without the users understanding. The unique thing about IoT data is that is very personal, and continuously recorded. And, unlike evidence such as DNA, it's instantly available.

So it was just a matter of time before such data would end up in lawsuits.

In a fascinating case in Connecticut, the police earlier this year arrested a murder suspect based in large part on data collected from the victim s Fitbit activity tracker. (Hartford Superior Court Docket No. TTD -CR17-0110576-T). The details, according to the arrest warrant and published reports, are that Connie Debate was found shot to death in her home. Her husband, Richard Dabate, claimed that he had been at the YMCA when he got a text message from his home alarm system. Upon arriving home, Dabate told police that he encountered a masked, obese intruder on the second floor in the house around 9 a.m., who struggled with him, tied him to a folding metal chair, burned him with a torch, and then after a struggle over the torch, during which the intruder s mask was burned, the intruder fled. Finding no evidence of a break-in, the police obtained search warrants for both Debate s cellphone records, computers and house alarm.

Although much of Richard Debate s outlandish alibi seemed suspicious, the case against him was cemented once the police thought to check data from Connie Debate s Fitbit. That data showed Connie Dabate was walking around as late as 10:05 a.m. that morning, an hour after the husband claimed she had been shot by the intruder. Better than a fuzzy eye witness account, the unbiased Fitbit data clearly contradicted Richard Dabate s account and after that his story began to unravel. Richard Dabate was arrested and charged with murder. He has plead not guilty.

Although the Fitbit data was sufficient to help police arrest Richard Dabate, the prosecution will have to show that the Fitbit data is reliable enough to be used as evidence at trial. As anyone who has worn an activity tracker knows, the data are not perfect and there are reports that the tracker may under-report activities such as pushing a cart (where the person s arms don t swing as would happen when running). But activity trackers have not been accused of recording steps when there actually were none.

Because this is a criminal case, the Fitbit data will be required to meet the reliability standards of Daubert v. Merrell Dow Pharmaceuticals, 509 U.S. 579 (1993), to be admissible. Under the Daubert standard, scientific evidence is evaluated according to five factors: whether the methodology has been tested; whether the methodology has been peer reviewed and published; whether the methodology has a potential error rate and the extent of the error rate; the existence and maintenance of standards controlling its operation; and whether it has attracted widespread acceptance within a relevant scientific community. While Fitbits or any other IoT device may not have undergone rigorous scientific testing, it seems likely that basic data such as whether the device was moving or not, will be viewed as credible.

The Dabate murder trial will be interesting not only for the precedent it may set for use of IoT data as evidence, but also for creating national attention about just how much data is collected by IoT devices and stored by their manufacturer. Fitbits collect data such as "the number of steps you take, your distance traveled, calories burned, weight, heart rate, sleep stages, active minutes, and location" according to Fitbit s privacy policy. For Fitbit models with GPS, data collection also includes "precise location data." That data is transferred from the device to Fitbit s servers every time the device is synched with applications or software. Nowhere does Fitbit state how long it keeps the data.

As IoT data becomes an instrument of prosecutors and plaintiffs, government officials should require manufacturers to have clear privacy policies that include not only what data is collected but also how long it is kept and where it is stored.