Sharon D. Nelson, Esq. is president of the digital forensics, managed information technology and cybersecurity firm Sensei Enterprises. Ms....
John W. Simek is vice president of the digital forensics, managed information technology and cybersecurity firm Sensei Enterprises. He...
It’s been estimated that about 8 billion “things” are connected to the Internet, and that the number of connected “things” could exceed 20 billion by the end of 2020. Sharon Nelson and John Simek are joined by Gail Gottehrer to explore the scope of the Internet of Things. It is critical to understand what data these devices collect, the privacy and security issues associated with them, and how IoT data can be, and has been, used as evidence in court. They also discuss recent legislative efforts to regulate the IoT at the state and federal level and the litigation that may result from them.
Gail Gottehrer is the founder of the Law Office of Gail Gottehrer LLC in Stamford, CT. Her practice focuses on emerging technologies as well as the digital security laws and ethical issues arising from them.
Special thanks to our sponsor, PInow.
Digital Dilemma: Your IoT Device May Be Testifying Against You
Intro: Welcome to Digital Detectives, reports from the battlefront. We will discuss computer forensics, electronic discovery and information security issues and what’s really happening in the trenches; not theory, but practical information that you can use in your law practice, right here on the Legal Talk Network.
Sharon D. Nelson: Welcome to the 105th Edition of Digital Detectives. We are glad to have you with us. I am Sharon Nelson, President of Sensei Enterprises, a digital forensics, cybersecurity, and information technology firm in Fairfax, Virginia.
John W. Simek: And I am John Simek, Vice President of Sensei Enterprises. Today on Digital Detectives our topic is, ‘Digital Dilemma: Your IoT Device May Be Testifying Against You.’
Sharon D. Nelson: Before we get started, I would like to thank our sponsor. Thanks to PInow.com. If you need a private investigator you can trust, visit pinow.com to learn more.
John W. Simek: Today our guest is Gail Gottehrer, the Founder of the Law Office of Gail Gottehrer, LLC in Stamford, Connecticut. Her practice focuses on emerging technologies including autonomous vehicles, AI, biometrics, robots and facial recognition technology, and the privacy and security laws and ethical issues associated with the data collected and used by these technologies.
She is one of the few defense lawyers to have been involved in the trial of a class action to verdict before a jury.
Gail is a member of the New York State Bar Association’s Task Force on Autonomous Vehicles and the Law and the State of Connecticut’s Task Force to study fully autonomous vehicles.
Gail also serves as co-chair of the New York State Bar Association’s Technology and Legal Profession Committee, a member of the New York State Bar Association’s Transportation Law Committee and as Chair Elect of the ABA TIPS Automobile Litigation Committee.
Gail was selected as one of the Profiles in Diversity Journal’s 2017 Women Worth Watching in STEM and one of the Connecticut Technology Council’s 2016 Women of Innovation.
Great to have you with us today, Gail.
Gail Gottehrer: Thank you so much. It’s great to be here.
Sharon D. Nelson: Well, we’re sure happy you could join us, and to start out with Gail, it’s still fairly uncommon to meet a lawyer who knows a lot about the Internet of Things law, so how did you get involved with that kind of law?
Gail Gottehrer: Yes, that is true but I think hopefully we’re catching up in the legal profession, we’re catching up to technology, but I’ve always been interested in data and technology. So when I was younger I was that annoying kid who always wanted to take apart the TV, because I wasn’t really clear on how everything was working and I was fascinated by it.
So needless to say, I caused my mother fits, but I always found that stuff fascinating, and when I became a lawyer, to your point, technology really was not a major focus of lawyers, but I found it interesting, and luckily, when the firms I was at had technology cases and they said who wants to do that, I always raised my hand.
So early in my career I worked on tech cases back when technology and the hot technology at the time was Gateway computers and Iomega storage drives, which now unless you’re a person of a certain age you don’t know what that is, but that was the hot technology back in the 1990s. And I was involved in some cases on the plaintiffs’ side, class actions alleging that there were upgrades promised and not delivered for those technologies. And it was parenthetically even with those upgrades neither of those technologies would have been anywhere near any speed that anyone would want to use today.
But then more recently through a case I handled for a major insurance company that is the class action that you mentioned that went to trial, I learned about something called telematics, which people probably know what that is that kind of dongle that you put in your car to hopefully get an insurance discount that records all sorts of information about your driving.
And through that, I learned about autonomous vehicles and just completely got hooked and since then, probably the last 10 years or so, I have been focusing on AI and autonomous vehicles and the data they collect, how it’s being used, how it can be used as evidence in a wide range of cases and how the law is struggling to keep up with the incredibly fast pace of technology and also how data collection and use now is just so pervasive in all our lives whether we know it or not, which just raises so many interesting legal and ethical issues as well.
So that’s a long answer to your question.
Sharon D. Nelson: But a very thorough one.
John W. Simek: Well, I’m not going to ask you whether or not the TV was tube or transistor, but we’ll get back to that.
Gail Gottehrer: It was like the size of a small oven I have to tell you, right. It’s had its own tube inserted there. It was a cabin almost, it was crazy, but yes, and it had a dial that you had to just get up and turn on your own.
John W. Simek: Okay, now I know that Gail is the same generation as we are Sharon.
Sharon D. Nelson: Yes, yes. We both remember the days.
Gail Gottehrer: We are updating ourselves now.
John W. Simek: That’s right.
Sharon D. Nelson: That’s okay.
John W. Simek: So Gail, talk to us a little bit about what is the Internet of Things and can you tell our listeners, give them some examples of some IoT devices.
Gail Gottehrer: Sure. So the Internet of Things is basically just a network of physical devices or things that are connected to the Internet and the connection to the internet enables them to communicate with each other and then to share and collect data in real time. So why it’s a significant thing is that the things that we’re talking about as part of the Internet of Things are items that we would generally describe as dumb, that means that just like inanimate objects, things that wouldn’t normally transmit data, but that by virtue of being connected to the Internet suddenly become smart.
So some examples would be smart refrigerators, toasters, coffee makers, doorbells, lights, thermostats, TVs, baby monitors, teddy bears and other toys that can communicate with children, things like electric meters and water meters that we see a lot in smart buildings and now more and more in smart homes, things like wearables, fitness trackers or smartwatches, vacuums like the Roomba and cars.
So it’s pretty much so many things that we take for granted in our lives that when we were growing up, were just kind of things that sat there, but now are things that are connected that you can access through the Internet that you can control through the Internet that collect data and exchange data, because a few years ago, maybe 10 years ago, a watch was just a watch.
You know if somebody said to you, you could be checking your email on your watch and it will have an app on it that could measure your blood pressure and let you know if you may be sick or having a heart attack, people would laugh and say, that’s impossible, but now we pretty much take that for granted and they’re ubiquitous.
So it’s interesting because there are projections that I’ve read that right now, there are more connected things in the world than there are people. And when you think just about some of the items that we just listed, people have multiples of these devices so that’s probably not surprising.
Sharon D. Nelson: Yeah, and the more affluent of course you are, the more devices you tend to have, so some people really have a lot of data being collected in their homes and in their businesses.
So I think that one of the things that people are most ignorant of is what kinds of data these devices actually collect and they’re usually horrified. We speak on this subject occasionally, we have nowhere near your qualifications, but we do try to talk to them about the kinds of data that the devices collect. So maybe you could go through that just a little bit Gail.
Gail Gottehrer: Sure they collect tremendous amounts of data and to your point that the data is very personal. So if you think about even take kind of an innocent example what you would think your refrigerator, what would your — even if your refrigerator is connected what does it know about you, but it knows everything you eat and it potentially knows how many people are in your house by the volume of food. It can tell when you’re home or when you’re traveling by when the food is diminished or how often you restock it.
So while it may be really convenient to have it connected to supermarkets or other apps that can tell you, you need milk or can automatically have milk delivered to you, at the same time, that’s a lot of information. So if you have a lot of milk in your house there could be an inference that you have children in your house. And we’ll talk about more of these types of things, but it’s important to keep in mind that while one of these instances may not seem that troubling.
So you think so what if some company knows that I have children and I have a lot of milk in my house. When you think of all these one piece of data from a variety of these devices and how they get connected through all the ways that the Internet plays a role in our lives, companies can paint a really specific picture of you, your daily habits, your family, just your personal life from all these little one-off pieces of data and that’s kind of the helpful perspective to think of it in.
So another one would be a thermostat. If you have one of those Nest Adjustable Thermostats, that knows the hours you keep, because it knows when are you either raising the air-conditioning or lowering it, raising the heat or lowering it, that provides information about your daily habits, who is in your house.
Things like smart speakers like Amazon Echo and Google Home, they record conversations and we can talk about later. They record conversations they’re supposed to record or other ones, but they record ambient noise and voices as they’re waiting for the wake word or the watch word. I don’t know that people really think about that so much.
Wearables and Fitbits, while it may be great to know how many steps you walked and it may be keeping you on goal to lose weight or get healthier, it’s also monitoring your health. It tells your heart rate, all sorts of information about you, and more and more of these devices now monitor your sleeping pattern, that’s a lot of information about you.
It can tell things about your emotional state, and again, I think this kind of medical biometric information itself is very concerning and sensitive and people need to know where it’s going and how it’s being used, but once you start collecting that and combining it with all — some of these other types of information we’ve talked about, you start to see the picture.
To think about doorbells, the smart doorbells don’t just pick up who’s ringing your bell, they record information about who is walking past your house and that may not trouble you as a homeowner, but think about it if you’re the person just walking down the street and now you’re recorded on this tape.
Smart TVs, there have been cases where they’ve been turned on remotely and recorded people in their homes. Think about every room in your house where you have a television and how much could be recorded, how much you take for granted that you have privacy in your home and you don’t think that the television might be recording you.
Things like smart vacuums and I have to confess that I love my Roomba, but there was a report recently that some of these devices were recording information about the configurations of people’s homes, right, so where is that data going.
So just — a lot of information about you is being transmitted and collected through these devices that most of us put in our homes or bring into our lives because they offer convenience and personalized experiences and they’re helpful, but I think it’s important to know what are they actually collecting, where is that going, how long is it being kept, is it being resold because when you combine the information that only a few of these devices collect you start to see a picture of how much companies that you may not even know about, know about you.
John W. Simek: Well Gail, we do digital forensics, so we’ve got our own war stories primarily from family law cases.
Gail Gottehrer: I am sure.
John W. Simek: That’s Sleep Number bad boy that was a good case too, but the — but can you tell our listeners a little bit or talk about some of the cases where data may have been used as evidence in court.
Gail Gottehrer: Sure. So there was a particularly disturbing case a few years ago in Pennsylvania where a woman called the police and made an allegation that she had been raped and she claimed that she had been asleep in the house and then someone broke in and had attacked her, and the police responded and they initially became suspicious because it had been snowing at the time and they didn’t see any footprints in the snow around the house. But the evidence that was dispositive in her being charged for filing a false police report was that they checked her Fitbit that she had been wearing and it showed that at the time that she claimed she was sleeping and had been attacked she was actually walking around during the time she had said she had been sleeping, and that there hadn’t been any spike in her heart rate or her blood pressure as you would expect if somebody was being attacked or trying to fight off an attacker, at the time that she said she had been raped. So that device became the key evidence, that data from that device that the police got, and it led to her being prosecuted for filing a false police report.
So that’s just one example of something that without that kind of data, it would have been much more difficult to prove that the police might have gone on trying to look for a suspect for an incident that hadn’t occurred. And other cases that people have probably heard about too is that there’s been a trend of police who are becoming more and more savvy and realizing the value of this data trying to subpoena it.
So there have been a couple of subpoenas for recordings from Amazon Echo speakers, which again is I think I alluded to, these are — these home virtual assistants that people have in their homes or their offices and they’re supposed to start recording when or people perceive that when you say a wake word, so hi Alexa or some sort of word to wake it up.
But it’s been revealed more and more that they listen almost constantly, if not constantly to be ready to hear that wake word and they can pick up all sorts of things.
So there was a recent case in Dover, New Hampshire where a person was accused of murder and the prosecutors believe that Echo recordings, because he had an Echo device in his kitchen, may have had evidence about the murder, because the police believe that the attack took place in the kitchen and when they arrived on the scene they saw that there was an Echo device in that kitchen. So they subpoenaed those records for potential evidence.
So you think about that, have you essentially created evidence against yourself, could these devices essentially be recording crimes. And there was a similar case in Arkansas a few years ago where again a person was accused of a murder where another person was found dead in his hot tub and the police wanted the recordings from his Echo device because they believed that they had picked up — the device had picked up the murder and the body being disposed of, and in that case Amazon fought the subpoena and said that it wasn’t going to turn the information over without consent from the device owner, and ultimately the defendant who is the device owner, who had maintained his innocence throughout, consented to the information being turned over.
But another interesting thing in that case that defendant also had a smart water thermometer in his house and the prosecutors wanted that data as well, because they said it showed a spike in water use on the day that the victim’s body was discovered and they suggested that that was evidence that he had been cleaning up the scene. But the defense argument was that the time stamp on that data was incorrect and that water use was actually from the time that the hot tub was being filled up.
So interesting how all this technology and all this data from these devices that this gentleman had voluntarily put in his home were becoming key evidence in a criminal prosecution against him.
Sharon D. Nelson: It’s just amazing. We have heard all those cases too and it’s just astonishing how they’re continuing to pile up. But talk to us for a moment about autonomous vehicles and how they fit into the IoT world?
Gail Gottehrer: Yes, my personal obsession these days are autonomous vehicles. So, while we don’t have fully autonomous vehicles on the roads yet, ones where you’ve probably seen those pictures on the internet where they look like your living room with comfy chairs facing backwards and movies playing, that’s level five technology that we’re not there yet. We do have really highly automated ones on the road and we’re moving closer to these higher levels of autonomy all the time. So if you think for example, like if you have a newer car and when your mirrors beep if you get too close to something or someone gets too close to you. That’s an example of sensors that are communicating data through the car and providing you with information that you then react to, to avoid an accident. Ultimately when we get to the highest levels of automation where people aren’t driving, the car itself will interpret that data and react accordingly.
But essentially autonomous vehicles are run by algorithms that run on data. So we’re talking about millions and millions of lines of code and tremendous amounts of data being collected and processed by these vehicles which essentially help them navigate like people do or at least what good drivers do when they drive and essentially see the environment around them. So interpret stop signs or lane markers, things like that, see them, understand what they are, put them in context and know what that means, whether that means they should brake or accelerate or change lanes, that’s all done by sensors and data. And a lot of this information interestingly has to be processed so quickly in real time that we’re going to see more of this processing being done in the vehicle, which is called Edge Computing rather than being sent to the cloud, so only some of the data will go to the cloud and we’ll have more processed actually in the vehicle.
But the interesting thing is that these cars are very data dependent, they are heavily data dependent. So the way they work is relying on sensors and computers and LiDAR, Radar other sort of technology like that to make them work. So that’s kind of where — they’re the ultimate IoT device, because within this vehicle then you could plug in your smartphone and that could connect, so you could listen to music that you already have your own playlist or it could sync with your smart watch, which if you are having a medical issue, then could connect to the car which could call a hospital or move the vehicle over or drive you to the hospital potentially.
All sorts of things like that, your infotainment system could play the movies you like. You could watch Netflix through your subscription through that, through Wi-Fi you can have meetings in cars. This vehicle could become like a portable office.
So that’s kind of the vision. So all these IoT devices would come within this IoT type vehicle and it’s fascinating to think about and for those of us who have to drive into Manhattan or you guys driving into DC, every time you’re stuck in traffic, autonomous vehicles could make that a lot better and that can’t come fast enough I think for some of us.
But even for people I think who are concerned about the technology or don’t see the benefit, I think you have to think of the potential and I think this is a good point to remember when you talk about the IoT that there are just so many benefits.
So autonomous vehicles at these highest levels of autonomy could provide mobility for people who are disabled, right, so people who can’t use their hands and feet will be able to speak to the car and through voice recognition technology, it will be able to get them to their destinations or people who are legally blind or blind can do that as well because you won’t need to see at level 5, the vehicle and the sensors and the technology will do all that.
So I think that’s kind of the tension in these discussions is that this technology offers so many opportunities and so many personal societal benefits that were unimaginable years ago. But at the same time, we have these concerns about privacy and security and it’s finding that balance, I think which is really the challenge, because in the case of autonomous vehicles, right now, almost 40,000 people die on US roads every year from car accidents and that’s 94% are caused by human error.
So that’s — things like distracted driving or people texting while they’re driving, there’s so many deaths and things that could be prevented. So that’s really significant.
John W. Simek: Well, before we move on to our next segment, let’s take a quick commercial break.
Advertiser: Does your law firm need an investigator for a background check, civil investigation or other type of investigation? PInow.com is a one of a kind resource for locating investigators anywhere in the U.S. and worldwide. The professionals listed on PInow understand the legal constraints of an investigation, are up-to-date on the latest technology, and have extensive experience in many types of investigation, including workers’ compensation and surveillance. Find a prescreened private investigator today. Visit www.pinow.com.
Sharon D. Nelson: Welcome back to Digital Detectives on the Legal Talk Network. Today, our topic is Digital Dilemma: Your IoT Device May Be Testifying Against You, and our guest is Gail Gottehrer; the Founder of the Law Office of Gail Gottehrer, LLC in Stamford, Connecticut.
Her practice focuses on emergent technologies including autonomous vehicles, AI, biometrics, robots, and facial recognition technology and the privacy and security laws and ethical issues associated with the data collected and used by these technologies, that’s a mouthful.
Okay, so let me get to part of what I just said in your bio there, doesn’t all the data collected by IoT raise serious privacy concerns?
Gail Gottehrer: Yes. In one word, yes, it does. Again, just because I think we’ve given people kind of the context about this information that’s in your house, it’s on your body, it’s things about you, about your family. People probably heard the cases about baby monitors being able to be hacked and people being able to see pictures of people’s babies sleeping, webcams being able to be hacked, certain toys that were sold a couple of years ago; teddy bears were recording conversations with children and keeping them.
So I think there are significant privacy concerns. There have also been cases where Amazon Echo, there was one case in Oregon I believe it was where the Amazon Echo recorded a private conversation and then sent it to a random contact. So there is a significant privacy concern and we’re seeing more and more laws being put into place to try to address that.
So one example would be the GDPR, which I’m sure you guys covered in depth in the past, same with the CCPA in California that will go into effect in 2020 and we’re seeing more and more specific biometric laws like the ones in Illinois that BIPA that covers biometric information and how that can be used and requires written consent before that kind of information can be used.
We’re seeing similar biometric type laws come into play in New York and New Jersey. Right now those are two of the many states that are considering laws that would govern specifically this kind of biometric information. And I think there are also other laws while not specific to geolocation information, so where you are at a specific time, more and more definitions of personal information are being broadened and would encompass all the kind of information that we’re talking about.
John W. Simek: Well, Gail these IoT devices being so connected, right to the Internet and all interconnected as you’ve already described. I would imagine we’ve got some huge potential cybersecurity issues that come along with that. Do you have any comment about that?
Gail Gottehrer: Yeah, I think they’re a bit of a hacker’s paradise unfortunately. So the challenge there is that a lot of these devices are attractive because they’re cheap, first of all, and they’re kind of plug-and-play, you don’t need to be really technically savvy to hook them up. You just plug them in and they work.
But that in large part is because the manufacturers haven’t really built in security considerations into the design. So we’ve heard cases where a lot of routers, a very popular router was sold and they all had the same password. So once a hacker figured out one password they were able to access all these devices.
And think about that, somebody being able to access so many routers in multiple office locations, people’s homes. There have been things the same as I mentioned with the baby monitors recording children that’s really concerning, but people who bought these devices weren’t required to change the password or there was no basic security built into it.
So that’s really the concern that’s being addressed by some of these laws that we’re going to talk about in a little bit and I think that’s really the most important thing, because once you have one of these devices and they’re connected to other devices, if one of them is kind of an entryway for a hacker, they can then get access to so much more within your home, and that’s certainly not what you want for all the reasons we’ve talked about with the sensitivity of this data.
Sharon D. Nelson: One of the things about security is that it costs money and they want to sell devices cheap, and that’s an ongoing tension. So one of the states that’s been trying to do something about that and protect their privacy is California. So tell us about what California is doing?
Gail Gottehrer: Yes California, not surprisingly, as we’ve seen very often is leading in this area and it recently passed a law called the Security of Connected Devices, otherwise known as SB-327, which will also go into effect on January 1st, 2020.
So what this does is essentially requires manufacturers of Internet connected devices to make sure they have reasonable security features. So it’s sort of like this concept of security by design, that security should be considered by companies and built in before production rather than what we frequently have now, which is devices coming out, people recognize that there are security flaws and then we patch them, kind of on the back end.
So this is an effort to make sure that security is built-in in the front end. So reasonable security features, reasonable is not a defined term, reasonable and what is reasonable is going to depend on the type of device it is and the type of data it collects.
So if it’s a baby monitor and it’s collecting information about children, that’s clearly going to be on the higher end in terms of security needed to be reasonable, other things that may collect less sensitive data may require less security, but it could range from things like requiring the owner to set a unique password on the device or making sure that the device only uses a password protected internet connection.
Basic kind of things like that and the hope is that while it applies to manufacturers of devices that are sold in California, the hope is that companies won’t want to have a California device standard and a non-California device standard, so that everybody will kind of manufacture up to the California standard since it’s such a large market and economy and that the rest of the country will benefit from that.
Also interesting to note this act does not have a private right of action and there are no monetary penalties. So it’s something that will be enforced by the Attorney General who is going to be very busy next year, also enforcing the CCPA. So we’ll see how that works out.
John W. Simek: Well Gail, I know it’s been many, many years and we’ve always talked about when we are going to see a national data breach notification law, which I don’t think is going to happen in my lifetime, but what about the laws and regulations governing IoT? Is the federal government doing anything and working on those?
Gail Gottehrer: Sure. So I think the federal government has been trying as with so many other things to address this but there’s been no legislation to date that’s passed. The most recent effort to pass a law was something called the IoT Cybersecurity Improvement Act of 2019, that was introduced in March of this year and appears to have bipartisan support we’ll see, but that aims to create standards for the federal government, for agencies of the federal government that buy IoT devices that are used by the federal government and on federal government networks.
So this would be limited to purchases made by the federal government for federal government systems and it envisions NIST, so the National Institute of Standards and Technology, developing these standards and similar to what we talked about with California, the hope here is that by using the federal purchasing power it would move the market and again that companies wouldn’t design devices that would be only okay to sell to the federal government that when they manufacture devices, they’ll bring them all up to this level that would meet the federal standard.
So even non-federal government entities and purchasers would benefit from that and from the security by design concept.
So we’ll see if it becomes law, we’ll see what NIST develops in terms of standards, NIST does a very good job and they certainly have been talking about the security by design and privacy by design ideas for a long time, so we’ll see where this goes, but I guess the hope is that the federal government is following California and that maybe between California addressing private purchases and the federal law addressing government purchases, maybe the combination will really lead to significant change.
Sharon D. Nelson: I think you are Rebecca of Sunnybrook Farms.
Gail Gottehrer: Well I wanted to leave us on an upbeat you know since I’ve scared people by all the things. They’re looking around their homes now seeing all these devices that they see are collecting data on that, but at least we can go with this optimistic approach now.
Sharon D. Nelson: Well we’ll try and we certainly get this. This was very entertaining, lots of good stories, lots of good information and not everybody follows this stuff as lawyers as much as they would maybe like. So sometimes, it’s really nice to hear a podcast and get a lot of this information and you did a great job of delivering it.
So thank you again for being our guest.
Gail Gottehrer: Thank you both. It’s been a pleasure.
John W. Simek: Well that does it for this edition of Digital Detectives. And remember, you can subscribe to all the editions of this podcast at legaltalknetwork.com or in Apple Podcasts. And if you enjoyed our podcast, please rate us on Apple Podcasts.
Sharon D. Nelson: And you can find out more about Sensei’s digital forensics, technology, and cybersecurity services at senseient.com.
We will see you next time on Digital Detectives.
Outro: Thanks for listening to Digital Detectives on the Legal Talk Network. Check out some of our other podcasts on legaltalknetwork.com and in iTunes.
Sharon D. Nelson and John W. Simek invite experts to discuss computer forensics as well as information security issues.