As more devices such as voice assistants, home security cameras, appliances and even doorbells come online, the trove of intimate data that technology companies hold is increasing exponentially. People are voluntarily bringing in devices that record their conversations and track their heart rates and comings and goings, all of which produces more intimate, real-time potential evidence that law enforcement might want to help solve crimes.
But as the companies battle backlash over privacy concerns, there's an incentive for technology companies to protect this data from anyone other than the customer. Expect the showdown between law enforcement and companies to continue to play out in the courts.
“Amazon objects to overbroad or otherwise inappropriate demands as a matter of course,” an Amazon spokeswoman told me regarding the New Hampshire case. (Amazon.com founder and chief executive Jeffrey P. Bezos owns The Washington Post.)
Prosecutors in that case are trying to piece together the sequence of events that led to the deaths of two women sometime between January 27 and 29, 2017. Their bodies were found under the porch of a home with stab wounds, according to reports. Investigators believe one woman was attacked in the kitchen where an Echo device was located, and “prosecutors believe there is probable cause to believe there is evidence on the Echo, such as audio recordings of the attack and events that followed it,” according to court documents obtained by CBS.
Investigators think essential evidence to the case could be on Amazon’s servers, where it stores recordings of customer interactions with the device after they use a “wake word” that alerts the device a command is coming.
Devices such as the Amazon Echo and the Google Home are only supposed to record when they hear command words, such as the word “Alexa” or “Hey, Google.” But sometimes the devices can misinterpret a wake word and start recording anyway, as was the case in Oregon this year, when an Echo device inadvertently recorded a family’s conversation and sent it to one of their contacts.
Electronic Frontier Foundation Senior Staff Attorney Nate Cardozo said law enforcement has long asked technology companies to turn over data from connected devices. Such requests date back to at least the early 2000s, when law enforcement tried to surveil via car assistance programs. But it’s happening with greater frequency as the number of IoT devices in consumers’ homes explodes. “Now that everything has a microphone or a sensor,” Cardozo said, “the amount of data is just so many orders of magnitude greater.”
Research firm Gartner predicts there will be 20.4 billion IoT devices by 2020. That’s a significant uptick from the 11.2 billion connected devices Gartner forecasts will be in use in 2018.
Amazon resisted a previous attempt to gain recordings from an Alexa device. Last year, prosecutors in Arkansas issued a warrant calling on Amazon to turn over recordings in another murder trial. The company fought the warrant, saying user conversations were protected under the First Amendment. The company eventually turned over the recordings with the permission of the device’s owner.
And it's not only local law enforcement that is seeking to leverage Internet of Things devices. Two years ago, Director of National Intelligence James R. Clapper Jr. said the intelligence community could use smart home devices for investigations.
“In the future, intelligence services might use the [internet of things] for identification, surveillance, monitoring, location tracking, and targeting for recruitment, or to gain access to networks or user credentials,” the Guardian reported Clapper said at the time.
PINGED: Homeland Security Secretary Kirstjen Nielsen praised the passage by the House of a bill to turn the National Protection and Programs Directorate, the department's main cybersecurity wing, into a full-fledged agency within DHS. The bill would rename NPPD as the Cybersecurity and Infrastructure Security Agency and make DHS the main department in charge of civilian cybersecurity. “Today’s vote is a significant step to stand up a federal government cybersecurity agency,” Nielsen said in a statement. “The cyber threat landscape is constantly evolving, and we need to ensure we’re properly positioned to defend America’s infrastructure from threats digital and physical.” The bill, which was introduced by House Homeland Security Committee Chairman Michael McCaul (R-Tex.), heads to President Trump's desk for signature.
Christopher Krebs, undersecretary of NPPD, said in a statement that the legislation will help DHS “engage with industry and government stakeholders and recruit top cybersecurity talent.” The private sector also saluted the adoption of the bill. “The bill rightly gives the Department of Homeland Security the flexibility to organize its cybersecurity and critical infrastructure office to meet today’s threats and challenges, and grants the agency a name that truly matches its mission,” Ryan Gillis, vice president of cybersecurity strategy and global policy at Palo Alto Networks, said in a statement. “It will optimize the ways in which the office engages with businesses before, during and after cyber incidents, and enhance the Department’s leadership in cloud-based security deployments.”
PATCHED: “Facebook on Tuesday revealed more details about the fake Russian-linked Instagram accounts that posted politically divisive content on race and gender and on public figures such as President Donald Trump and Kanye West in a bid to influence voters in the midterm elections,” USA Today's Jessica Guynn reported. “More than 1 million people — 600,000 in the U.S. — followed at least one of the 99 Instagram accounts right up until the day before the U.S. midterm elections when the social media giant, acting on a tip from the FBI, took them down.”
Nathaniel Gleicher, head of cybersecurity policy at Facebook, said in a blog post that the social network has shut down 36 Facebook accounts, six Facebook pages and 99 Instagram accounts. The removal of those accounts and pages followed a tip that the company received from the FBI on Nov. 4, Facebook said. “Ultimately, this effort may have been connected to the IRA, but we aren’t best placed to say definitively whether that is the case,” Gleicher said, referring to the Russian troll farm Internet Research Agency. “As multiple independent experts have pointed out, trolls have an incentive to claim that their activities are more widespread and influential than may be the case. That appears to be true here as well.”
PWNED: Trump's unsubstantiated allegations on Twitter about voter fraud in the midterm elections raise tricky questions for the tech company. “Despite Twitter's promises leading up to the election that it would ‘ensure that Twitter provides a healthy space for public conversation that voters can rely on for accurate election news and information,’ it hasn't done anything about Trump's tweets,” BuzzFeed News's Charlie Warzel reported. “Asked by BuzzFeed News if Twitter was considering updating its rules to address Trump's voter fraud claims, the company's vice president of trust and safety, Del Harvey, suggested that the company would wait until 2019 to address the issue, if at all.”
Warzel noted that it's improbable that the company would expel Trump from its platform given its “world leaders” policy of not blocking such accounts. “But as Trump uses his feed to broadcast baseless conspiracies about election fraud, there’s growing concern that Twitter’s ‘world leaders’ policy might be actively undermining its original goal and muddying the truth around electoral outcomes,” Warzel wrote. “Though Twitter currently has no rules that prohibit the spread of conspiracy theories or misinformation, the company has made recent public declarations committing itself ‘to improving the collective health, openness, and civility of the public conversation.’ ”
— “The Russian government is arguing that a federal court should dismiss a lawsuit brought by the Democratic National Committee alleging that Moscow’s military spies, the Trump campaign and the WikiLeaks organization conspired to disrupt the 2016 campaign and tilt the election to Donald Trump,” The Washington Post's Ellen Nakashima and Tom Hamburger reported. “In a letter and statement this month to the State Department and a judge in the Southern District of New York, Russia’s Ministry of Justice argued that the United States’ Foreign Sovereign Immunities Act protects the Russian government from such lawsuits. In particular, the lawsuit’s naming of the GRU military spy agency as a defendant takes the litigation out of bounds on the basis that ‘any alleged “military attack” is a quintessential sovereign act,’ said a Nov. 6 statement by the ministry’s Department for International Law and Cooperation.”
— “A top cyber official at the Defense Department on Tuesday urged companies to refrain from ‘hacking back’ when they are the victim of a cyberattack, saying it could negatively affect the already unclear rules of engagement in cyberspace,” the Hill's Jacqueline Thomsen reported. “B. Edwin Wilson, the deputy assistant secretary of defense for cyber policy, said at a Foundation for Defense of Democracies event that ‘industry, private citizens should have the ability to defend themselves.’ But he cautioned that there is a ‘unique nature in cyberspace in regards to offensive activity,’ such as a company using cyber methods to retaliate against hackers who target their networks.”
— “A commission of security and economic experts convened by Congress warned that China’s technology-manufacturing strength threatens U.S. national security and advised U.S. government agencies to be mindful of Chinese attempts to compromise government systems,” the Wall Street Journal's Kate O'Keeffe reported. “In a new report, the U.S.-China Economic and Security Review Commission found Chinese dominance of networking-equipment manufacturing threatens the security of U.S. fifth-generation, or 5G, wireless infrastructure. The panel cited Chinese telecommunications giants Huawei Technologies Co. and ZTE Corp. in particular.”
— About 20 business executives and former government officials took part in a tabletop exercise simulating a Chinese cyberattack that would hit multiple U.S. targets at once, CyberScoop's Sean Lyngaas reported. “The fictional scenario involved a confrontation between the United States and China in the Taiwan Strait, which was followed by a cascading cyberattack on multiple U.S. critical infrastructure sectors,” Lyngaas wrote. “The former defense and law enforcement officials in the room discussed with their private-sector counterparts — executives from the banking, electricity, and retail sectors — how a U.S. government and industry response to the cyberattack might play out. Participants debated everything from the government’s use of private data to attribute cyberattacks to the potential blowback of offensive U.S. operations.”
The drill, which the Foundation for Defense of Democracies hosted last month, aimed to explore how the private and public sectors would interact in the 72 hours following such a cyberattack, according to CyberScoop. Samantha Ravich of the FDD stressed the importance of including businesses in the exercise since they are prime targets for cyberattacks, Lyngaas reported. “There was ‘a good, robust discussion’ on the value of spending limited company resources on helping the government trace the origin of an attack, Ravich said,” according to CyberScoop. “Knowing which foreign government is behind an intrusion can help a company prepare for future activity, she added.”
— Nearly half of respondents in a study on cybersecurity threats to small and medium businesses said they have “no understanding of how to protect against” cyberattacks. The survey, titled “2018 State of Cybersecurity in Small and Medium Size Businesses,” was conducted by the research firm Ponemon Institute and sponsored by Keeper Security, a cybersecurity company.
— “The Norwegian Defense Ministry said Tuesday that Russian forces in the Arctic disturbed GPS location signals during a recent large NATO drill in Norway,” the Associated Press's Jan M. Olsen and Jari Tanner reported. “The ministry said that Norway’s Foreign Ministry earlier had raised the issue with Russian authorities. In an email Tuesday to The Associated Press, the ministry said it ‘was aware that jamming has been recorded between Oct. 16 and Nov. 7 from the Russian forces’ on the Arctic Kola peninsula.”
- Infosecurity North America conference through tomorrow in New York.
- House Armed Services subcommittee and House Homeland Security subcommittee joint hearing on “interagency cyber cooperation.”
- Senate Armed Services subcommittee hearing on the “Department of Defense’s cybersecurity acquisition and practices from the private sector.”