This article originally was published in The Computer & Internet Lawyer.
The Internet of Things is upon us with smartphones, smart cars, and self-sensing trash cans. The next decade will see a geometric expansion of the types of objects we fit with sensors and connect to the Web. As these objects become more and more responsive to their environments, and as they connect to more and more networks and other enabled items, they open themselves to further intrusion by anyone who may want to use these sensors to view into our lives. The smarter our devices become, the more vulnerable they are to government and hacker intrusion.
This article explores current technological advances—not a Buck Rogers futurescape, but technology issues and vulnerabilities arising today. These advances are leaving us open to deeper and more complex intrusions, and this article discusses the vulnerabilities and several current problems that can only grow in the future. It also explores the increasing networking capabilities of smart devices and analyzes how wider networks mean wider intrusion into privacy. In short, the more sophisticated we build the Internet of Things, the more it will be exploited against us.
Government Surveillance Is Moving Deeper into Our Lives Thanks to Technical Advances
Technologically based government surveillance has existed as long as we knew technology could be used for spying. Edward Snowden revealed a level of surveillance of US citizens clearly beyond statutory and Constitutional authority by the US National Security Agency (NSA), which is tasked with gleaning data about non-US citizens. But these revelations were hardly the first. Released government records and the stories of reporters over the decades have documented the use of technology to build government information files.
Britain and the United States collaborated on espionage during World War II, and by war’s end, this collaboration had morphed into a permanent intelligence-military alliance that predated the founding of the North Atlantic Treaty Organization (NATO). Advances in telecommunications technology allowed an intelligence apparatus to always be capturing electronic signals all over the planet. The secret British and US agencies responsible for cracking German and Japanese codes during the war turned toward the Soviet Union and communist countries during the cold war.
In 1946, Britain and the United States signed the United Kingdom-United States of America Agreement (UKUSA), a multilateral treaty to share signals intelligence between the two nations and Britain’s Commonwealth partners, Canada, Australia, and New Zealand. It is known as the “Five Eyes” agreement. In 2010, the British national archives released previously classified Government Communications Headquarters (GCHQ) files that provide an important historical overview of the agreement. Also in 2010, the NSA followed suit and published formerly classified documents from its archives. Accompanying NSA’s release was a 1955 amended version of the treaty.
Since 1968, when satellite communications became a practical reality, Project ECHELON has given the Five Eyes members the capacity to track enemies and allies alike within and outside their states. The scope has evolved in that time period from keyword lifts in intercepted faxes to its current all-encompassing data harvesting. In a piece published in The Intercept, privacy advocate Duncan Campbell describes his past few decades tracking down the elusive Project ECHELON, “the first-ever automated global mass surveillance system.” Until Snowden shone a light on activities of the NSA and other government spying agencies, ECHELON was largely just another code-name in the conspiracy theorist’s notebook. Campbell made the first references to the program in his 1988 piece, titled “Somebody’s Listening,” where he detailed a program capable of tapping into “a billion calls a year in the UK alone.”
In February of 2000, “60 Minutes” published a report detailing the existence and scope of ECHELON. Mike Frost, a former spy for Canada’s NSA-equivalent, Communications Security Establishment (CSE), told the host just how large the program’s reach really was: “Echelon covers everything that’s radiated worldwide at any given instant.” The Snowden revelations merely confirmed that such analysis had continued to grow as the use of communications technology grew and as the depth of different types of listening and observation devices grew. The NSA or any other government surveillance organization now has access to at least four ways to confirm your location from your smartphone: (1) the GPS system; (2) Wi-Fi pinging; (3) Bluetooth location confirmation; and (4) cell-tower triangulation. Your car provides files of specific information about you, and so does the smart-grid power reading of the energy usage in your house. For example, power usage statistics have been tracked for decades to identify people illegally growing marijuana in their homes or businesses. If the technology allows for knowledge that appeals to spying or policing powers, then it will be used by government.
New Technologies Give the Government New Avenues of Surveillance
Although the Federal Bureau of Investigation (FBI) continues to complain that it must have access to any and every type of technology used by US consumers, a new study published in February 2016 by the Berkman Center for the Internet and Society at Harvard University concludes that the dozens of new consumer technologies such as television sets with microphones and Web-connected vehicles are creating history’s largest set of options for tracking suspects.
The study, titled “Don’t Panic: Making Progress on the ‘Going Dark’ Debate” argues that the phrase “Going Dark” ignores the flood of new technologies “being packed with sensors and wireless connectivity” that are expected to become the subject of court orders and subpoenas, and already are the target of the US government as it places “implants” into networks around the world to monitor communications abroad. The products, ranging from “toasters to bedsheets, light bulbs, cameras, toothbrushes, door locks, cars, watches and other wearables,” will give the government increasing opportunities to track suspects and, in many cases, reconstruct communications and meetings. Quoted in the New York Times, Harvard University professor and former head of the National Intelligence Council Joseph Nye said, “I think what this report shows is that the world today is like living in a big field that is more illuminated than ever before. There will be dark spots—there always will be. But it’s easy to forget that there is far more data available to governments now than ever before.”
The ubiquitous smartphone, carried everywhere by everyone, is clearly the current best source of personal and private information, and therefore targeted by the government. However, pulling data off the phone’s storage is not the only way to spy on your smartphone. The government can clearly pull your data from your phone carrier and see all communications and location data over a several-month period. In fact, the US Congress already has passed laws retroactively restricting liability of telephone providers for giving this information to law enforcement despite any Constitutional violations. Law enforcement is clearly aware of how valuable this tool can be and has asked Congress to make it more available.
A catalogue of surveillance tools and techniques recently was obtained by a publication called The Intercept. In the catalogue, each device is listed with guidelines about how its use must be approved—generally by a “Ground Force Commander.” Most of these technologies can be used to geolocate people, but the documents indicate that some have more advanced capabilities, such as eavesdropping on calls and spying on SMS messages. Two systems, apparently designed for use on captured phones, are touted as having the ability to extract media files, address books, and notes, and one also can retrieve deleted text messages. Some devices are in wide use, such as the Stingray surveillance technology that state and federal governments have fought for years to hide from the public. Stingrays simulate cell phone towers to trick nearby mobile phones into connecting to them, revealing the phone’s location, and they also record computers using open wireless networks and wireless “air cards.” The Stingray emits a stronger signal than nearby towers so that consumer equipment automatically joins its network.
Last year, Wired Magazine reported that
Now documents recently obtained by the [American Civil Liberties Union] ACLU confirm long-held suspicions that the controversial devices are also capable of recording numbers for a mobile phone’s incoming and outgoing calls, as well as intercepting the content of voice and text communications. The documents also discuss the possibility of flashing a phone’s firmware “so that you can intercept conversations using a suspect’s cell phone as a bug.”
Wired also wrote, “Local law enforcement agencies have used the equipment numerous times in secret without obtaining a warrant and have even deceived courts about the nature of the technology to obtain orders to use it. And they’ve resorted to extreme measures to prevent groups like the ACLU from obtaining documents about the technology.” The Stingray was trademarked by Harris Corp. in 2003 and initially used by the military, intelligence agencies, and federal law enforcement. Another company, Digital Receiver Technology, now owned by Boeing, developed dirt boxes—more powerful cell-site simulators—which gained favor among the NSA, Central Intelligence Agency (CIA), and US military as good tools for hunting down suspected terrorists. The devices can reportedly track more than 200 phones over a wider range than the Stingray. This technology has been used to create targeting data for drone strikes. According to released documents, the Baltimore Police Department, for example, has used Stingrays more than 4,300 times since 2007. In 2013, the Florida Department of Law Enforcement reported the purchase of two HEATR long-range surveillance devices as well as $3 million worth of Stingray devices since 2008. In California, Alameda County and police departments in Oakland and Fremont are using $180,000 in Homeland Security grant money to buy Harris’ Hailstorm cell-site simulator and the hand-held Thoracic surveillance device. The Anaheim Police Department admitted that it uses plane-mounted Stingrays in Disneyland’s backyard.
Other devices used by law enforcement can be intrusive in different manners. Automatic number plate recognition technology, also known as automatic license plate readers, is in use by a number of law enforcement agencies to simply point and click at vehicles to see whether the driver interests the police. The Long Island bedroom community of Freeport, NY, tracks every vehicle through town with 27 fixed cameras that include automatic license-plate readers. According to CBS News, after only three months, Freeport had tracked 17 million license plates and the police are “drowning in data.” In the same report, the ACLU’s Jason Starr told CBS News, “all that data can be shared. It can be pulled. It can be sent to other law enforcement agencies. It can be breached by third parties.”
Vehicle surveillance specialist Vigilant Solutions offered Texas law enforcement agencies “free” access to its massive automated license plate reader databases and analytical tools—but only if the police give Vigilant access to all of their data on outstanding court fees and hand the company a 25 percent surcharge from money collected from drivers with outstanding court fines. Vigilant also gets to keep a copy of any license-plate data collected by the police, even after the contract ends, and can retain it indefinitely. Without involving policy-makers or the public, Texas police are considering the technology, which uploads everyone’s driving patterns into a private system without any ways for these individuals to control how their data is used or shared.
In September of 2015, the FBI announced implementation of its Next Generation Identification system, expecting the database to contain 51 million photographs by 2016. The system identifies people from facial features and is available to US police forces across the country. The system produces information on more than 55,000 photo searches every day. The database contains more than mugshot photos, including video feeds from security cameras or photos from social media.
According to Forbes, computer recognition is improving quickly. “A computer is now as good as a person. Already Google’s algorithms can accurately match child and adult photos of the same person, and Facebook has an algorithm that works by recognizing hair style, body shape, and body language—and works even when it can’t see faces. And while we humans are probably as good at this as we’re ever going to get, computers will continue to improve. Over the next years, they’ll continue to get more accurate, making better matches using even worse photos.” Senator Al Franken believes that federal standards for use of computerized facial recognition technology should be passed to reduce abuse of the technology. English police are using automatic facial recognition to scan the crowds of music festivals and compare against databases of wanted criminals. The US police have done the same with Super Bowl crowds.
European countries like to think of themselves as bastions of personal privacy protection, but they are using intrusive technology, too. For example, last year France enacted one of the world’s most intrusive surveillance laws, and the French Constitutional Council ruled that all but three of its provisions meet the demands of the French Constitution. The law allows the government to monitor the phone calls and emails of suspected terrorists without prior authorization from a judge. It also calls for Internet service providers to install so-called black boxes that sweep up and analyze metadata on millions of Web users, and forces them to make that data freely available to intelligence organizations. Intelligence agents will be able to plant microphones, cameras, and keystroke loggers in the homes of suspected terrorists. Under the law, the government can authorize surveillance for vaguely defined reasons such as “major foreign policy interests” and preventing “organized delinquency.” The United Nations Human Rights Council expressed concern over the law, saying it lacks sufficient oversight. The British government has implemented high-tech license plates containing microchips which can transmit unique vehicle information to data readers more than 300 feet away. Using RFID technology, the chipped license plates can help fight commuters using counterfeit plates to avoid the London congestion charge imposed on passenger vehicles in London during peak hours. Germany issues microchipped identification cards to its citizens, which enables Germans to fill out online forms faster. According to the Washington Post, German citizens have taken to boiling or microwaving their identity cards to disable the microchip technology, facing a fine or jail time for illegally modifying official documents.
US courts and regulators are attempting to rein in government use of new technology. For example, the Justice Department announced a policy requiring its law enforcement agencies to obtain a warrant to deploy cell phone tracking devices in criminal investigations and inform judges when they plan to use them. The new policy, announced by Deputy Attorney General Sally Quillian Yates, should increase transparency around the use of the controversial technology by the FBI and other Justice Department agencies. It imposes the highest legal standard for the device’s use and a uniform standard across the department. The policy change is an acknowledgment by the Justice Department that the use of Stingray-type devices raises serious privacy concerns. Under the new policy, data gathered by authorities must be deleted as soon as the suspect’s phone is located, or if they fail to locate it, all data gathered must be deleted at least once a day. In cases in which officials know where a suspect is but do not know his or her phone number, they may set up a simulator nearby to try to identify the suspect’s phone through patterns over time. In those cases, the data gathered must be disposed of either when they’ve located the phone or at least once every 30 days. Authorities also must keep data that could help prove a suspect’s innocence.
The Fourth Circuit Court of Appeals, in U.S. v. Graham, held first that accessing cell site data without a warrant violated the defendants’ Fourth Amendment rights; but, second, that the violation did not require suppression, because it resulted from law enforcement’s good faith reliance on procedures set forth by the Stored Communications Act. The court cited the plurality opinion of the Supreme Court in the U.S. v. Jones automobile tracking beacon case to find that “[t]he privacy interests affected by long-term GPS monitoring apply with equal or greater force to historical [surveillance] for an extended time period.”
Hackers Are also More Dangerous with Smarter Targets
Recalls of Chrysler and Range Rover automobiles have demonstrated the danger behind hacking complex tools such as cars. In a videotaped test, hackers remotely turned off a Fiat Chrysler Jeep on the highway so that the driver no longer had control of his vehicle. Fiat Chrysler announced a recall of 1.4 million vehicles to fix the flaws that these hackers had found. People can die from such security breaches. Fiat Chrysler’s security chief, Scott G. Kunselman, told the hackers in the Jeep incident that it would be inappropriate and irresponsible for them to publish technical details about the breach because it would amount to a how-to guide for criminals to remotely attack a vehicle, according to a summary of the correspondence provided by the company. The company declined to make Kunselman available for an interview.
The increasing reliance on code raises questions about how these hybrids of digital and mechanical engineering are being regulated. Even officials at the National Highway Traffic Safety Administration acknowledge that the agency doesn’t have the capacity to scrutinize the millions of lines of code that now control automobiles. One option for making auto software safer is to open it to public scrutiny. Although this might sound counterintuitive, some experts say that if automakers were forced to open up their source code, many interested people—including coding experts and academics—could search for bugs and vulnerabilities. Automakers, not surprisingly, have resisted this idea.
The same is true for hacking medical devices wirelessly connected to the Web. On January 22, 2016, the federal Food and Drug Administration (FDA) issued a draft guidance outlining post-market recommendations for medical device manufacturers to address cybersecurity risks. The draft guidance details the agency’s specific recommendations, which address monitoring, identifying, and managing cybersecurity vulnerabilities in market-available medical devices that contain software or programmable components. The FDA held multiple public workshops on software vulnerability in medical devices and previously issued guidance titled “Content of Premarket Submissions for Management of Cybersecurity in Medical Devices.” The FDA recommends in this document that manufacturers should implement a structured, systematic, and comprehensive cybersecurity risk management program. Similar problems arise in consumer products. A Fitbit or any of the class of wearable items that measure a person’s vital signs could be hacked and used to monitor an entirely more intrusive level of information about the person wearing the item. Think of the divorce cases where a party would benefit from knowing that the Fitbit wearer could be placed at a certain hotel through the GPS tracker, and the increased pulse rate could only be explained by intense physical activity.
Smart devices could become an even larger risk for hacking at the end of their life cycles. As devices proliferate, thousands, then millions, will be abandoned in place, yet fully functional. The fault may simply be incompetence. A company believes it has control of its cameras or other sensing devices, but hackers have taken over. This also happens as companies placing and managing a network of cameras or microphones either make a conscious decision to ignore maintenance and security updates on the devices—because, for example, certain customers stop paying for ongoing servicing—or the maintaining company itself fails as a business. In a perfect world, children and failing companies would clean up their messes before they left the scene. We do not live in a perfect world. Entire networks of Internet-connected sensing devices will be left to rot on the vine, abandoned but fully functional.
Such networks will be—and probably already are—playgrounds for criminals. Following our every move in a store or homing in on payment transactions, the hackers can use these orphaned networks to their advantage. But disengaging them costs money, and if no one claims beneficial ownership of the device network then no one can be forced to pay to maintain security or to take it down. Local or regional governments may be pressed to spend tax dollars to dismantle some of these networks, or possibly the Homeland Security Department will set aside funds to clean out orphaned Internet-of-Things networks as a matter of critical infrastructure hygiene. But until a significant disaster occurs because of abandoned device systems, it is likely that no one will accept ownership of the problem, and public security will suffer.
The number and types of connected and reporting sensors will continue to grow over the coming decade, bringing risks and intrusions deeper into our lives. Only through awareness and a willingness to fight for privacy rights will the public avoid serious harm from this inevitable increase in government and criminal surveillance.