The Government Might Subpoena Your Toaster

Law-enforcement officials say they’re running out of ways to spy on criminals and terrorists. Maybe they’re not looking in the right places.

To hear FBI Director Jim Comey tell it, his agency is going blind: Shielded by software that uses encryption to secure text or voice communications, criminals and terrorists are planning attacks and exploits on the very same platforms that you might use to stay in touch with your mom.

But Comey’s alarm over what he likes to call the “going dark” problem, echoed by other top law-enforcement and intelligence officials, has been met with resistance from tech companies, and experts say the government’s appeal for a way to access encrypted content is unrealistic.

Instead, some have placed the onus of innovation on the government instead of the private sector. Michael McConnell, a former NSA head who went on to become the Director of National Intelligence under George W. Bush, said late last year he thinks it’s up to law enforcement to “adapt to ubiquitous encryption.”

A new report signed by technical experts, civil-liberties advocates, and former government officials backs up McConnell’s view. The authors of the report, released Monday by Harvard University’s Berkman Center and funded by the Hewlett Foundation, say there are already more than enough ways for the government to gain access to data they want—even if encryption is on the rise.

One of those ways, the authors wrote, is to rely on the fast-expanding network of sensors, microphones, and cameras that have broken free from their usual homes in computers, tablets, and smartphones, and taken up residence in smart TVs and intelligent thermostats, networked security cameras and children’s toys, car dashboards, and kitchen appliances.

Many of the gadgets in the vaunted “Internet of Things” send data streams to servers operated by their manufacturers for processing, storage, and retrieval. That’s how you can check up on the the live camera feed from your living-room Nest Cam—a popular security camera manufactured by Google’s sister company—or browse its recording history to determine how that stain got into the carpet last night.

The data that lives on these servers is generally secured and held for customers to download at their leisure. But the hosting company can access the information, too, and is sometimes compelled to do so by the government. Law enforcement often relies on subpoenas to obtain data that consumers share with companies, avoiding the need for a more burdensome search warrant, which requires a judge’s approval. They’re enabled by the third-party doctrine, a precedent which allows the government to obtain records that have already been been shared voluntarily with someone.

For police, this means less work: Why go through the trouble of gathering data on you if you’ve already given that data to a corporation, which keeps it in a nice, tidy database on a server in Iowa? The government doesn’t even need to notify the subject of a subpoena that they’re downloading his or her data from a third party.

Using subpoenas to collect Internet-of-Things data is still a relatively young practice. In its transparency report, Nest says it has received fewer than 25 government requests for user data. A spokesperson for the company would not say how many times Nest complied with those requests. A Fitbit spokesperson told BuzzFeed in November that it had received a single-digit number of requests, but would not say how many it complied with.

This sort of intelligence-gathering will only get easier as more and more Internet-of-Things devices come on line. By one estimate, the number of Internet-connected things will exceed 6 billion sometime in 2016, and will surpass 20 billion by 2020.

Law enforcement doesn’t even always have to go to companies, which may put up a fight to protect the privacy of their consumers, in order to gain access to valuable data streams. Agents can use a suspect’s own devices for surveillance if they are able to hack into them, said Candid Wueest, a threat researcher at Symantec.

The government is not afraid of hacking to get what it needs. Last year, the FBI used a hacking tool to reveal the IP addresses of hundreds of computers that visited a child-pornography site on the dark web, in a complex operation that resulted in charges for 137 people.

But in the nascent Internet of Things, one need not go to such trouble to access private data. Shodan, a search engine that trawls the Internet for connected devices and catalogs them, built a tool that allows users to browse feeds from poorly secured webcams around the world. Scrolling through the offerings, you can see into coffee shops, homes, offices, and other private places. One webcam in Vancouver, British Columbia, is trained on an ominous-looking digital control panel.

The privacy advocates and technologists that signed onto the Berkman Center report are in the curious position of reminding the government of the vast opportunities for surveillance on today’s Internet, while simultaneously warning about the civil-liberties issues that those opportunities invoke.

“Don’t panic,” the authors tell government doomsayers: There will always be ways to watch us. But by pointing out the potential for connected devices to become a vast surveillance network, they hope also to prod companies and policymakers into action to secure them.

I asked Jonathan Zittrain, a Harvard professor who was one of the report’s lead authors, if tightening up Internet-of-Things security would eventually lead to another confrontation with law enforcement. This isn’t the first time the government has tried to intervene when faced with improvements in information security, and it’s unlikely to be the last.

Zittrain says it’s essential to address privacy and security concerns on the Internet of Things before it becomes a default conduit for government data-gathering. A rehash of the going-dark debate might be avoided if Internet-of-Things security develops before “settled patterns and expectations of easy surveillance.”

Meanwhile, every week seems to bring something online that has never before been connected to the Internet. Often, manufacturers of these new “smart” devices are focusing on convenience at the expense of security, producing results like a connected kettle that leaks wi-fi passwords.

At this rate, it may not be long until a court case hinges on evidence obtained by hacking into a toaster, subpoenaing fitness-band records, or exploiting the built-in microphone in a smart TV.