One of those ways, the authors wrote, is to rely on the fast-expanding network of sensors, microphones, and cameras that have broken free from their usual homes in computers, tablets, and smartphones, and taken up residence in smart TVs and intelligent thermostats, networked security cameras and children’s toys, car dashboards, and kitchen appliances.
Many of the gadgets in the vaunted “Internet of Things” send data streams to servers operated by their manufacturers for processing, storage, and retrieval. That’s how you can check up on the the live camera feed from your living-room Nest Cam—a popular security camera manufactured by Google’s sister company—or browse its recording history to determine how that stain got into the carpet last night.
The data that lives on these servers is generally secured and held for customers to download at their leisure. But the hosting company can access the information, too, and is sometimes compelled to do so by the government. Law enforcement often relies on subpoenas to obtain data that consumers share with companies, avoiding the need for a more burdensome search warrant, which requires a judge’s approval. They’re enabled by the third-party doctrine, a precedent which allows the government to obtain records that have already been been shared voluntarily with someone.
For police, this means less work: Why go through the trouble of gathering data on you if you’ve already given that data to a corporation, which keeps it in a nice, tidy database on a server in Iowa? The government doesn’t even need to notify the subject of a subpoena that they’re downloading his or her data from a third party.
Using subpoenas to collect Internet-of-Things data is still a relatively young practice. In its transparency report, Nest says it has received fewer than 25 government requests for user data. A spokesperson for the company would not say how many times Nest complied with those requests. A Fitbit spokesperson told BuzzFeed in November that it had received a single-digit number of requests, but would not say how many it complied with.
This sort of intelligence-gathering will only get easier as more and more Internet-of-Things devices come on line. By one estimate, the number of Internet-connected things will exceed 6 billion sometime in 2016, and will surpass 20 billion by 2020.
Law enforcement doesn’t even always have to go to companies, which may put up a fight to protect the privacy of their consumers, in order to gain access to valuable data streams. Agents can use a suspect’s own devices for surveillance if they are able to hack into them, said Candid Wueest, a threat researcher at Symantec.
The government is not afraid of hacking to get what it needs. Last year, the FBI used a hacking tool to reveal the IP addresses of hundreds of computers that visited a child-pornography site on the dark web, in a complex operation that resulted in charges for 137 people.