Detectives are being trained to process data gathered from Internet of Things (IoT) “smart” devices for use in criminal investigations, Scotland Yard’s forensic head Mark Stokes has told The Times.
Internet-enabled fridges, toasters, washing machines and coffee makers have endured a mixed press – security flaws that render them potentially hackable have been a recurring theme recently – but to police the forensic opportunity is the real deal.
Consumers are slowly filling their homes with data-gathering IoT devices, which means that tomorrow’s crime scene will start with such items, claimed Stokes: “Wireless cameras within a device such as the fridge may record the movement of suspects and owners. Doorbells that connect directly to apps on a user’s phone can show who has rung the door. All these leave a log and a trace of activity.”
The story is timely, coming only days after police in the US reportedly asked Amazon to give them access to audio data from a suspect’s Echo home hub in case that yields information important to a murder investigation.
In that case, police also noted that the suspect’s smart water meter recorded 140 gallons of water as having been used between 1am and 3am in the morning, hours before victim Victor Collins was found dead in a hot tub.
It sounds like an open and shut case. In principle, police can already gather digital evidence from internet security cameras, so why not other devices too?
In the UK, requesting admissible data from IoT devices shouldn’t even require a change to the law, and should be covered under legislation going as far back as the Police and Criminal Evidence Act 1984 (PACE).
Unfortunately, things won’t be that simple for reasons The Times omits to mention
A fundamental issue is the accuracy and tamper-proofing of the data these devices gather. For example, using IoT data will almost certainly depend on accurate time-stamping and it’s not clear that how many devices can guarantee that to admissible standards of evidence.
In other cases, even accessing the data could prove difficult if that requires a suspect to grant access to a password they can’t legally be compelled to reveal.
As the Amazon Echo cases warns, going to big platform vendors to get around this could cause other problems. As Amazon responded when asked about the police Echo request: “Amazon will not release customer information without a valid and binding legal demand properly served on us. Amazon objects to overbroad or otherwise inappropriate demands as a matter of course.”
Battling wider government demands to loosen encryption, the last thing big tech companies want is to find themselves fending off another attempt to turn them (as they see it) into convenient proxies for official snooping.
Digital data, it turns out, doesn’t work like conventional forensics data such as fingerprints or DNA. Data can be in different places at once and its veracity is open to immediate challenge. Who “owns” it in terms of privacy is unclear.
The day when suspects are convicted of crimes on the basis of data recorded by the fridge or toaster may be some way off yet.