The rapid proliferation of Internet of Things (IoT) devices has transformed the way we interact with the world around us. From modern cars to smart TVs and home assistants like Google Home and Amazon Alexa, these connected devices have become an integral part of daily life. In fact, experts estimate that by 2025, there will be over 75 billion IoT devices in use globally, creating an unprecedented volume of data that continues to grow exponentially.
With IoT devices generating a constant stream of data, from voice commands and sensor readings to location tracking and usage logs, they leave behind a vast digital footprint. Ediscovery practitioners are recognizing the potential of this data, mining it for valuable electronically stored information (ESI) that can play a critical role in litigation and investigations. However, tapping into IoT data requires specialized tools and knowledge, as the format and nature of this data differ significantly from traditional ESI sources, such as emails and documents.
As IoT devices become even more embedded in our lives, legal teams must adapt and prepare for the challenges and opportunities this new frontier of digital evidence presents.
What it is: The network of physical objects (things) that are embedded with sensors and software to connect and exchange data with other devices or systems via the internet.
How many users: The IoT is an ecosystem of over 15 billion web-enabled devices, from smart refrigerators to doorbell cameras. It is predicted that more than 75 billion IoT devices will be connected by 2025.
Challenges: Balancing privacy with the need for data
The internet of bodies
There is an entire subgenre of the internet of things called the internet of bodies, which is composed of smart devices on (and sometimes inside of!) the human body. Think of devices like smart pacemakers, Oura rings, Fitbits, and insulin pumps controlled from a mobile device.
Use of wearable technology has more than tripled in the last several years, with the emergence of ever more categories, and of companies creating everything from smart glasses to smart clothing, and even e-sensor patches.
In 2022, there were over 1 billion connected smart devices recorded – and many of these devices can act as witnesses in court.
The “internet of bodies” is revolutionizing healthcare and often greatly improving quality of life – but this wealth of data poses fundamental concerns about the individual right to privacy and autonomy.
Regulations and case law are still emerging, and there are numerous legal and ethical issues practitioners should be aware of.
“When it comes to regulating the Internet of Bodies (IoB), it's the Wild West.”
IoT and IoB in Court
Several cases have been decided based upon information harvested from IoT devices, and that number is likely to grow significantly in the coming years.
Here are a few examples:
- The comprehensive biometric tracking of devices like FitBits and Apple Watches has been used as evidence to disprove personal injury claims when the claimant was exercising despite claiming grievous injuries — and even in a murder case.
- Large logistics and shipping organizations have begun employing web-enabled trackers across their fleet of vehicles over the last few years. Data from these trackers has found its way into personal injury and property damage cases, and the lack of defensible preservation of this data has resulted in claims of spoliation.
- Ever-listening devices like Amazon Echo, Dot, and Google Home are increasingly turned to as a source of evidence of crime. In the most well-known case, a combination of Amazon Alexa and a smart water meter were hotly contested sources of evidence in a murder case that hinged on the 3 a.m. draining and refilling of a hot tub.
- Doorbell cameras such as Ring and Nest routinely create videos which are often automatically stored in the cloud (and, on occasion, may be posted by users to video-sharing platforms). Such videos may capture evidence of events such as car accidents. They are admissible in court, and may even be subpoenaed by law enforcement — although the FTC has set limits on who can access these recordings, and how.
- Most cars today collect, record, and transmit potentially relevant ESI. GPS sends and receives information about car's location and speed. Google Maps, Garmin, and Waze all maintain a record of the places you have visited and the routes you took to get there. And Google Timeline maintains a record of your movements and whereabouts even if you commute on foot or via public transit, so long as your phone is in your pocket.
Considerations and best practices: IoT Devices
Don’t overlook IoT devices
For many legal practitioners, IoT data might not even be considered when scoping for ediscovery and data requests.
Expand your custodial interview and ESI scoping questions to include potentially relevant IoT data, and make sure your request is as narrow as possible to avoid being overwhelmed by data.
Most corporate legal departments have yet to include IoT data in their data governance or litigation response plans, so it is important to raise the issue and reevaluate your data governance to include it. Additionally, specificity is key in making requests for IoT data, especially because many respondents may be unfamiliar with it.
Prioritize preservation – IoT data is prone to spoliation
IoT devices have an increased susceptibility to data modification and destruction due to their dynamic nature. Actions as routine as restarting the device, interrupting its power supply, disabling its internet connection, or even just moving it out of range of its known internet access point (so that it cannot sync its data to the cloud) can all impact the data integrity.
Additionally, many IoT devices have very short windows of time before data is overwritten or automatically erased, so determining a collection approach quickly should be a top priority.
Tread carefully: IoT and IoB comprise a potential privacy minefield
IoT and IoB devices have raised privacy concerns regarding the data that can be collected and shared by these devices. A number of regulations have emerged, as well as case law coming out of related litigations.
As privacy considerations relate to ediscovery, the Stored Communications Act (SCA) generally prevents providers of electronic communication services from divulging private communications. That being said, the SCA does not preclude the court from requesting the data from the person in physical possession of a smart device (Flagg v. City of Detroit).
IoB devices have especially pressing privacy concerns because they track, record, and store things like users’ whereabouts, vital signs, and bodily functions. Some devices can even track what a user sees and hears.
Can a health insurance company deny coverage based on information from a wearable or embedded device? Determining who can access, collect, or interact with this sort of personal information and personal health information is a key consideration with any IoB device.
Plan ahead: Companies behind IoT devices may put up a fight
Large enterprises with IoT products are not always forthcoming with providing the ESI from their smart devices. In the aforementioned murder case involving Alexa data, Amazon fought for years before ultimately turning the data over — which the company did only after the suspect himself yielded his Alexa device to law enforcement officials.
It is also important to consider the device owner’s actual “possession, custody, or control” under Rule 34 — this question is complicated due to the web-enabled nature of the devices.
Choose a technology provider that can handle IoT data
Data generated by IoT devices does not always play nice with traditional ediscovery platforms.
It is important to understand the data format you are engaging with, any potential limitations, and what level of usability the technology you rely on will provide the data for you.
Ediscovery Expanded: Mastering Complex Data from Slack to Signal and Beyond
Now that you’ve mastered internet of things data, uncover the considerations and best practices for handling other complex data types in ediscovery, including:
- Mobile data
- Ephemeral messaging
- Social media platforms
- Virtual conferencing data
Download the complete guide here.
And, if you’re ready to collect from collaborative data sources with DISCO, request a demo to see what we can do for you.