It’s become difficult to determine the limits of privacy in an age of ever-increasing technology.
We are all aware of the tug of war going on between social media companies, such as Facebook, and their users and society in general, over who is permitted access to users’ private information, and under what conditions.
This is only the most newsworthy and visible part of a process of determining what data is private and what is allowed to be accessed that is going on in our world today.
In this posting, I want to concentrate on an aspect of the privacy debate that is perhaps more impactful if less visible: the issue of e-discovery.
“Discovery”, used as a legal term, is essentially about gathering all information that may be relevant to a legal proceeding, whether civil or criminal.
Discovery, in the law of the United States and other countries, is a pre-trial procedure in a lawsuit in which each party, through the law of civil procedure, can obtain evidence from the other party or parties by means of discovery devices such as a request for answers to interrogatories, request for production of documents, request for admissions and depositions. — Wikipedia
Until the latter part of the 20th century, discovery pertained to two types of material: written documents and personal testimony. With the advent of computers, databases, and the Internet, however, discovery grew to encompass all forms of stored data, whether physical or virtual.
The issue of what constituted discoverable, electronically stored information was not fully settled in the United States until 2005, in a landmark civil case about discrimination.
In Zubulake v. UBS Warburg, the court ultimately set down rules–later enshrined by Congress in a 2006 amendment to the Federal Rules of Civil Procedure–that governed what electronic data is permitted to be discovered, and who ultimately pays for the production costs. (A number of US states have their own discovery rules for cases in state courts.)
This process, known as e-discovery, has become a subspecialty in the legal profession, with technical experts who are capable of commenting as experts on the complexity of the discovery process and helping defendants and plaintiffs through the legal thicket surrounding it.
After 2006, it seemed clear that e-discovery was now another tool in the arsenal of the legal profession and courts, and it appeared to be a clearly defined and settled process.
I think we all know the real story when it comes to technology: there’s never an end to the new ways in which technological advancements, while making life simpler in many ways, can also complicate matters in unexpected ways.
With the advent of the Internet of Things (IoT), there’s now an entirely new and fundamentally different source of data ripe for use in the judicial system.
Given the wide range and sheer number of devices that can be connected to the Internet, and which can store data that might be relevant to a judicial proceeding, things promise to get much more complex.
Imagine the following scenario: a defendant in a murder trial claims he has an alibi that places him far away from the scene of the crime, but that data consists of logs contained in network routers to which he connected from his smartphone. If those logs can be made available, so his defense team would argue, this would constitute exculpatory evidence and force a finding of “not guilty” of the crime.
The prosecution might argue that finding the owners of those routers, be it a coffee shop or a retailer, might present an undue burden to the court, and might well expose what could be private information belonging to individuals with no relationship to the legal proceedings.
This is only the simplest example of what could become a complex process, fraught with implications for society as a whole.
What other devices could provide damning or exculpatory evidence? What if such devices do not report to a central data repository, but keep their data locally–how is the defendant to know these exist and compel production?
Further, in the case of data manipulation systems that have existed since before the mid-2000s (such as email), rules are often in place that require archiving of data for specified periods of time or under specified conditions. What about IoT data? When designing IoT systems, the last thing on the designer’s mind (if it occurs to him/her at all) is the regulatory or corporate requirements for archiving the sensor data. Must this now become part of the system design process?
Perhaps the more concerning aspect might be the use of IoT data in a criminal trial, where data presumed to be private (and which would be in non-technological situations) are opened to the e-discovery process.
If this seems a somewhat farfetched concern, a few recent cases might make you rethink that stance.
In the case of State v. Bates, the prosecution asked for stored voice data from an Alexa system in the suspect’s home. Amazon fought this on First Amendment grounds. Although Amazon dropped its case when the defendant in the murder case authorized the release of the voice data (assuming it would help his defense case), that doesn’t represent the end of the issue.
In Below v. Yokohama Tire Corp., the court ruled that the pre-trial destruction of the Electronic Data Recorder system in the vehicle, which the defendant believed would provide a “shield” against the plaintiff’s claims, meant that the plaintiff’s legal team could not use the lack of information as a “shield”. Regardless of what the outcome of the case would have been had the EDR been preserved, the need to preserve data in a system that stores data as an operational aspect of its functioning should give pause to all designers and developers.
One other example of the complexity around this topic: early IoT devices did not pay attention to best practices for security. Many devices used the same credentials across multiple instances. Later firmware updates may have fixed this oversight, but during the time before the mitigation, data collected by the device may have permitted unauthorized third parties access to data never intended to be made public. After the security updates, was the manufacturer or programmer of the IoT device required to keep copies of access logs? If so, are these subject to e-discovery as they might be relevant to an invasion of privacy suit?
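Two of the design questions raised above (retaining sensor or access logs for a defined period, and being able to show later that retained logs were not altered after the fact, as the EDR example illustrates) have a concrete engineering shape. The following is an added example, not code from the original post or from any IoT vendor: a small Python module that keeps device access-log entries in a SHA-256 hash chain so that any later edit is detectable, applies a retention window with a legal-hold override, and flags a credential identifier that appears on more than one device (the shared-credential weakness described in the paragraph above). The event records, device names and credential identifiers are constructed for the example; the function names are hypothetical.

```python
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed sample access-log events (not real device data).
# "cred_id" is an opaque identifier for the credential used, never the secret itself.
SAMPLE_EVENTS = [
    {"ts": "2018-01-10T08:00:00Z", "device": "cam-001", "cred_id": "factory-default-01", "src": "203.0.113.5", "ok": True},
    {"ts": "2018-01-11T09:30:00Z", "device": "cam-002", "cred_id": "factory-default-01", "src": "203.0.113.9", "ok": True},
    {"ts": "2018-02-01T12:00:00Z", "device": "cam-001", "cred_id": "user-7f3a", "src": "198.51.100.2", "ok": True},
    {"ts": "2018-02-15T22:15:00Z", "device": "cam-003", "cred_id": "factory-default-01", "src": "203.0.113.44", "ok": False},
    {"ts": "2018-03-01T07:45:00Z", "device": "cam-002", "cred_id": "user-9b2c", "src": "198.51.100.7", "ok": True},
]

GENESIS = "0" * 64  # previous-hash value for the first entry


def parse_ts(ts):
    """Parse the ISO-8601 UTC timestamps used in the sample events."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def entry_hash(prev_hash, event):
    """Hash the previous entry's hash together with a canonical JSON form of the event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


class ChainedAccessLog:
    """Append-only log where each entry commits to the hash of the entry before it."""

    def __init__(self):
        self.entries = []

    def append(self, event):
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        event = dict(event)  # copy so later tampering tests don't touch the caller's data
        h = entry_hash(prev, event)
        self.entries.append({"event": event, "prev": prev, "hash": h})
        return h

    def verify(self):
        """Return -1 if the chain is intact, else the index of the first broken entry."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if e["prev"] != prev or entry_hash(prev, e["event"]) != e["hash"]:
                return i
            prev = e["hash"]
        return -1


def build_log(events):
    log = ChainedAccessLog()
    for ev in events:
        log.append(ev)
    return log


def credentials_shared_across_devices(events):
    """Map each credential id used on more than one device to the sorted list of those devices."""
    by_cred = {}
    for ev in events:
        by_cred.setdefault(ev["cred_id"], set()).add(ev["device"])
    return {c: sorted(d) for c, d in by_cred.items() if len(d) > 1}


def events_within_retention(events, now, retention_days, legal_hold=False):
    """Select events still inside the retention window; a legal hold keeps everything."""
    if legal_hold:
        return list(events)
    cutoff = now - timedelta(days=retention_days)
    return [ev for ev in events if parse_ts(ev["ts"]) >= cutoff]


if __name__ == "__main__":
    log = build_log(SAMPLE_EVENTS)
    print("chain intact:", log.verify() == -1)
    print("shared credentials:", credentials_shared_across_devices(SAMPLE_EVENTS))
    now = datetime(2018, 3, 10, tzinfo=timezone.utc)
    print("kept under 30-day retention:", len(events_within_retention(SAMPLE_EVENTS, now, 30)))
```

The hash chain does not stop an operator from deleting the whole log, which is why the retention and legal-hold decision has to be made up front; what it does give a reviewer is a cheap way to show that the entries produced to a court are the ones that were written at the time.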
What it comes down to is this: IoT adds a wealth of new opportunities to provide–or hide–data that could make the judicial system more or less likely to render justice properly.
Now, companies need to begin to consider IoT design and usage policies that address the coming issues, before the devices are fielded and it possibly becomes too late to deal with the consequences properly.