What do your internet of things (IoT) devices have in common with Santa Claus?
They see you when you’re sleeping, they know when you’re awake, they know if you’ve been bad or good — at least when it comes to meeting your fitness or diet goals, perhaps.
But Saint Nick won’t ever be called as a witness in a murder trial, while IoT data has already been critical to cracking several criminal prosecutions. Most recently, the police in San Jose, California, charged a 90-year-old man with murdering his stepdaughter based on a silent witness: her Fitbit Alta HR fitness tracker.
How IoT Devices Built a Case for Murder
The suspect admitted that he had visited the victim shortly before her death but said she was fine when he left. Her fitness tracker told a different story. It showed that her heart rate spiked at 3:20 p.m. before rapidly slowing and, ultimately, stopping altogether at 3:28 p.m.
The clincher, though, came from another connected device. A surveillance video showed that the suspect’s car was still at the victim’s home a full five minutes after the Fitbit stopped detecting a pulse. These witnesses had one essential factor in common. As the police noted, “Both systems were on internet time, and there was no deviation.”
This wasn’t the first use of a fitness tracker or other IoT device in a criminal investigation, and it won’t be the last. Now, our increasingly connected devices are making their way from theory into reality and from criminal prosecutions into civil litigation and internal investigations. Some of this data is already familiar from vehicle-related litigation, such as tracking systems on delivery trucks and other commercial vehicles. Expect to see additional applications limited only by the creativity of investigators and attorneys. For example, litigation of sexual harassment claims, product liability cases, employment disputes, and contract cases could all turn on IoT data for at least corroboration, if not outright proof of a claim.
And that’s going to bring a huge volume of increasingly complex and varied data into the realm of ediscovery.
More IoT Data, More Problems
There are billions of connected devices today. Gartner estimated that there would be 8.4 billion IoT devices in 2017, rising to 20.4 billion by 2020. Each device generates its own unique and independent data stream, lending more volume and greater complexity to the universe of data that ediscovery lawyers must navigate.
While electronically stored information (ESI) was defined broadly enough in Federal Rule of Civil Procedure 34 to incorporate these new technologies, the unique features of IoT devices promise to pose tremendous challenges for data management. Companies will have to find a way to access ESI from IoT devices, often from reluctant manufacturers. Law enforcement officers can — as they did in the San Jose investigation — apply for a search warrant to obtain data from device manufacturers.
Corporations may have a less direct and more treacherous path. (Remember, Amazon didn’t even want to cooperate with a search warrant when it came to turning Echo voice recordings over to law enforcement.)
Even after obtaining data, companies will have to overcome the challenges posed by its volume, format, and complexity. Every type of IoT device might generate its own proprietary form of data, in relentless quantities.
And then there are other concerns that are unique to ediscovery.
Ediscovery-Specific Issues With IoT Data
Potentially relevant data must, of course, be preserved for litigation. But each IoT device, manufacturer, and case will pose its own unique questions regarding when data is in the user’s or the device owner’s actual “possession, custody, or control” under Rule 34. Most of these devices have a limited capacity to store data themselves. Instead, they typically upload data to cloud-based accounts accessible by the user. That data may be overwritten or erased automatically, and often rapidly. Determining how to preserve data, and getting to it quickly enough to do so, will be a substantial hurdle to its use.
Nor is that the end of the data-fragility conundrum. Depending on the device, data may be subject to immediate or intentional spoliation through restarting the device, interrupting its power supply, disabling its internet connection, or perhaps even just moving it out of range of its known internet access point so that it cannot sync its data to the cloud. There’s also the potential for falsification of data or hacking of IoT devices. (That’s why Gartner estimates that by the end of 2018, worldwide spending on security for IoT devices will reach $1.5 billion.)
Proportionality under Rule 26 poses another interesting dilemma. Data from an IoT device may, at least initially, serve more often as corroborating rather than primary evidence. For example, suppose an employee reports that she was harassed in the lunchroom while waiting for her coffee to reheat in the microwave. The accused employee disputes that narrative entirely. Yes, the data from the microwave might corroborate the complainant’s account, but is it proportional to the needs of the case when considering the cost of obtaining it?
Applications of IoT data in civil investigations and litigation will require creative dissection of claims and an open mind with regard to available evidentiary sources — and that process will have to happen at light speed to ensure that data is preserved.
Still, take just a moment to imagine litigating a case today without relying on email evidence. Ten years from now, that may be exactly how we feel about investigating or litigating without IoT data.