How Internet of Things devices affect your privacy – even when they’re not yours

Some unusual witnesses helped convict Alex Murdaugh of the murders of his wife, Maggie, and son, Paul.

The first was Bubba, Maggie’s yellow Labrador retriever. Prosecutors used a recording of Bubba to place Alex at the site of the murders. Given Alex’s presence at the crime scene, other witnesses then revealed his movements, tracked his speed and explained what he had in his hands. Those other witnesses were a 2021 Chevy Suburban and Maggie, Paul and Alex’s cellphones, which all provided data. They’re all part of the Internet of Things, also known as IoT.

The privacy implications of devices connected to the internet are not often the most important consideration in solving a murder case. But outside of criminal prosecution, they affect people’s privacy in ways that should give everyone pause.

The Internet of Things

The Internet of Things includes any object or device that automatically sends and receives data via the internet. When you use your phone to message someone or social media to post something, the sharing is deliberate. But the automatic nature of connected devices effectively cuts humans out of the loop. The data from these devices can reveal a lot about the people who interact with them – and about other people around the devices.

As an assistant professor of law at the University of South Carolina, I have watched as new kinds of connected devices have entered the market. New devices mean new ways to collect data about people.

Read more:
AI tools collect and store data about you from all your devices – here’s how to be aware of what you’re revealing

Connected devices collect information from different contexts. Take your refrigerator. As a non-IoT device, your fridge generated no data about your kitchen, your food or how often you peeked inside. Your relationship with the fridge was effectively private. Only you knew about that midnight snack or whether you ogled a co-worker’s lunch.

Now, smart refrigerators can respond to voice commands, show images of the items in your fridge, track who opens it, suggest recipes, generate grocery lists and even contact your car to let you know the milk has expired. All these functions require continuous streams of data.

Device data and your privacy

Connected devices generate lots of data in contexts that have typically produced little data to make those situations “legible” to whoever can access the data.

In the past, if you wanted to monitor your heart rate, blood oxygenation, sleep patterns and stress levels, you might have undergone a battery of tests at a hospital. Specialized equipment in a controlled setting would have measured your body and make these parts of you visible to highly trained, licensed professionals. But now, devices such as the Oura Ring track and analyze all that information continuously, in non-health care contexts.

Even if you don’t mind sharing data with an Internet of Things company, there are privacy risks to using a device like this. In the health care context, a series of rules enforced by several groups make sure that connected equipment and the data the equipment generates have adequate cybersecurity protections. Away from that context, connected devices that perform similar functions don’t have to meet the same cybersecurity standards.

The U.S. Cyber Trust Mark program, administered by the Federal Communications Commission, is developing cybersecurity standards for Internet of Things devices. But the program is voluntary. In some states, such as Washington, state laws set standards for protecting health data from connected devices. But these laws don’t cover all data from all devices in all contexts. This leaves the devices, and the data they generate, particularly vulnerable to unwanted access by hackers.

Your inability to control who sees the data that connected devices gather is another privacy risk. It can give advertisers insights about potential customers. Absent a mandated opt-out, each device provider can decide what it does with customer data. Amazon, for example, recently removed the “Do Not Send Voice Recordings” option from the privacy settings of its popular smart speaker, Alexa.

Some connected-device providers participate in data markets, selling your data to the highest bidder. Sometimes those purchasers include government agencies. So, instead of needing a warrant to track your whereabouts or learn about activity in your home, they can purchase or access Internet of Things records.

A connected device can also compromise the data privacy of someone who just happens to be nearby.

Connected cars

Cars have joined the ranks of the Internet of Things. The 2021 Chevy Suburban that helped convict Alex Murdaugh simply tracked information about the vehicle. This included the vehicle’s speed, the turning radius of the steering wheel and time stamps.

Most modern vehicles also incorporate data from external sources. GPS data and infotainment systems that connect to cellphones also track the vehicle’s movements. All of this data can also be used to track the whereabouts and behavior of drivers and other people in the vehicles.

And as vehicles become increasingly automated, they need to make driving decisions in increasingly complex situations. To make safe driving decisions, they need data about the world around them. They need to know the size, speed and behavior of all the nearby vehicles on the roadway, moment to moment. They need to instantly identify the best way to avoid a pedestrian, cyclist or other object entering the roadway.

If you and I are driving in separate cars on the same roadway, it means my car is collecting information about you. And if my vehicle is connected, then data about you is being shared with other cars and car companies. In other words, if a Tesla had been present at the scene of the Murdaugh murders, its outward facing cameras could have captured footage. Bubba’s testimony might not have been necessary.

Spillover data collection

Internet of Things devices generate data from similar situations in a highly structured way. Therefore, what data collectors learn about me from my connected device may also give them insights about someone else in a similar situation.

Take smart meters that share information with the water utility every 15 minutes. Imagine a subdivision with a narrow range of house and yard sizes. Water usage should be relatively comparable for each household. Data from even just a couple of houses can give a good sense of what water use should be for everyone in the neighborhood. Without actually collecting data from each house, data from connected devices reveals potentially private information about similarly situated people.

Data from IoT devices can also fuel insights into people who never use or make contact with these devices. Aggregated data from Oura rings, for instance, could contribute to decisions a health insurer makes about you.

Connected devices are also changing. In addition to collecting data about the person using the device, a growing number of sensors collect information about the environment around that person.

Some of my research has examined what privacy means for people observed by vehicle sensor systems such as radar, lidar and sonar. These technologies capture potentially very revealing information about people and their property. Even the most comprehensive privacy laws in the United States offer people little recourse for the impact to their privacy.

Civilian drones are capable of gathering data about other people. But people observed by drones would have a tough time learning that data about them exists and an even harder time controlling how that information might be used.

Meanwhile, artificial intelligence systems are expanding the ways Internet of Things data can affect the privacy of other people by automating the process of training IoT systems. AI chipmaker Nvidia has created a digital environment, or model, where people can upload their connected device data. This environment can help train IoT devices to “predict the outcomes of the device’s interactions with other people,” according to Nvidia.

Models like this make it easy for AI devices that you don’t own to collect data or reach conclusions about you. In other words, IoT data processed by AI can make inferences about you, rendering you legible to the AI system even before you interact with an IoT device.

Looking forward

Internet of Things devices and the data they generate are here to stay. As the world becomes increasingly automated, I believe it’s important to be more aware of the way connected devices may be affecting people’s privacy.

The story of how vehicle data combined with cell data in the Murdaugh trial is a case in point. At the start of the trial, prosecutors came ready to show “phone call logs and texts, steps recorded, apps asking for information, GPS locations, changes when the phone went from vertical portrait mode to horizontal landscape mode and back, and — key to the prosecution’s case — when the camera was activated.”

But that was probably not enough to merit a conviction. During the trial, GM called and said something like “oh wait, we found something,” according to the prosecution. That vehicle data, combined with the cellphone data, told a story that Alex Murdaugh could not deny.

There are at least two lessons from this story. First, not even GM fully realized all the data it had collected in its vehicles. It’s important to be aware of just how much information IoT devices are collecting. Second, combining data from different IoT devices revealed incontestable details of Alex Murdaugh’s activities. Away from criminal court, combining data from multiple IoT devices can have a profound effect on people’s privacy.

If people’s data privacy matters, how do we address this reality? One way of potentially protecting people’s privacy is to make sure people and communities observed by connected devices have a direct say in what data the devices collect and how the data is used.

This article is part of a series on data privacy that explores who collects your data, what and how they collect, who sells and buys your data, what they all do with it, and what you can do about it.