Illinois Prohibits Police Use of Household Electronic Data
The smart house is upon us. One may be surrounding you now, with internet-enabled security systems, doorbells, air conditioner, refrigerator, mattress, windows, music speakers, and children’s toys. Your television may be pinging your smartphone and computer. Your game system likely knows your face.
I have already written about household security drones and countless threats to privacy in your home. More connected appliances and devices are coming to your house, whether you want them or not. Both manufacturers and retails will push these “upgrades” to consumers because, as we have seen with connected cars and trucks, the manufacturers and retailers use the connectivity to collect oceans of useful information about the products themselves and about your interaction with the products. In short, selling an internet enabled dishwasher may not provide significant value to the consumer, but it allows serious benefits to the appliance manufacturer who now has insight into the consumer’s house.
How can this be used to affect our private lives? Take the case of the innocuous-sounding Canadian company Standard Innovation. Five years ago Standard Innovation defended a class action lawsuit in federal court in Chicago alleging that the company illicitly accessed personal information collected by its We-Vibe sex toys, which could be remotely accessed and controlled by smartphones. White-hat hackers demonstrated how the We-Vibe could be hacked and controlled by an outside party. According to the New York Times, “About 300,000 people purchased We-Vibe devices covered by the class action, and about 100,000 downloaded and used the app, according to a memo filed with the settlement agreement.” Standard Innovation settled the case for about $3.75 million.
Teledildonics aside, we have seen German regulators ban the smart dolls from Genesis Toys, which the regulators claim can record private conversations over a Bluetooth connection. Baby monitors have been suspect for years, and now we have reports of internet enabled toilet roll holders counting the revolutions of the roll and sending the information outside the home. This from the same inventor who brought us the Internet of Things (IoT) shower valve controller. Companies and hackers could be invading our lives through these devices. What could be worse? How about the police invading your privacy by listening to your IoT enabled household?
We know that law enforcement already taps into home security system video where the security companies allow, but should officers have access to the other data being collected from by the stuff around you at home? Until recently, no legislature put limits on this kind of government surveillance.
Last summer Illinois Governor Pritzker signed into law an act limiting police access to the information collected in your house by your appliances and other personal electronic devices. Should this data already be protected in the US by the Fourth Amendment protection against search of your home, especially given that the Supreme Court has repeatedly recognized that a person’s expectation of privacy is greatest within the walls of home? Probably. But technology can outpace the law and it may be years before the courts confirm that each American has the right to household privacy of electric data collection. So the Illinois law comes as a welcome clarification.
The law is called the Protecting Household Privacy Act (PHPA) and it safeguards a class of information called household electronic data from indiscriminant collection. Equipment covered by the PHPA includes any device primarily intended for use within a household that is capable of facilitating any electronic communication, and excludes personal computers, cell phones, smartphones, tablets, and modems/routers/set-top-boxes. So it covers all the IoT boxes discussed above and all the new connected appliances, toys and fixtures soon to be invading Illinois homes.
The PHPA covers collection of this household electronic data and further storage or use of the data. The PHPA restricts law enforcement agencies from acquiring data directly from these devices or from third-parties who manage that data unless the homeowner consents to police taking the data. The other alternatives to allow such government surveillance include the police first obtaining a judicial warrant, or specific incidences relating to life-threatening emergency situations or calls for emergency services. In the case of emergencies, the law enforcement agency must still apply for a warrant within 72 hours to approve the collection of the data. If the warrant is denied, then the data is inadmissible in court. In addition, the PHPA mandates that even lawfully obtained household electronic data be destroyed within sixty days unless there is a reasonable suspicion that the information contains evidence of criminal activity or that the information is relevant to an ongoing investigation.
Illinois residents are protected, so what about the rest of us? As stated above, I expect that US courts are likely to find that intimate data, including audio and video recordings, collected by IoT devices within our homes is likely Constitutionally protected, requiring a judicially-issued warrant for police to read it. But I may be wrong. Also, we do not know when such a legal requirement will be recognized for all Americans, and in the meantime law enforcement agencies will continue to press their advantage until a court tells them to stop.
Our homes will continue to fill with more connected devices silently pulling information about our most intimate habits and activities and sending that information invisibly to be collected and analyzed elsewhere. Law enforcement may begin to count on such surveillance that was never intended for their benefit or access, and it could be harder wrenching this private data away from them. Legislatures need to follow Illinois’ lead and give us some protection from police turning our own homes into spies against us.
The East German Stasi claimed to have spies in every household, but even they did not control a network as comprehensive as the one we are building ourselves.
Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.National Law Review, Volume XII, Number 40