Bloomberg Law

Law Curbing Police Access to Home Data Tests Privacy Boundaries

Dec. 23, 2021, 10:00 AM

A first-of-its-kind law in Illinois limiting law enforcement access to data from household digital devices sits at the forefront of an emerging legal debate over protecting the privacy of such records.

The state’s law, which takes effect Jan. 1, comes as law enforcement seeks to tap into consumers’ growing collection of internet-connected devices, from smart speakers to security cameras. These devices can capture conversations, movements, and other information that could be used for investigating crimes.

Known as the Protecting Household Privacy Act, the law restricts the sharing of device data by requiring a search warrant or permission from the device’s owner, with some exceptions in emergency scenarios.

The law is meant to set boundaries for when the makers of such devices turn over data to law enforcement, rather than leaving it in the hands of tech companies like Amazon.com Inc. to set their own standards, according to the American Civil Liberties Union of Illinois, which pushed for the law.

Its focus on data-sharing with police highlights a legal tension over expectations that people’s homes are a private space, even as they invite in devices that can document their social connections and record their whereabouts.

“If I plan a crime on a street corner, and someone hears me, I have no expectation of privacy there,” said Peter Hanna, legal adviser for the American Civil Liberties Union of Illinois.

Under what’s known as the third-party doctrine, the U.S. Supreme Court has ruled that people can’t expect privacy in information voluntarily shared with third parties. The doctrine emerged from a 1976 decision in United States v. Miller concerning bank records and a 1979 decision in Smith v. Maryland involving phone calls.

“Now third parties are deeply embedded into almost every aspect of our lives,” Hanna said.

Existing Protections

Despite the potentially sensitive data that home devices can collect, existing legal protections weren’t designed to cover such data, said Ángel Díaz, a lecturer at the University of California, Los Angeles Law School.

The federal Stored Communications Act governs law enforcement’s ability to seek certain types of electronically stored data, including emails, from companies such as Microsoft Corp. and Alphabet Inc.’s Google. The 1986 law spells out circumstances where police would need to obtain a subpoena or search warrant before being able to access communications.

The law, which protects the privacy of data stored by service providers, was “written at a time when there weren’t smart home devices,” Díaz, who studies the intersection of technology and civil rights, said.

The way that connected devices collect and store information, whether locally on the device or in the so-called cloud, may place such data outside the scope of the Stored Communications Act, he said.

The Illinois law’s definition of household devices is intentionally broad so that it can account for future products introduced into people’s homes, according to the ACLU of Illinois. Its text covers connected devices within a home and its “immediately surrounding area” that are capable of electronic communication.

That would include Amazon’s Ring doorbell cameras or other similar home security cameras.

Ring has vowed not to give law enforcement data on its users without a legally valid subpoena or search warrant, depending on what kind of information is being sought. For other Amazon products such as Alexa-enabled smart speakers, the company likewise has pledged not to disclose customer information in response to government demands unless legally required to do so.

“Amazon objects to overbroad or otherwise inappropriate demands as a matter of course,” an Amazon spokesperson said in an email.

Local police and fire agencies across the U.S. can ask Ring users for recordings from devices located near an active investigation, by posting on the company’s Neighbors app.

These posts can request recordings within a limited time and area, and they must include a valid case number and agency contact information, according to Ring’s policies. Ring users can share recordings in response to a post, or they can choose not to see such requests on the app.

Complicated Compliance

The new law in Illinois could “complicate compliance efforts” for companies that are also subject to the Stored Communications Act, according to Chloe Goodwin, an associate at Covington & Burling LLP in Washington, D.C., who represents tech companies on issues including law enforcement access to digital evidence.

“The Illinois requirements don’t map neatly onto the Stored Communications Act framework,” Goodwin said.

She said that’s because the Illinois law covers data from connected devices but not computing ones, like a computer, tablet, or mobile phone. The state law also excludes “digital gateway” devices such as internet modems and routers or cable set-top boxes.

The federal law applies to stored data, regardless of what device it’s associated with, Goodwin said.

It remains to be seen what the Protecting Household Privacy Act’s permission provision means for people who own digital devices or others who may be unknowingly captured in a recording, like a child, roommate, or passerby.

Before people agree to share their household data with police, they should understand what information they’re sharing, said Odia Kagan, a partner at Fox Rothschild LLP in Philadelphia focused on privacy and data security regulations.

Kagan urged device makers to clarify in their privacy policies what information is being collected and when, whether by intentional activation or by an always-on mode.

“Transparency with these devices is an issue,” she said. “Do you know what you’re consenting to?”

To contact the reporter on this story: Andrea Vittorio in Washington at avittorio@bloomberglaw.com

To contact the editors responsible for this story: Kibkabe Araya at karaya@bloombergindustry.com; Renee Schoof at rschoof@bloombergindustry.com