Back to News & Commentary

CIA Documents Highlight Privacy Issues of the 'Internet of Things'

Camera on top of television
Camera on top of television
Jay Stanley,
Senior Policy Analyst,
ACLU Speech, Privacy, and Technology Project
Share This Page
March 9, 2017

Recent reports of a man being charged with murder based on readings from his “smart” water meter, and the efforts of police to get access to his Amazon Echo recordings, have sparked a lot of discussion about the privacy issues raised by internet of things (IoT) devices. The release of thousands of pages of CIA documents by Wikileaks yesterday casts new light on those privacy issues. (Most sources so far seem to be accepting that these documents are genuine — though all the points I make below hold true regardless.)

In a blog post about the issues raised by IoT devices like the Amazon Echo, I observed that it’s “a significant thing to allow a live microphone into your private space,” and that the chilling effects of surveillance give people a need for “ironclad assurance that their devices will not — cannot — betray them.”

In response, a lot of people made the point that, in essence, there’s no particular reason to worry about the microphone in the Amazon Echo when each of us constantly carries a computer with a microphone that can be hacked at least as easily: our cell phones. The CEO of Shotspotter — the company that puts microphones around cities to listen for gunshots — had made the same argument to me about that company’s microphones and their potential repurposing for surveillance. If you’re worried about government spies, he told me, “they’re not going to be using our sensors, they’ll be using your phone. It’s in your pocket and has a better microphone.”

It’s a fair point that there is nothing unique about smart assistants or televisions or refrigerators or any other IoT devices (or microphones on telephone poles). But, we at the ACLU are not going to ignore certain privacy vulnerabilities just because there are other, potentially bigger vulnerabilities out there as well. What the CIA documents confirm is that the government follows that same logic in reverse: just because cell phones are available to hack, does not mean the government is not engaged in figuring out how to hack every other available device. The documents suggest that the CIA not only has the ability to hijack widely used Apple and Android phones, but can invisibly turn on the microphone in smart televisions, and that it has been targeting the computer systems in cars.

There was nothing in the documents that couldn’t have been extrapolated from what we already know about technology and its vulnerabilities. But it’s still scary to see it spelled out — to receive confirmation that the CIA does in fact have tools to do these things. It brings these security threats from the somewhat theoretical speculations of security experts into the realm of the very real.

I’ve seen no mention of smart assistants like the Amazon Echo in the CIA documents, but who is going to risk anything important on the assumption that government agencies have no interest in hacking those, or home security cameras, or any other available IoT device that has a camera, microphone, or other useful sensor?

We can expect that an ever-expanding number of devices may be sold with microphones—basically, any device that people might want to control with their voices. We don’t know how much marketplace success such functionality will have; it may simply not take hold. That could be for a variety of reasons, from privacy concerns to the fact that they just turn out to not feel very necessary to people. We’ve had quite accurate voice recognition for a number of years now, after all, yet people still mostly type on keyboards.

Yet there’s a very good chance that within a few years we may find ourselves absolutely surrounded by devices that have microphones, cameras, or other sensors capable of collecting sensitive private information about us. And that will just not be a tolerable situation if nothing is done to establish some means of assuring people that their devices aren’t being hacked. The IoT field will probably still hobble along, but the cost will be that it won’t be as successful as it otherwise would be — meaning, among other things, that our society won’t achieve efficiencies it otherwise could — and/or people will limp along with a level of uncertainty and vulnerability that diminishes their quality of life. The CIA documents are a reminder that something is going to have to give.

I remember the first time, a number of years ago, that I participated in an in-person meeting with someone who had reason to believe he could be under surveillance by the U.S. national security state. As we filed into a bland conference room in the ACLU’s Manhattan headquarters, the first thing this man did was ask everyone in the room to leave their cell phones outside. This took me aback for a second in those less paranoid days because it seemed so cloak-and-dagger.

The CIA documents are a reminder why that was not crazy — but also that in the future we might have to clear out the television, coffee maker, and a bunch of other objects from the room. Depending on the stakes, we might be left wearing loincloths and sitting in a bare room with no furniture — or meeting in swimming pools like Benicio del Toro in the movie Traffic. Nobody wants to live like that — or more realistically, be constantly haunted by the feeling that they should be.