UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

FEDERAL BUREAU OF INVESTIGATION TECHNICAL ANALYSIS BULLETIN

AN

(U//FOUO)Internet of Things Devices Likely*Present-Both
Opportunities and Potential Challenges for Law Enforcement
Investigators

(U) PREPARED BY CYBER DIVISION/
TECHNOLOGY CYBER INTELLIGENCE UNIT
CO-AUTHOR OPERATIONAL TECHNOLOGY
DIVISION/TECHNICAL INTELLIGENCE UNIT

7 NOVEMBER 2019
FBI TAB039 20191107

(U) This documentis classified: Unclassified/Law EnforcementSensitive
(U) Technical Analysis Bulletin template approved for fiscal year 2020, as
of 1 October 2019.
(U) LAW ENFORCEMENT SENSITIVE: The information marked (U//LES) in this document is the property of the Federal Bureauof

Investigation andmay bedistributedwithin the federal government (andits contractors), U.S.intelligence, law enforcement, public safety or
protection officials, andindividuals with a needto know. Distribution beyondtheseentities without FBI authorizationis prohibited.
Precautions shouldbe takento ensure this informationis stored and/ordestroyedin a mannerthat precludes unauthorizedaccess. Information
bearing the LEScaveat may not beusedin legal proceedings withoutfirst receiving authorization fromthe originating agency. Recipients are
prohibitedfromsubsequently posting the information markedLESon a website onanunclassified networkwithoutfirst obtaining FBI
approval.
(U//FOUO) The FBIassessesInternet of Things (IoT)* devices very likelyprovide usefuldigital
evidenceto law enforcement(LE)investigators, as long as the evidenceis preserved and collected
by device manufacturersoris stored locally on the device. The FBIalso assesses subjects likely
use IoT devices to hinder LE investigations and possibly monitor LEactivity. The FBI makes these
assessments with medium confidence,‘ based on observationsof court proceedings, the
demonstrated impact of IoT devices in recent LE investigations, and the FBI’s ownanalysis of loT
devices.
(U//FOUO)The FBIassumesIoT devices are becoming more prevalent in homes worldwide. The
FBIassesses IoT devices will provide new opportunities and challenges for LE over the next two
years, as LE adapts to new technologies, incorporates them into operations, and uses them to aid
investigations. Additional FBI reporting on how IoT device data is used in FBIinvestigations and
the devices’ impact on operations would improve the FBI’s confidence in these assessments.

* (U) An IoTdevice, or “smart” device, is a non-traditional computing device that communicatesto the Internet to send

orreceive data.
» (U) See Appendix A: Expressionsof Likelihood.
“(U) See Appendix B: Confidence in Assessments and Judgments Based on a Body ofInformation.

UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

UNCLASSIFIED//FOR OFFICIAL USE ONLY

(U) Source Summary Statement

(U//FOUO)Reportingin this technical analysis bulletin wasderived primarily from open sources, composed of
established information technology (IT) companies, as well as local and national US news organizations, and FBI
reporting. Collection for this product occurred from July 2017 until 1 October 2019. The reporting was currentas of
1 October 2019. Open sourcereporting wascritical to the assessmentscontained herein because manystate and
local LE organizations provide the most examplesto date of IoT devices andtheir data informing LE
investigations. An increasein FBI and LE reporting regardingthe use of IoT devicesin investigations for evidence
collection and operational successes would affect the confidencelevels herein.

(U//FOUO)IoT Devices Very Likely Assist LE by Acting as Digital Witnesses
for Corroboration and Lead Generation
(U//FOUO)The FBIassesses IoT devices have the potential to provide valuable data regarding
device owners’ movements in real-time and on historic basis, which can be used to, among other
things, confirm or contradict subject alibis or statements. This data may bestored bythe device’s
manufacturers onthe deviceitself or in a cloud environment,as well as with third parties. Such
data, which can assist in the generation of leads and improvecollectionfor investigations, may be
accessible through USlegal process, similar to information produced throughthe use of computers
and mobile devices.

e

(U) Accordingto reporting from a global newsorganization with indirect access, in
September 2018, a man wasarrested for murdering his stepdaughter. The man staged the
deathas a suicide and claimedto have beenat her house for only 15 minutes; however,
police used security camera footage to show the man wasatthe victim’s house when the
victim’s fitness tracker recordedthe user’s heart rate spike and stopped beating. The data
helpedestablish the victim’s likely time of death andrefuted the suspect’salibi.!

e

(U) On 11 January 2018, a technology website with indirect access reported on a German
case, in which information associated with the subject’s smartwatch health application was
used as evidencein a rape and murderinvestigation. The subject reportedly was wearing
the watch during the crime and appeared to have dragged the victim’s body down river
embankmentand climbed back up. The health application associated with the smartwatch
categorized this activity as the user climbingstairs.”

e

(U) According to open source reporting from an IT newsorganization with indirect access,
on 29 July 2017, data from a pacemakerwasusedin an arsoninvestigation. The suspect
claimedto be asleep whenthefire started before he managedto escape with someofhis
belongings; however, the data from his pacemakerrevealed his heart rate and cardiac
rhythmsbefore, during, and after the fire were inconsistent with his version of events. The
suspect wasarrested for arson.*

2
UNCLASSIFIED//LAW ENFORCEMENT

SENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

e

(U) According to open sourcereporting from a local newsorganization with indirect
access, on 23 February 2016,data from a smartphoneand smart water andelectrical meters
wereusedto help justify the arrest of a homicide suspect. The waterandelectrical usage
data showed the home’s waterusage spiked following the victim’s death, whenthe suspect
claimed he wasasleepin bed,indicating the suspect attempted to clean up the crime scene
before notifying authorities of the victim’s death.*

(U//FOUO)Data Generated from IoT Devices Very Likely Provides Key Evidence
Collection in LE Investigations
(U//FOUO)The FBIassesses IoT devicesvery likely can be usedto identify subjects of LE
investigations by providing a newdigitaltrail of evidence leadingto subjects, resulting in more
timely arrests. loT devices are embedded with sensors and cameras;they typically are paired with a
mobile appthat requires users to register contact information and other formsof personally
identifiable information (PII).

e

(U) According to an online newspaperwith indirect access, on 1 October 2019, a Colorado
man released footage from his smart car’s nine on-board motion-detecting cameras of an
unknown womankeyinghis car. The man sharedthe footage with local LE and onsocial
mediato identify the woman anduse the videoof the incident as evidenceof the crime.°

e

(U) According to open source reporting from a newsorganization with indirect access, on
18 July 2019, a police department in Georgia worked with neighborhoodresidentsto assist
in an investigation of identity fraud and mail theft. Oneresident wasable to capture an
imageof the subject’s vehicle and tag numberusing Flock Safety license plate reader
cameras. A different Flock camera was usedto locate the vehicle in real-time and the
information led police to the subject.°

e

(U) According to open source reporting from a local newsorganization with indirect
access, as of 17 September 2018, a South Floridapolice department wasusing automated
license plate readers (ALPRs)’ installed acrossthecity and onpatrolcars to help catch
criminals. The ALPRscould run thousandsoflicenseplates at once, aid in catching unpaid
parkingticket offenders, locate stolen vehicles, or catch wantedfelons.”

e

(U) According to open sourcereporting from an IT newsorganization with indirect access,
on 29 November2017, police worked with an loT companyto deploy mobile highdefinition security camerasto assist in the investigation of a suspected serial shooter. The
cameras werelinked to a wireless, solar-powered gunshot detection system, which allowed
LEto identify the vehicle used during the shootings and makean arrest.®

“ (U) ALPRs are high-speed, computer-controlled camerasystems that are typically mounted onstreet poles,
streetlights, highway overpasses, mobile trailers, or attached to police cars. ALPRs captureall license plate numbersin
view; photos; and location, date, and time data. All data are immediately uploaded to a central server.

3
UNCLASSIFIED//LAW ENFORCEMENT

SENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

(U//FOUO)Subject Use of IoT Devices Likely Pose Challenges to LE Personnel’s Safety,
Investigations, and Evidence Collection
(U//FOUO)The FBIassesses IoT deviceslikely pose new challenges to LE personnel, negatively
affecting LE effectiveness and posesecurity challenges for LE personnel. Most IoT devices
contain sensors and cameras, which generate an alert or can be remotely accessed by the ownerto
identify activity in and around an owner’s property. If used during the execution of a search,
potential subjects could learn of LE’s presencenearby, and LE personnel could have their images
captured,thereby presenting risk to their present and future safety. Additionally, in some
instances IoT device data maybe stored only locally on a device, which can hinder LE access to
key evidenceif subjects or victimsof crimes are unwilling to cooperate with LE.

e

(U) According to open sourcereporting from local newsorganizationwith indirect
access, as of 24 August 2018, homesecurity systemsposed issues for LE, as the owners of
the systems posted images and messages aboutpossible crimeson social media before
contacting the police for a properinvestigation. This allowed individuals to post and accuse
others of crimespublicly before any formal inquiry.°

e

(U//FOUO)On 18 April 2018, the FBI released a report warningof the threat posed to LE
from the use of panoramic camerabulbs bysubjects underinvestigation due to the bulb’s
ability to surreptitiously record when motion is detected. The report addressed concerns
that the bulbs could alert subjects of LE presenceprior to entering a residence, provide the
location of LEofficers in a standoff situation, and surreptitiously record LE-executed

searches, !°

e

(U) According to open sourcereporting in January 2018 from a newsorganization with
indirect access, data from a smartphone’s health-tracking application was only saved
locally on the device and encrypted cloud backups. Becauseofthis, the phone maker could
notprovide the data if served with a warrant. In a recent German murdercase, police were
forced to hire a Munichfirm to break into the subject’s phonebecause the subject refused

to provide investigators with a password.!!
e

(U//LES) According to FBI employees with direct access, on 25 July 2017, FBI personnel
approached a residential hometo serve a search warrant and detected a video doorbell.
Throughthe Wi-Fi doorbell system, the subject of the warrant remotely viewed theactivity
at his residence from anotherlocation and contactedhis neighbor and landlord regarding

the FBI’s presencethere.

(U) Perspective
(U//FOUO)Theuseof IoT deviceshas increased exponentially the size and scope of data held by
technology companies and otherthird parties. This data includes geo-location, personal health, and
behavioral information. While some data mayreside on an IoT device, much ofthe data is
maintainedin the cloud. LE organizations seeking evidentiary information collected through loT

4
UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

devices need to consider where information is stored, whether data can be obtained throughlegal

process, and,if so, whetherthat data is available in an unencrypted format.

(U//FOUO)Overthe past couple of years, technology companies have fought LE search warrants
for IoT device data because they argue such requests can violate the device users’ Fourth
Amendment,and in somecases First Amendment,rights as the lawfully requested data may not be
easily segregated from other IoT datathat reflects expressive activity, which they argue mayfall
outside the request’s scope. Because companiesthat collect IoT data sets rely upon users’trust,
they often claim additional responsibilities to protect user information. A 2018 law review article
from a US university characterized the role of technology companiesas “surveillance
intermediaries” finding themselves situated between LE requests and the public’s personal data. As
a result, the article’s authors argue companiesare uniquely positioned to decide whether LE
requests constitute potential government overreach. They mayelect to challenge these requests
through appropriate legal channelsor, alternatively, have been observedtaking an unusually
extendedtime to process requests. Beyondthese affirmative steps such providers might take to
limit LE acquisition of IloT information,strict data retention policies and providers’ inability to
decrypt encrypted communicationsserve as additionalinhibitors to using this information to
advanceLEinvestigations.
UNCLASSIFIED

(U) IoT Companies Partnering with LE Likely Causing Additional Privacy Concernsfor USCitizens
(U) Beginningin July 2019, several online news websites reported on a partnership between oneofthe largest loT
doorbell camera companies and LE. The companygivesfree products to LE to pass out to the community to enhance
the local LE surveillance network. In return, LE is contractually obligated to promote the product and encouragethe
community members to download an appfor sharing suspiciousincidents. Additionally, if individuals acceptthe free
device, they are required to turn overthe surveillance footage wheneverLE asks. This arrangementallowsLEto obtain
footage without having to issue warrants or subpoenasto the device manufacturer. Additionally, the company provided
LEscripts to engage with the public and request footagedirectly from device owners without going through the courts.!
As of 26 September2019, the company haspartnered with morethan 400police departmentsin the country, according
to anotheronline news outlet."
(U) Onlineprivacy advocatesare concernedwith the widespread adoption of these devices, paired with social
networking applications, which are being used to share suspiciousincidents andcreate a surveillance program without
regulatory oversight. Privacy advocates believethis will resultin racial profiling issues and privacy abuseas these
camerasrecord activities up to 30 feet away and canrecord anyonewithouttheir knowledge or consent. Additionally,
the companyincludes languagein their termsofservice for the community app thatallows the companyfull
permission to the contentto do with asit seesfit without any consent or compensation from the user who generated the
content."

(U)Sources

FY 2020 TAB  1 0CT 2019

(U) Onlinenews article   Techdirt.com   “Amazon’s Free Doorbell Cameras Only Cost Law EnforcementAgencies Their Dignity and Autonomy” 
30July 2019  http:/www.techdirt.com/atticles/20190725/16252942657/amazons-free-doorbell-cameras-only-cost-law-enforcement-agenceis-theirdignity-autonomy.shtml  accessed on 2 October 2019.
*(U) Online newsarticle   Wired.com “The Ringification of SuburbanLife”   26 September 2019  http:www.wired.com/story/ring-surveillancesuburbs   accessed on 2 October 2019.
8 (U)Online newsarticle  Buzzfeed News  “Ring is UsingIts Customers’ Doorbell Camera Videofor Ads.It Says It’s AllowedTo.”  7 June 2019 
http:/www_buzzfeednews.com/article/daveyalba/amazon-ring-doorbell-company-useing-security-footage-for-ads  accessed on 2 October 2019.

5
UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

(U//FOUO)Thisis the first FBI product that addresses how IoT devices affect LE operations and
investigations. Previous FBI products on IoT devices have focused on IoT device vulnerabilities
and how cyberactors have targeted the devices. The 15 August 2017 FBIIntelligence Bulletin,
titled “(U//FOUO)IoT Devices Vulnerable to Compromise and Exploitation by Cyber Actors,”
focused on howcyberactors were exploiting IoT device vulnerabilities, how devices were used in
destructive cyberattacks, and the ease in which cyber actors could identify vulnerable devices. The
26 July 2018 FBIIntelligence Bulletin, titled “(U//FOUO) Cyber Actors Almost Certainly loT
Botnets as Proxies To Anonymize and Facilitate Malicious Cyber Activities,” highlighted how
cyber actors used compromised IoT devicesas intermediaries for Internet requests to route
malicioustraffic.

(U) Outlook
(U//FOUO)The FBIassesses IoT deviceswill provide new opportunities and challenges for LE
during the next two years, as LE continuesto adapt to new technologies, incorporate them into
operations, and use themto aid investigations. Widespread use of IoT devicedata in investigations
by LEhasyet to occur dueto limited knowledge within state, local, and federal LE agencies about
howthe devices work, how datais collected, and wheredatais stored. Multiple efforts, however,
are underwayat LE agencies to gain a better understanding of IoT device functionality, datacollected opportunities, and usefulness to future investigations. The numberofdevicesin use is
expected to rise to 20 to 50billion by 2020, and IoT devices continue to collect more information,
which canhelp LEestablish patternsoflife, identify departures from daily routines, and help
assess the accuracy ofalibis or other key investigative details.
(U//FOUO)Based on backlash from the public on privacyissues associated with data from IoT
devices being used in LE investigations in recent years, loT manufacturers may decide to
implementstronger device encryption and store data for shorter amountsof time. Both efforts
would complicate LE efforts to obtain evidenceand limit the companies’ ability to respond to
lawful LE requests, including court-ordered production of the information. Additionally, device
manufacturersare likely to continueto be reluctant to comply with LE requests for access to
password-protected devicesor applications on First and Fourth Amendmentgrounds,in an attempt
to prevent governmentoverreachandprotect user privacy.

(U)If you wouldliketo provide qualitative feedback onthis product, please send an emailto the appropriate address with the product title as the
subject line: DI_Customer_Feedback@fbi.gov; DI_Customer_Feedback@fbi.sgov.gov; or DI_Customer_Feedback@fbi.ic.gov.
(U)Cyber Division’s Technology Cyber Intelligence Unit (TCIU) and Operational Technology Division’s Technical Intelligence Unit (TIU)of the
FBI prepared this technical analysis bulletin. Comments and queries may be addressedto the TCIU Unit Chief at 1-703-633-5566 or the TIU Unit
Chief at 1-703-985-2901.

6
UNCLASSIFIED//LAW ENFORCEMENT

SENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

(U) Appendix A: Expressions of Likelihood
(U) Phrases such as “the FBI judges”and “the FBI assesses,” and terms such as “likely” and
“probably” convey analytical judgments and assessments. The chart below approximates how
expressionsoflikelihood and probability correlate with percentagesof chance. Only terms of
likelihood should appear in FBI products; the chart includes termsof probability strictly for
comparison, as they sometimesappear in reporting of other government agencies. Furthermore, the
FBIdoesnotarrive at judgmentsthroughstatistical analysis and will not use termsof probability to
convey uncertainty in FBI externalintelligence products.
UNCLASSIFIED

Almost
No
Chance

Very
rs
Unlikely

.
Unlikely

Roughly
Even
Chance

7
Likely

Very
«
Likely

Almost
A
Certain(ly)

Terms of
Probability

Remote

.
Highly
Improbable

Improbable
(Improbably)

Roughly
Even
Odds

Probable
(Probably)

.
Highly
Probable

Nearly
Certain

Percentages

15%

5-20%

Ssh

55-80%

tO Sc hsyZa

Terms of
ao
Likelihood

of Chance

(U) Table showing termsoflikelihood aligned with termsofprobability and percentages of chance.

7
UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

95-99%

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

(U) Appendix B: Confidence in Assessments and Judgments Based on
a Bodyof Information
(U) Confidence levels reflect the quality and quantity of the source information supporting a
judgment. Consequently, the FBIascribes high, medium,or low levels of confidence to
assessments, as follows:

(U) High confidencegenerally indicates the FBI’s judgments are based on high quality
information from multiple sources. High confidencein a judgmentdoesnot imply the assessment
is a fact or a certainty; such judgments might be wrong. While additional reporting and information
sources may change analytical judgments, such changesare mostlikely to be refinements and not
substantial in nature.
(U) Medium confidencegenerally means the information is credibly sourcedand plausible but not
of sufficient quality or corroborated sufficiently to warrant a higher level of confidence. Additional
reporting or information sources havethe potential to increase the FBI’s confidence levels or
substantively change analytical judgments.
(U) Lowconfidence generally means the information’s credibility or plausibility is uncertain, the
information is too fragmented or poorly corroborated to make solid analytic inferences, or the
reliability of the sources is questionable. Absent additional reporting or information sources,
analytical judgments should be considered preliminary in nature.

8
UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

 UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE

(U) Endnotes
' (U) Online news article Fortune   “Fitbit Data Implicates Another Murder Suspect, This Time a 90-Year-Old Man

AccusedofKilling His Stepdaughter”  4 October 2018  http://fortune.com/2018/10/04/fitbit-activity-data-murder-sanjose   accessed on 19 October 2018.
2 (U) Online news article Apple Insider  “Apple’s Heath app provides key evidence in German rape & murdercase”  
11 January 2018   https://appleinsider.com/articles/18/01/11/apples-health-app-provides-key-evidence-in-german-rapemurder-case  accessed on 24 August 2019.
3 (U) Online news article Wired.com   “Your own pacemakercan nowtestify against you in court”   29 July 2017;
https://www. wired.com/story/Your-own-pacemaker-can-now-testify-against-you-in-court/   accessed on 08/24/2019.
4 (U) Online news article 5 News Online  “Bentonville PD Says Man Strangled, Drowned Former Georgia Officer”  

23 February 2016   https://Snewsonline.com/2016/02/23/bentonville-pd-says-manstrangled-drowned-former-georgia-

officer/  accessed on 24 August 2019.
5 (U) Online news article Daily Mail UK   “Woman is caught keying a Tesla in school parking lot causing $2,000
worth of damageby the car’s NINE on-board cameras”   1 October 2019   http://www.dailymail.uk/news/article7525115/Woman-caught-keying-Tesla-vehicles-nine-board-cameras.html   accessed on 1 October 2019.
® (U) Online newspaperarticle   Reporter Newspaper  “Sandy Springs Police charge man with mailtheft, identity
fraud”  18 July 2019  https://www.reporternewspapers.net/20 19/07/18/sandy-springs-police-charge-man-with-mailtheft-identity-fraud/   accessed on 27 September2019.

? (U) Online news article 7 News Miami  “Hi-tech help; Newtechnology is helping police catch crooks”  17
September 2018  https://wsvn.com/news/special-report/h-tech-help-new-technology-is-helping-police-catch-crooks/ 
accessed on 27 December2018.
® (U) Online news article loT World Today   “How IoT security devices helped nab a suspectedserial shooter”  29
November 2017   http://www.iotworldtoday.com/2017/11/29/how-iot-security-devices-helped-nab-a-suspected-serialshooter/  accessed on 24 August 2019.
° (U) Online news article Freep   “How doorbell camsarecreating dilemmasfor police, neighborhoods”  24 August
2018  https://wwww.freep.com/story/news/local/michigan/2018/08/23/doorbell-camera-videos-ringpolice/1000358002  accessed on 24 August 2018.
10 (U//FOUO) FBI   SIR   18 April 2018   18 April 2018   “(U//FOUO) Panoramic Camera Bulb Capabilities Could Pose

Potential Risk to Law Enforcement”   UNCLASSSIFIED//FOR OFFICIAL USE ONLY   UNCLASSIFIED//FOR,

OFFICIAL USE ONLY  Source is an officer of another LE agency.
11 (U) Online news article   Apple Insider  “Apple’s Heath app provides key evidence in German rape & murdercase” 
11 January 2018  https://appleinsider.com/articles/18/01/11/apples-health-app-provides-key-evidence-in-german-rapemurder-case  accessed on 24 August 2019.
12 (U) FBI   SIR  28 July 2017   25 July 2017   “(U) Video Doorbell Devices Pose Risk to Law Enforcementin New

Orleans, Louisiana as of 25 July 2017”   UNCLASSIFIED//LAW ENFORCEMENTSENSITIVE;
UNCLASSIFIED//LAW ENFORCEMENT SENSITIVE  Source is an FBI agent.

9
UNCLASSIFIED//LAW ENFORCEMENT

SENSITIVE