Evidence Collection Series: Internet of Things (IoT)
Where to begin?
This guide is a part of a series that details how to collect evidence related to the misuse of technology in domestic violence, sexual assault, and stalking cases. Before proceeding, we recommend that you read A Primer for Using the Legal Systems Toolkit: Understanding & Investigating Tech Misuse, Approaches to Evidence Collection: Survivor Considerations, and Approaches to Evidence Collection: Criminal vs. Civil Systems.
Who should use this resource?
The series is part of a Legal Systems Toolkit that includes guides to assist prosecutors, law enforcement, and civil attorneys.
IMPORTANT TIP/NOTICE FOR ADVOCATES: If you are a non-attorney survivor advocate, we strongly recommend that you do NOT gather or store evidence for survivors. You can assist survivors by giving them information to gather evidence themselves. Your participation in the process of gathering or storing evidence can lead to you being forced to testify in court, which can undermine confidentiality protections and negatively impact both the survivor and the integrity of your program. If you have questions, please contact Safety Net.
IoT: An Introduction
“Internet of Things” (IoT) refers to a wide variety of devices with different purposes, functions, and capabilities. IoT devices may be connected and controlled through the Internet, Bluetooth, or other means, making them practical and efficient tools that can improve quality of life. Survivors can also use IoT devices to increase their safety. However, these devices can also be misused to monitor, harass, threaten, and isolate. More information about the risks and benefits of IoT devices can be found in our Technology Safety & Privacy Toolkit for Survivors.
For domestic violence, sexual assault, and stalking survivors, the intimate role IoT devices play in people’s lives can pose an especially dangerous risk. Investigating IoT abuse can be challenging since devices can be used to remotely harass or threaten victims. As with most technologies, there are many ways that IoT can be misused and the tactics of abusers also evolve with the technology.
IoT: The Technology
IoT devices are commonly found in homes or worn as accessories, and may be misused to track or monitor a victim’s movement. The following chart provides examples of common IoT items that can be misused or may contain useful evidence.
Smart Appliances: Speakers, home assistants (e.g. Amazon Alexa, Google Home), kitchen appliances, TVs, etc.
Smart Home Systems: Doorbells, thermostats, lights, security cameras, baby monitors, etc.
Wearable Items: Health trackers (e.g. FitBit), medical devices (e.g. pacemakers), sleep trackers, eye glasses, watches, panic buttons, mood sensors, clothing, etc.
Ways to Connect and Access IoT Devices
Apps and Websites: Many IoT devices communicate with other devices, like a smartphone, through apps or websites. The apps or websites enable a user to manage device settings and track activity. There are also apps, like Wink Hub, that allow users to connect all their IoT devices on a single app.
Networks: A network connects different IoT devices and allows them to “speak to each other”. This is typically someone’s home Wi-Fi. IoT devices can also connect to each other via Bluetooth. When sharing a network, each individual device is only as secure as the most vulnerable device connected to that network. Any insecure device on the network can potentially serve as entry to all other devices. It is essential to examine whether the network itself has been breached and if there are ways to increase security for all connected devices.
Multiple Device Access: Most IoT devices are designed to connect to multiple mobile devices (e.g. smartphones) at the same time. Intimate partner relationships may share access to IoT devices, which means devices may have multiple mobile devices connected to their network, with or without the knowledge of the survivor.
IoT and the Law
In many situations, existing laws that focus on abusive behavior, such as harassment, spying or surveillance, intercepting communication or eavesdropping, or stalking, may be applied when IoT is misused as a tactic of abuse. This may require creatively using available laws. For example, inappropriate access to a victim’s IoT device or network without permission could result in a computer-related crime or a civil lawsuit for invasion of privacy (or similar laws). A protection order can include provisions that require the abusive person to not interfere with IoT devices or related accounts, and to remove themselves from those accounts. Proactive protective order provisions may help prevent future incidents.
There are no federal regulations specifically for IoT products and few, if any, laws that regulate IoT activity. Some devices, like those used in medical institutions, are regulated because of the laws already covering those industries.
Despite the lack of specific laws, IoT evidence is already showing up in courts. In a domestic violence homicide case, evidence from the victim’s FitBit helped prosecute her husband. The increased use of IoT technology is leading to new information that may prove indispensable in proving cases.
Investigating IoT Devices
When investigating IoT abuse, help survivors identify internet connected devices. Knowing which items are at risk can guide safety planning and evidence collection.
Look for Shared Devices and Networks
If the abusive person shares or has shared a home or any device with the survivor, they could have access to devices or the accounts that control them.
Smart speakers, TVs, or home assistant devices are commonly understood to connect through Wi-Fi. However, survivors don’t always know that other common items (like refrigerators, thermostats, cars, and toys) can also be connected to the Internet or shared networks. It can be helpful to provide a list of common IoT devices, such as the chart provided earlier. They should also consider any devices or systems that talk to them, listen for commands, have apps, or can be accessed remotely.
The router keeps a list of all connected devices, as well as what IP address they have been assigned and other related information. This will show what is connected, both wirelessly and by cable, but it will NOT tell you what is connected to another device via Bluetooth. Another strategy is to unplug the router and see what devices and systems stop working.
An abusive person can also misuse an IoT device by downloading spyware or hacking into the actual device, network, or account linked to the device. Certain apps scan devices to see who is connected to a network or router if the user is near the victim’s network, but they do not always work in locating abusive persons operating from a greater distance. An important step is to identify which devices are connected to the IoT network. Generally, that information is found by locating “settings.” Exact steps may vary; an online search for “how to find out what devices are connected to [name of IoT]” will provide further information in most cases.
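The router check described above can be made repeatable. The following is an added example, not part of the original guide: it compares a router's connected-device list with an inventory drawn up with the survivor. It assumes the router can export its DHCP leases in the dnsmasq lease-file format (which some home routers use); the sample leases and the inventory are constructed.

```python
from datetime import datetime, timezone

# Constructed sample in dnsmasq lease format (not from a real network):
#   <expiry-epoch> <MAC> <IP> <hostname or *> <client-id or *>
SAMPLE_LEASES = """\
1717430400 a4:83:e7:11:22:33 192.168.1.20 survivor-phone 01:a4:83:e7:11:22:33
1717433000 44:65:0d:aa:bb:cc 192.168.1.21 smart-speaker *
1717435000 DC:A6:32:44:55:66 192.168.1.37 * *
garbled line
"""

# Hypothetical inventory built with the survivor: MAC address -> description.
KNOWN_DEVICES = {
    "a4:83:e7:11:22:33": "Survivor's phone",
    "44:65:0d:aa:bb:cc": "Kitchen smart speaker",
}

def parse_leases(text):
    """Return one dict per well-formed lease line; malformed lines are skipped."""
    leases = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].isdigit():
            continue
        expiry = datetime.fromtimestamp(int(parts[0]), tz=timezone.utc)
        leases.append({
            "mac": parts[1].lower(),  # normalise case before comparing
            "ip": parts[2],
            "hostname": None if parts[3] == "*" else parts[3],
            "lease_expires_utc": expiry.isoformat(),
        })
    return leases

def unknown_devices(leases, known):
    """Leases whose MAC address is not in the known-device inventory."""
    known_macs = {mac.lower() for mac in known}
    return [lease for lease in leases if lease["mac"] not in known_macs]

if __name__ == "__main__":
    for dev in unknown_devices(parse_leases(SAMPLE_LEASES), KNOWN_DEVICES):
        print(f"Not in inventory: {dev['mac']} at {dev['ip']} "
              f"(name: {dev['hostname'] or 'none reported'}), "
              f"lease expires {dev['lease_expires_utc']}")
```

An entry missing from the inventory is a lead to follow up, not proof of intrusion: phones that use randomized ("private") Wi-Fi addresses can appear under a MAC address the inventory does not list. Screenshot the router page itself as well, with date and time visible.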
Help the survivor understand how to protect, collect, and preserve digital evidence. Read more about the importance of involving survivors in the process of collecting evidence. Survivors’ participation can lead to information that may strengthen the case, and can give survivors tools for safety and healing regardless of the outcome of the case.
Document Changes or Suspicious Activity on Account
Sometimes a simple password change, being locked out of an account, or an unusual change in a survivor’s app settings can be a sign that an abusive person has accessed or tried to access the device. A more in-depth search of the information or account by a forensic investigator may be required.
Document any changes or suspicious activity using video, photos, or screenshots, if possible. Many IoT devices have online or in-app activity logs, which can be useful in identifying misuse. Some additional options to explore for evidence are:
A notification that a password has been changed without the survivor’s doing/knowledge.
Any change in identifying information (name, address, phone number, etc.).
Changes in functional settings (e.g. temperature selected, doorbell ring option, any automatic feature by the user).
Track Usage and Timing
Changes or suspicious activity in the real-time use of IoT devices should also be documented. Are lights turning on without the survivor initiating it? Are devices making unusual noises? Does the abusive person have knowledge of any incidents involving the survivor or their private information that could have been learned through an IoT device?
Physical observations should be logged and, whenever possible, a safe device should be used to take videos, photos, or recordings as proof. Strange activity can be important to understanding the full scope of misuse. The timing of misuse can be compared to the normal activity of the survivor.
Screenshots or printed copies of logged information from accounts can also be compared to unusual activity captured live by videos, photos, or audio recordings. Whenever possible, screenshots or videos should include date and time. Proof of logged activity combined with physical evidence can strengthen a case.
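The comparison of logged account activity with the survivor's own observations can be done systematically. The following is an added example, not part of the original guide: it matches each dated observation to account log entries within a few minutes of it. The CSV layout, column names, and all sample entries are constructed assumptions; real exports differ by vendor.

```python
import csv
import hashlib
import io
from datetime import datetime, timedelta

# Constructed export of a smart-home account's activity log (times in UTC).
ACTIVITY_CSV = """\
timestamp,device,action,source
2024-06-04T02:13:40+00:00,Porch light,turned on,app - unrecognised phone
2024-06-04T02:45:00+00:00,Thermostat,set to 90F,app - unrecognised phone
2024-06-04T12:00:00+00:00,Thermostat,set to 70F,wall control
"""

# Constructed notes kept by the survivor, in local time (UTC-5 assumed here).
OBSERVATIONS = [
    ("2024-06-03T21:14:00-05:00", "Porch light came on by itself"),
    ("2024-06-03T23:30:00-05:00", "Speaker made a loud noise"),
]

def sha256_of(text):
    """Fingerprint of the export, so a later copy can be shown to be unchanged."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def load_activity(csv_text):
    """Parse the export and attach a timezone-aware datetime to each row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    for row in rows:
        row["when"] = datetime.fromisoformat(row["timestamp"])
    return rows

def correlate(observations, activity, window_minutes=5):
    """Pair each observation with log entries inside the time window."""
    window = timedelta(minutes=window_minutes)
    results = []
    for stamp, note in observations:
        seen = datetime.fromisoformat(stamp)  # aware times compare across zones
        hits = [row for row in activity if abs(row["when"] - seen) <= window]
        results.append({"observed": stamp, "note": note, "matches": hits})
    return results

if __name__ == "__main__":
    print("SHA-256 of export:", sha256_of(ACTIVITY_CSV))
    for item in correlate(OBSERVATIONS, load_activity(ACTIVITY_CSV)):
        logged = [f"{m['device']} {m['action']} ({m['source']})"
                  for m in item["matches"]] or ["no logged entry in window"]
        print(item["observed"], item["note"], "->", "; ".join(logged))
```

Time zones are the usual pitfall: account logs are often in UTC while notes and screenshots are in local time, so every timestamp here carries its offset. An observation with no matching entry still belongs in the record, since the device may log nothing for that event.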
Law Enforcement May Need to Investigate
Law enforcement are often the first to interact with survivors once a crime has been reported, which means they play a significant role in the early stages of collecting evidence. Law enforcement generally have tools to do advanced searches of devices and networks. If the survivor makes an informed decision to involve law enforcement, it may strengthen the ability to search the actual hardware of the devices, as well as their linked accounts and networks. Some examples of evidence that may be more accessible in criminal investigations include (but are not limited to):
1. Records on the abusive person’s device that show it was used to remotely control IoT.
2. IoT company records including the IP addresses of remote logins, which can be compared with the abusive person’s IP addresses.
3. The abusive person’s online activity via Wi-Fi network or ISP, that shows evidence of IoT abuse against the survivor.
Get a Court Order to Collect Records
If information is not available through the account or the survivor does not have access to the information, a court order for the records might be necessary to collect evidence of IoT activity. Gaining access to records for IoT apps, all networks, or the abusive person’s own technologies can help prove misuse and could help strengthen the case.
Differences Between Civil and Criminal Investigation
Evidence collection will differ depending on whether the case is criminal or civil. Approaches to Evidence Collection: Criminal vs. Civil Systems discusses important differences in the two systems and offers tips for professionals in each system.
IoT Safety Tips
If a survivor thinks they are at risk or has already experienced IoT abuse, the following general security tips may be useful.
TIP 1: Create separate networks
Learn more about Wi-Fi network security to ensure IoT devices are set up in ways that increase security.
TIP 2: Use strong passwords
Safely update settings to make sure Wi-Fi networks, accounts, and websites linked to the IoT devices have strong passwords.
TIP 3: Regularly update IoT devices
Software updates include security improvements. Users should regularly check for available updates to ensure devices have increased protection against hacking or spyware. Updating devices does not eliminate all risk, but it can significantly strengthen device and network security. Be cautious of devices that are no longer sold as they are unlikely to get security updates.
TIP 4: Hit mute and block camera
With IoT devices that record audio or images, it is generally a good idea to block the lens of cameras when not in use and to mute sound recording options. If they are accessed by an abusive person, this can prevent that person from being able to see or listen to the survivor. Note that if the mute option is a software switch, then it won’t be protection against a hacker.
TIP 5: Seek support from IoT manufacturers
Survivors may want to inform the companies that build or run their IoT devices about the abuse. The company may be able to provide suggestions and help institute protections. For example, it may be possible to add security or block the abusive person’s devices, preventing them from accessing a device or account. Though not always possible or the best option for preparing evidence for court, survivors should decide what would be the best solution for their own situation.
IMPORTANT: Be sure to help the survivor to make a safety plan, in case removing access escalates an abusive person’s behavior. Refer victims to a local advocate who understands tech safety, or let them know about the resources in our Survivor Toolkit at TechSafety.org.
TIP 6: Carefully Consider Use of IoT Devices
People should carefully consider their own needs and weigh the potential risks and benefits of using IoT devices. Survivors may decide that the practical benefit of using an IoT device outweighs any possible risks. Some survivors may decide to temporarily take a break or entirely give up IoT devices until they feel safe to use them. We do not recommend telling survivors to get rid of IoT or any type of technology, but instead suggest a thoughtful conversation about the pros and cons that can help survivors weigh their needs and risks.
Next Steps in Your Investigation
Despite the challenges of technology evidence, it is possible to successfully prove tech abuse cases through effective investigation and creative advocacy.
For more information, see the resources in our Evidence Collection Series.
If you have further questions about investigating tech abuse cases, please contact Safety Net, and visit TechSafety.org for more information.
Special thank you to Bryan Franke of 2CSolutions for providing expertise and guidance on the creation of this series.