by Charlie Platt - iDiscovery Solutions on August 10, 2017
This article originally appeared in Metropolitan Corporate Counsel.
Your phone records who you call and text, what websites you visit, and when you are active or asleep. Your fitness tracker records your heart rate and pace. Your GPS records your location, direction, and speed. All of this is Internet of Things (IoT) data and has three critical characteristics:
It’s objective, it’s consistent, and it’s pervasive.
Objective refers to the nature of the data. Data isn’t reliant upon a person’s ability to recall, understand, or accurately relate information. Let’s say I send a message to a colleague telling him I’m in London, when I’m actually sitting at home. The content of this message can be true or false and is subject to recollection, understanding, and veracity. However, the metadata, or the context, from my phone’s geolocation services relates the undeniable fact that I was home at the time, no matter what was recalled or said to the contrary.
Consistent refers to the nature of how the devices record and communicate. They are designed to take a sensor reading on a schedule and record and report the result. This process is automated, meaning that the schedule is consistent and results in large amounts of data being captured. Inconsistent data leads to anecdotal reporting, while consistent data over time develops a pattern and is much more compelling.
Pervasive refers to how these devices, and their sensors, are proliferating at an alarming rate. In 2015, there were an estimated 50 billion IoT sensors in the world, but that number is expected to jump to over one trillion by 2020. This pervasiveness means that IoT data is likely going to be used in the future in cases you are working on if it isn’t already. How many people do you know who don’t have some sort of smartphone, fitness tracker, smart thermostat, or other IoT device—or multiple IoT devices?
How does IoT data specifically apply itself within the litigation landscape? The three aspects—objective, consistent and pervasive—all apply and the following cases studies illustrate how they and their data can make a difference.
Case Study #1: Data Rich vs. Data Poor
Our first example is a wage and labor class action and has to do with the pervasive and consistent nature of IoT devices. A group of employees brought a class action suit alleging off-the-clock uncompensated work. In this case, employees claimed that they had to work through lunch and were not being properly compensated for their time.
As in most class action lawsuits, one party was data rich and the other party was data poor. This leads to asymmetrical discovery, where the data rich party shoulders additional risk, burden, and cost related to discovery aspects of the case, while the other party shoulders little due to their apparent lack of relevant data. In this scenario, the data rich party carries the risk of spoliation, as well as the additional cost and burden involved in preservation, review, and production of data.
In this case, with our assistance, counsel successfully argued that the employees’ cell phones contained metadata that was relevant to the litigation. The cellphones contained metadata for emails, calls, and text messages that showed the employees were engaged in non-work related activities while on the clock. Not only did this bring relevant and important data to light, but in successfully arguing this point, the responsibility for discovery became a shared burden between both parties. All parties now had a vested interest in conducting discovery smoothly and working towards a mutually beneficial solution.
Case Study #2: SEC Insider Trading Investigation
Our second example is an SEC investigation into insider trading, and primarily revolves around the pervasive and objective nature of IoT data.
We assisted the SEC with attributing a specific individual with accessing information via a computer terminal. One of the trickiest problems with forensic analysis is attribution, or more simply put, can we identify whose hands were at the keyboard? We can show that a specific terminal was used to access the information (that’s a traditional focus of digital forensics), but can we say who was actually using that terminal?
To make this argument, we brought together multiple disparate data sources, including IoT devices, social media, forensics, and online trading data. Digital forensics evidence was used to first associate a terminal in the suspect’s cubicle with unauthorized access to prerelease corporate earnings information. Since the terminal was in an unsecured cubicle, the suspect could easily argue that anyone who had access to the office building had access to the terminal and plausibly deny his involvement. We needed to put the suspect in the seat with his fingers on the keyboard.
This analysis began by pulling in data from several nontraditional sources. The first step was to analyze the building’s access swipe-card records, which indicated that, for the most part, the suspect entered the building shortly prior to the times that the sensitive information was accessed, but due to the nature of building access, and some of the inherent faults such as piggybacking, this analysis was less than conclusive. In short, there were instances where no building access existed prior to a given data access event. While this was informative, it was not in itself irrefutable.
To add more weight to the argument that the suspect was at the keyboard, we pulled online trading data for the suspect’s accounts. Aligning trade data with the known access events revealed a high correlation between trades and unauthorized access to the earnings data. While this increased the likelihood that the suspect was indeed the individual behind the keyboard, it still wasn’t conclusive.
Finally, digital forensics evidence collected from the terminal determined that, at the same time prerelease earnings data was being accessed, the terminal was also accessing the suspect’s private Facebook account.
All of these separate pieces aligned to make a compelling argument. This is a critical aspect to consider when using IoT data—one singular data point is less likely to be compelling in and of itself, but when multiple different data sources and points are brought together, a rich, factual story can be told that can be extremely difficult to refute.
Conclusion: Just the Facts, Ma’am
Knowing the facts of the story is critical. The IoT is all about consistent, objective, and pervasive metadata, which, when properly analyzed, tells a rich, fact-based story.
IoT devices are multiplying quickly, and if we understand the data available and how we can put it to work for us, we can uncover factual data related to our cases that previously either didn’t exist or was prohibitively expensive to access.
Think of the IoT as the opposite of virtual reality. Virtual reality creates an imaginary world which we can put ourselves into; conversely, the IoT records real world events in a virtual environment, allowing us, with the right skills and tools, to rewind and replay reality. This data, when expertly interpreted, replays human activity with devastating effectiveness. Using these facts, an informed litigator can build a compelling narrative. Get the data; tell the story; win the case.
Charlie Platt is a Sr. Managing Consultant with iDiscovery Solutions. Mr. Platt has over 25 years of experience consulting with corporations and clients on analytics, digital forensics, cybersecurity and incident response, and e-discovery.