Spy agencies might begin hacking into Internet-connected consumer products to collect information about suspects, the Director of National Intelligence James Clapper told the Senate on Tuesday.
This troubled civil liberties advocates who argue that surveillance laws have not kept up with the rapid pace of technological change.
"These new surveillance techniques are operating in legal darkness," Neema Singh Guliani, legislative counsel for the American Civil Liberties Union, told The Huffington Post on Wednesday. She added that it's not clear to people outside the intelligence community which laws intelligence agencies use to justify new surveillance measures or how they're interpreting those laws.
The USA Freedom Act, passed in 2015, prohibits spy agencies from gathering Americans' communication data from phone and Internet companies. But the law does not apply to all types of government surveillance, according to Guliani.
What's more, a growing number of common household items can connect to the Internet, collecting our data and transmitting it. The so-called "Internet of Things" includes gadgets -- from TVs, baby monitors and Barbies, to Google's Nest, an Internet-enabled thermostat and smoke alarm -- that are equipped with sensors for gathering audio, video, location and other data.
"The Freedom Act doesn’t cover the FBI getting information about your toaster," Guliani said. "Technology continues to develop at lightning speed and our laws have not kept pace."
The ACLU has called on Congress to update surveillance and privacy laws to reflect these advancements. Guliani said that new measures should "make clear that law enforcement officials must have a warrant to obtain an individual’s sensitive information -- whether it's location information stored on a cell phone or medical information stored on a personal device."
“The Freedom Act doesn’t cover the FBI getting information about your toaster.”
Further complicating matters, "smart home" devices tend not to be very secure. Seventy percent of Internet-enabled objects do not encrypt the data they transmit across the Internet, according to a 2015 study by Hewlett Packard.
Intelligence agencies can remotely intercept data from these smart home devices and use it to track down targets, according to the intelligence director's Tuesday testimony.
“Intelligence services might use the [Internet of things] for identification, surveillance, monitoring, location tracking and targeting for recruitment, or to gain access to networks or user credentials,” Clapper told the Senate.
His statements echo a report released this month from Harvard's Berkman Center for Internet and Society that describes how spying on Internet-connected devices could allow intelligence officials to get the information they need, as opposed to cracking through encrypted communications sent via a more secure device, like a smartphone.
It's not just the authorities who know this, either. Hackers have hijacked Internet-connected baby monitors to spy on children. There's even a search engine to help you locate unsecured Internet-connected devices.
The government is taking steps to protect consumers' Internet-enabled products from hacking, however. The White House unveiled a new government cybersecurity program on Tuesday that will "test and certify networked devices within the 'Internet of Things,'" to make sure they're insulated from cyberattacks, according to a post on the official White House blog.
But, if the government wants to protect Americans' privacy, Guliani says, it should encourage them to encrypt their data.
"Congress should be doing everything in its power to increase the use of encryption and other security functions to protect people's privacy and communications," she said.