Law in the Internet Society
Should I purchase the iRobot Roomba?

I never really had to worry about cleaning or finishing household chores until I moved to the US – for all the wrong reasons, the cost of labor (especially in the informal sector) is alarmingly inexpensive in India. Once I moved to the US, I quickly discovered how expensive it is to hire cleaners and how arduous it is to clean the entire house myself, even if it is just twice a month. A friend of mine recommended that I purchase the iRobot Roomba, which needs little to no human intervention – it cleans the entire apartment on a pre-determined schedule, docks itself to a charger when its batteries are low, draws up a map of my apartment, and avoids areas that I mark as no-go zones.

Admittedly, for a second there, I was very tempted to pay an exorbitant $800 as a one-time expense for at least a few years of convenience. But on second thought, I wondered if the cost I paid for my convenience was limited to $800. Despite how innocuous it seems, the data collected by the Roomba can be used to determine my income-level, relationship status and my behavior patterns based on the maps of my apartment drawn by the Roomba alone (see: NYTimes). The implications of the sale or of such data cannot be overemphasized.

IoT: Privacy and Security Concerns

I can say with at least some amount of certainty that the Roomba will make my life easier. However, the Roomba, like most ‘smart’ technology forming part of the Internet of Things (IoT) ecosystem, poses serious security and privacy concerns for its users. There is a demonstrable lack of clarity with respect to how the data collected by IoT devices will be used. The Privacy Policy and Data Security Policy of the iRobot Roomba are vague at their best and distressing at their worst (see especially ‘Robot environment information’ and ‘Disclosure of personal information’ in the Privacy Policy). iRobot relies on the click-wrap consent of its users for disclosing their data to an array of entities, including its group companies, service providers, and law enforcement, leaving a wide window open for misuse.

The data collected by IoT devices is already being utilized in judicial and law enforcement proceedings. In 2014, data regarding the effects of an accident gathered by a Fitbit tracker was used as evidence in a personal injury lawsuit. Similarly, geofence warrants also rely on the use of stored user data and information by companies such as Google in law enforcement proceedings. Considering the growing acceptance of tech-collected evidence in judicial processes, it may be prudent to err on the side of caution while deciding to purchase an IoT device, even one as seemingly harmless as the Roomba.

In addition to these privacy concerns, one of the largest shadows looming over IoT devices currently is the inadequacy of the security measures in place. As per a study conducted by McKinsey, all its respondents’ number one concern with IoT devices was security. Mirai, a malware designed to scan the internet for IP addresses of IoT devices, is a prime example of the gaping loopholes in the existing IoT devices.

Further, given the pace at which the number of IoT devices is growing, there is a glaring deficit in the regulatory measures in place to ensure that personal data is (at least to some extent) secure. The IoT Cybersecurity Improvement Act of 2020 was enacted late last year to prescribe the minimum security standards to be adopted by IoT devices deployed by the federal government. The scope of this, however, is limited. The accountability of private companies with respect to their utilization of personal data collected by IoT devices is still relatively uncertain and self-determined.

Fourth Amendment Concerns?

While the right to privacy of each person can be found in the US Constitution, it is not absolute. In 1976, the US Supreme Court established the third-party doctrine in US v. Miller, which provides that information provided by a person to a third party voluntarily is no longer covered by a legitimate expectation of privacy. This has grave implications with respect to the data collected by any IoT device, including the Roomba. Having said that, the Fourth Amendment jurisprudence surrounding the third-party doctrine has evolved considerably since Miller. More recently, Justice Sotomayor wrote in her concurring opinion in US v. Jones, “More fundamentally, it may be necessary to reconsider the premise that an individual has no reasonable expectation of privacy in information voluntarily disclosed to third parties. This approach is ill suited to the digital age, in which people reveal a great deal of information about themselves to third parties in the course of carrying out mundane tasks.” This speaks directly to the concerns that are raised by the ongoing IoT revolution.

To summarize, will the data stored by my Roomba vis-à-vis my apartment specifications be used in violation of my Fourth Amendment rights? Given the existing Fourth Amendment jurisprudence, probably not. However, short of proper protections being put in place, it very well could be.

Will I buy the Roomba?

The IoT and Fourth Amendment concerns, to me, far outweigh the purported paybacks of the Roomba. While I reanalyze each of my other ‘smart’ devices and the potential privacy concerns with them, no, I will not be purchasing the Roomba. I’ll stick to the manual vacuum cleaner and mop that won’t store information about how big my room is and what furniture I am yet to buy. I probably need the workout anyway.



r1 - 08 Dec 2021 - 19:42:52 - AmishiMagdani
All material on this collaboration platform is the property of the contributing authors.
All material marked as authored by Eben Moglen is available under the license terms CC-BY-SA version 4.