You know that you’re in store for something every time a fellow attorney calls out of the blue to have “coffee” and field some technical questions about digital evidence.  It’s happened a little more frequently to me since the end of the pandemic when the Florida court more fully re-opened and aligned their dockets back to trials.  Common to most of these “coffees” lately is the attorney finding some interesting detail in the discovery exchange that a device was present (at the time whatever occurred) and there was some relevant digital information that might tend to prove the merits of their claims or defense.  Most often these are Internet of Things (IoT) devices and platform data.  While the attorney typically thinks this device is “nifty” and “cool” from an evidentiary perspective, bringing that evidence into the ultimate trial is somewhat of a stumper.  Truth be said IoT is somewhat new to the world of evidence.  Even though IoT tech and systems have been around for more than a decade, their adoption into everyday personal life and business has been slow but ever ongoing.  IoT devices and systems are now being used by ordinary folks, retail, logistics business, manufacturing, government and even marketing.  They are deployed everywhere if you look.   This is a good point too pause and expand a bit upon what is and isn’t an IoT device or system.

Internet of Things (IoT) data as relevant evidence

Internet of Things (IoT) devices refers to the digital information and data collected by interconnected devices in an ecosystem that resides between the real world and the digital.  What that means is information, devices and information services that don’ live exclusively on the IP cloud.  They are the practical and operative working tools leveraging the Internet.   IoT devices are everyday use technology embedded with sensors, software, and connectivity features, enabling them to collect and exchange data and provide it to the user. They are not simply mobile phones or smartphone devices. although a mobile app may be used for access to IoT, and that app resides on the mobile device. It’s often asked if A.I. is involved, the answer is sometimes, it depends.  These devices can learn preferences or be programmed to learn and adjust, not Sometimes analytics is used too.  It really depends on the IoT Device’s utility and purpose.

Here are some examples of ioT devices and systems currently deployed.

•  Smart Home Systems:

Smart Thermostats: Devices that learn user preferences and adjust the temperature accordingly.

Smart Lighting: Automated lighting systems that can be controlled remotely.

Smart Security Cameras: Cameras with motion detection and remote monitoring capabilities.

• Wearable Technology:

Smartwatches: Devices that monitor health metrics, track physical activity, and provide notifications.

Fitness Trackers: Devices that monitor and record fitness-related data, such as steps taken and heart rate.

Monitoring Devices: Devices used to monitor and record geolocation of a detained person or for probation by law enforcement

• Industrial IoT:

Smart Manufacturing: Connected sensors and devices in manufacturing plants to optimize processes and monitor equipment health.

Predictive Maintenance Systems: Sensors on machinery that collect data to predict when maintenance is needed.

• Smart Cities:

Traffic Management Systems: IoT-enabled traffic lights and sensors for optimizing traffic flow.

Smart Parking: Sensors that monitor parking spaces and provide real-time information to drivers.

Smart Waste Removal: IoT enables cameras and systems that identify high volumes of waste in an area and route quicker removal

• Healthcare IoT:

Remote Patient Monitoring: Devices that allow healthcare providers to monitor patients’ health remotely.

Smart Pills: Medication with embedded sensors that transmit data when ingested.

• IoT Connected Vehicles:

Car Telematics: Systems in vehicles that collect and transmit data related to vehicle mechanics, performance, location, and driver behavior.

Fleet Tracking:  Geo tracking and telematics of rental cars, ride share, cars, police vehicles,

 Intelligent Transportation Systems: IoT solutions for traffic management and road safety.

Trucking and Shipping Systems: Measures metrics of milage, destinations times, destination routes, driver rest requirements, fuel consumption and cargo loads,

• Retail IoT:

Smart Shelves: Shelves equipped with sensors to monitor product availability and inventory levels.

Beacon Technology: Location-based technology for personalized marketing and in-store navigation.

• Agricultural IoT:

Precision Agriculture: IoT devices in agriculture for monitoring soil conditions, crop health, and irrigation systems.

Livestock Monitoring: Wearable devices for tracking the health and behavior of livestock.

• Environmental Monitoring:

Air Quality Sensors: Devices that measure air pollution levels and provide real-time data.

Water Quality Monitoring: Sensors for monitoring the quality of water sources.

• Energy Management:

Smart Grids: IoT-enabled energy grids for efficient energy distribution.

Home Energy Management Systems: Devices that optimize energy consumption in households.

Types IoT Device data that may be “evidence” of something.

Use of data and information yielded from IoT devices can be exponential in all types of legal matters that can come before the criminal and civil courts.  The data from these devices locates, samples, measures, records, analyzes, and reports feedback of some sort of another that is useful to the user. The user also consents to the use of the technology by virtue of its placement or wear. This kind of information can be a treasure trove of evidence. The electronic evidence from these devices can be diverse and may include:

• Logs and Timestamps: IoT devices generate logs containing information about their activities, interactions, and events; a chronological record of when specific events occurred.
• Device Pings to Network: IoT devices can have preset interactions with its network via the internet or constantly connect or “ping” the network at regular times.
• Sensor Data: Temperature, motion, GPS that capture environmental data.
• Communication Records: Information about data exchanges between IoT devices and external servers or other devices, including communication protocols and network logs.
• Device Metadata: Details about the device itself by way of unique identifier in a location, firmware version, and configuration settings.
• User Interaction Data: Interactions with the IoT device and specific user, such as settings adjustments, commands given, or user authentication logs.
• Location Data: IoT devices with location-aware features can provide information about the physical whereabouts of the device at specific times.

The use of this information, when an IoT device is present, is limited only by the creativity of the lawyer and the relevancy that jurist is seeking to prove or disprove for the court. It can be quite useful even in depositions for Impeachment when witness memories fade, are fuzzy, or the witness psychologically has blocked some or all of the recollection correctly.

Discovery is not Trial – Fitting it into the Federal Rules of Evidence.

ESI is most often wrestled with between respective counsel in the discovery process, should not lose focus on its ultimate use: as evidence is a trial.  Is it admissible? Is it relevant? Can you authenticate it? Is it possible to sell authenticate it? Can it survive hearsay objections? Is it really a business record? These are all considerations the practitioner must face when trying to get any digital evidence before the finders of fact. To keep it clean, let’s discuss the Federal Rules of Evidence first.  (I will address Florida rules of Evidence in a later post on another subject matter, let’s look at it from the federal level first.)  The Rules would be FRE 104, 401, 403, 901, 902, 801, and perhaps 1001 two 1008 (Best Evidence). These rules govern admissibility (typically a judge question), relevance (whether it has sufficient tendency to prove or disprove A consequential fact in the litigation), authenticity (through prima facie showing that it is what it is directly or by extrinsic evidence.), or does it self-authenticate because of sufficient signs tags labels or regular practices that’s a business record. 

One of the major problems that many internees accounted as they find a neat and nifty piece of electronic evidence or information, but it involves a person to give testimony about seeing or reviewing the data and the Hearsay Trap is sprung.  Hearsay is a statement being made to prove the truth of what is asserted That is generally not reliable unless certain exceptions are made under recognized rules hey important in the hearsay exceptions our FRE 803, 804, and 807, which are often advanced when trying to bring in electronic evidence and electronically stored information.

We could take a deep dive into rules of evidence and electronically stored information digital evidence, but that wouldn’t result in a book not a blog. For purposes here I mentioned them only to put them in the mine of attorneys reading this who will face the pragmatic thought process of how to get that Electronically Stored Information (ESI) and digital evidence in.  Probably the most daunting area for digital evidence is not so much relevancy, but authenticity and authentication. The common practitioner questions. “Yeah, the data reads X, so how can I introduce it and what kind of testimony would support this?”

IoT electronic evidence that’s an extra layer of thought to this process. Here, we are dealing with data being collected on a device, through wireless or wired access transiting through the Internet, reaching a platform where data collection, integration, and analysis are being applied (not to mention the use of AI in that process for performance purposes) and then giving a reading on the device as well as within the platform. How do you attack that? Well, it really goes back to the rules of evidence and the skill of the attorney to understand the rules and their bases. Here’s where the conversation gets fun.

Would the IoT data information be authentic and relevant to a jury concluding a fact? FRE 104 considerations

The  fact that you discovered something confirmable through IoT data about the case, will it be useful or confusing to a jury or judge and will they find it authentic enough to find it as a fact of the matter?  This is a strategically important question.  If the IoT data is from a leg monitoring device used to manage a condition of bond that a Defendant be restricted to destined to home confinement, well that IoT evidence is important.  Data form a Remote Patient Monitor Device in a telehealth malpractice case, that’s important.  IoT Fleet Tracking data from an interstate trucking company whose drivers are claiming class action FLSA overtime payment owed, again it seems important if  an authentic record of time as to road time vs rest, yes.  Data from Retail Smart  Shelves devices in a trademark infringement case on units of inventory sold, sure measurable occurrence and damages. The fact  that the lights were turned off at certain hours at a place of business in a contract breach case, yeah not really going to causation and breach. Choices as to the use and authentication of IoT data at trial really goes back to the basics of lawyering and the fundamental question of what I’m proving here.   For the sake of argument, let’s say you have a gem of IoT data going right to what you have to prove, now FRE 104 needs to be address.

Super-simply stated, FRE 104 puts to the court to determine if the foundation of the evidence’s authenticity (and its chain) and relevancy are enough to make it admissible to jury to ultimately find it authentic or not in their findings of fact.  Judges guard this gate because juries are not tasked with applying the rules and exceptions to the law or the FRE, lawyers and judges are.  This is often called “conditional relevancy”  as it’s a question of whether its presented to the jury or not under the Rules of the Court and Evidence.

Traditionally, IoT Data and Device information is brought in as a business record from the IoT provider.   However, such business records tend to be raw data and explanation of the marketed IoT function or end-user’s use.   If the IoT data is being reviewed and brought in by an Expert, there may be some latitude, but FRE 104 foundation does not go away by simply handing it to an expert.  As the saying goes, “garbage in – garbage out” can be argued to the jury by opposing counsel when it comes to ultimate consideration as fact.   A multilayered approach may need to be advanced with FRE 104 considerations of IoT data and evidence.

Now here’s where you may have to think for yourself within the Box of the Federal Rules of Evidence.

There is no magic book where you can turn the pages or look up online how to get IoT evidence in.  Wish there were, but not at least yet.  There are a few rules of thumb that should be considered from the prior experience of our peers, including myself.  These are more rules of thumb, and by no means exhaustive, but our good point of venture to peak your mind and creativity when looking at this form of electronic evidence, or any form more or less. My plan is to blog further on some of the other types of electronic evidence and the same issues looking at Florida and federal law but for now let’s just consider IoT evidence.

Now I’ve talked a little about the types of records that can be generated from IoT. And I’ve briefly discussed some of the relevant issues related to the FRE. So, I figured it’d be a good time to introduce a very basic chart that I’ve used in the past. I suggest you make your own depending upon your case, but the idea is pretty simple because you can visualize it. This can be quite helpful when being first challenged with FRE 104. It also can be helpful for planning out ultimately how you will introduce the evidence at trial. So, take it as such. It’s a practice merely a tip for use in your own work as an attorney and in your own way based on the civil or criminal case or matter at hand.

Here’s how I would breakdown a chart for considering the various types of IoT and authentication under FRE Rule 104:

As you can see from the chart above , the stalwart ways for IoT evidence are generally:

• FRE 902(5): When government publishes the information or report on Smart Cities program or process for its citizens or the General Public.  If the Gov’t publishes something online you can take notice of it for foundational support as to the material published not necessarily whole system and data.  
• FRE 907(7):  When sensor reading data is performed in stable process and when unimpaired is the content of the data. Strong if supported additionally by Rule 30(b)(6) testimony or affidavit.
• FRE 902(11) Regular Business Record of the IoT Service Provide supported by Rule 30(b)(6) witnesses – Strongest foundational support.
• FRE 901(b)(1): Regular Business Record of the IoT Service Provide supported by Rule 30(b)(6) Technical Witness on device, system, or data – Strongest foundational support.
• FRE 901(b)(3): Expert Witness analysis of device when Business Records are not available (sampling of similar systems)- Complicated, because of a lack of direct authentication support, so a weaker foundational support form depending on the expert and the Dauber qualifications.
• FRE 901(b)(4): Catchall on circumstantial evidence because of unique identifiers in the device, encryption, data, origination point or reading of the particular IoT service and device associated with it.  Although available for authentication purposes, in the context of IoT this is the weakest foundational support.

Now every IoT system, and every circumstance, is unique. The above chart is not absolute. However, it is a good point of venture for your legal eagle thought process. It causes you as a trial lawyer to make early consideration of how ultimately, you’ll get through FRE 104, and ultimately get the IoT data in front of a jury who will decide if it’s relevant and authentic as to the facts you seek to prove.  My recommendation is that when you find a piece of IoT evidence that may be a gem to the success of your case, you make your own chart like the above (on paper or spreadsheet) and map out the options based on the circumstances of the case.

Data accuracy and integrity in regularly conducted business of the IoT – Homing in on FRE 902(11)

One last consideration related to business records and regularly conducted business. IoT providers are not in the business of preserving your evidence. They are technology companies with a focused purpose and device. Some are established companies and some are upstarts. Some have comprehensive record retention policies, making testimony under FRE 902(11) seamless; and, some simply addressed those issues on the fly. Overlaid into this are secured personal information requirements. Personal privacy law and regulation may cause the IoT provider to divide or disperse the data and its network and carry separate policies for how it is stored. This can create some layering and what needs to be brought forth in the evidence foundation to demonstrate that the information is accurate.

Likewise asking about any recent data breaches or hacking events to the network of the IoT service is important. Compromises such as these can cast doubt and the integrity of the data and records that are available from the service provider. It is also a perilous opening for cross examination of a 30(b)(6) IoT provider witness. Basically, you laid down a proper foundation under FRE 104 via records and testimony but opposing side attacks its accuracy as junk because its integrity has been compromised.  Inquiry into any recent data breaches or hacks should be one of the preliminary questions to the service providers witness, before any deposition or trial.

Don’t drop the IoT foundation ball and assume foundation of authenticity.

Sometimes we’re dealing with IoT and we don’t even realize it.  Departments of Corrections and Probation have been using  ankle monitoring devices for home detention for years. Those devices are IoT, even though their use preceded the more modern use of the term IoT. The courts are accustomed to dealing with these types of devices when it comes to proceedings and application of the rules of evidence.  Ankle monitoring devices cases are an ample source of examples where the pitfalls where not laying a proper foundation can frustrate your IoT evidence. R.L.G. v. State is a good example of this from the state level in the Florida courts. Although it’s not federal, the appellate decision on the rules of evidence demonstrates the issues and process with IoT evidence.  A little context/backdrop is necessary to see this.

Fist, in Florida, the admission of an electronic business record must have the predicate foundation of a witness who understands the business record to qualifying under Section 90.803(6) to be admitted.  See, Waterfall Vict. Grantor Tr. II v. McDonald, No. 4D19-3536 (Fla. Dist. Ct. App. Aug. 25, 2021)- for more context.  This includes personal knowledge of the parameters and limits of the record keeping system, methods, rendition of the business record, and software automation for the intended purpose of the systems used. Affidavits alone can fall short in this – if challenged.

 R.L.G. v. State, 322 So. 3d 721 (Fla. Dist. Ct. App. 2021) originated during a Probation Violation Hearing of a juvenile who was wearing a GPS ankle monitoring device placed by the Department of Corrections.  The device was procured from a service provider who provided no testimony in the hearing and provided no business records as to the system and its functionality more data results. Such evidence was not presented against the juvenile as to record of violation, instead testimony from a probation officer that he got an e-mail alert from the platform that monitors the device that the juvenile had left his home address. The officer testified that the juvenile violated probation based upon the fact he received and read an e-mail alert from the IoT company.   The State relied on no further information or support the concussion of the juvenile’s violation.  The Miami-Dade Public Defender (obviously) objected and challenged the email and testimony as Hearsay during proceedings.

Not sure if this whole “just read the email” thing was a trial mishap by the State or it was planned. Nonetheless, the State argued the email from the system was an exception to Hearsay Rule under a theory of an out of court statement “by a machine,” and not a Hearsay statement from an out of court person.  Hearsay, the State argued, encompasses only the out-of-court “statements of persons.” (Emphasis added by the State) The State then argued that machines can make out-of-court statements because the statement was “automatically generated without manual input from any person.” Problematic for the State was that no corporate Representative supported that fact of the system’s atomization or operation (either by testimony or affidavit) in the proceedings. The proposition assumed that because it came from a “computer system” its functions were all automatic from a mechanical machine and Hearsay application only applies to persons. (Sounds a lot like the South Park Wookie defense to me.)  Apparently, it also did to the Florida 3RD DCA, who caboshed the whole “out of court statement by a machine” theory and looked to the record with an eye to the Rules of Evidence.  “As the juvenile accurately notes… the factual claim underpinning the State’s argument is “essentially a raw guess by the State because the record contains no information to what extent the information given to the probation officer by the [GPS monitoring service] was automatically generated.”  The court then found the testimony Hearsay and dispatched it accordingly in its Decision.

R.L.G. v. State illustrates that absence of a solid foundation to admit IoT device evidence under traditional evidence rules can be disastrous. You could have the golden arrow of relevant information from IoT data to prove your case, but it may get excluded from the jury because you haven’t prepared and preserved it sufficiently. Watch out for this.

Takeaways from this post.

The point of me penning this post is to provoke the well-abled legal mind of attorneys when looking at available IoT or electronic evidence and asking how you’ll to bring it to a jury.  It’s a tough task and there is no “special sauce” with this. Appeals and case law in this area of evidence are constantly changing because IoT technology is old in existence but new in its everyday innovations. How it’s set to expand as electronic evidence will undoubtably expand. Every day new IoT devices and services are being brought to market by startups or major companies acquiring and remodeling legacy IoT services. This can create layers of complications when trying to bring such evidence in under the Federal Rules of Evidence.  Be mindful of this.

Should you have a case or matter involving IoT digital evidence, it doesn’t hurt to ask a digital jurist first. that’s our practice area. Sometimes it’s just a peer-to-peer chat over a cup of coffee. Sometimes more is required because of the nature of things. But don’t be afraid to ask. Don’t be afraid to research. And most importantly, don’t be afraid to think for yourself and create little tools like the above to help you in the thought process.

I look forward to questions and comments on this topic.