If you like to play along with the illusion of privacy, smart devices are a dumb idea
You're just giving manufacturers carte blanche to profit off personal data
Depressingly predictable research from Which? serves as another reminder, if one was needed, that furnishing your home with internet-connected "smart" devices could be a dumb idea if you'd rather try to preserve your privacy.
The consumer rights organization's analysis of a number of IoT products – from speakers and security cameras to TVs and washing machines – found that they all demand customer data above and beyond what is needed for the product to perform its function, and then distribute that information to a horde of faceless corporations.
Consumer campaign group Which? pointed out that this means consumers are not only in many cases paying thousands for the product itself, with all its "smart" connected bells and whistles, but continue to pay in the form of their personal data.
The outfit broke down what information is required to set up an account with the product manufacturers, what permissions the associated apps request, and what customer activity companies are tapping into.
Spoiler alert: it's all for ads and marketing.
Disturbingly, every single brand examined required both exact and approximate location data – as though your fancy washing machine needed to "know" where it is to clean your clothes.
And while smart speakers are only supposed to listen after being invoked with a "wake" phrase, their data collection and who they share that with may surprise. For instance, researchers found that Bose products are shuffling info off to the Meta social media empire, meaning owners are giving data to Zuckercorp regardless of whether they have a Facebook account. And if they do? Well, expect eerily targeted ads.
A profound difference was also found in the amount of data requested from smart device owners depending on whether the associated app was installed on an Android or iOS phone. "For example, Google Nest products request contacts and location on Android, but neither on Apple's iOS," Which? said. "The app functions the same on both, so the additional data collected on Android does not appear to be essential."
The consumer champ confessed it did not understand why such information was necessary, but pointed to the fact that advertising underpins Google's entire business model, while Apple is all about selling overpriced hardware. Food for thought if your phone runs on the Android operating system, the most widely used version of which is primarily developed by Google.
Of all IoT devices, smart cameras and doorbells are perhaps among the most desired because people value the additional security these may provide for their home. But what they trade for that peace of mind is having their data funneled to other companies.
Ezviz, a brand of Hikvision, which is owned by the Chinese state, was singled out as a particularly egregious offender for tracking firms, including TikTok's business marketing unit, mobile app advertising platform Pangle, Huawei, Google, and Meta. Hikvision cameras are also believed to be used by the Chinese government to persecute the country's Uyghur minority – although the company denies this.
Again, Google was found to be sucking up data from every smart camera or doorbell Which? looked at, while Blink and Ring devices also beamed it back to the Amazon mothership. "Google's Nest product demands full name, email, date of birth and gender," the charity said.
Once more, Eufy, Arlo, and Ring were demanding to know Android owners' background location. Which? observed that this is unnecessary in the event that a home security system is triggered and means that users could be tracked even when not using the app. "All permissions are activated by default. Consumers can opt out, but this requires changing the settings and could lead to aspects of the device or app no longer working," it said.
Washing machines are smart now too, apparently, and the things they want to know about their owners have nothing to do with spin cycles. For example, LG and Hoover products don't allow use of their apps without knowing how old you are. LG was the worst for prying, wanting "name, date of birth, email, phone contact book, precise location and phone number," while Hoover demanded "users' contacts and phone numbers on Android devices." For Miele products, precise location tracking is enabled by default and required to use the app.
Which? also took aim at smart TVs, which, while possessing phone-like operating systems themselves and not requiring a phone app to use, also track user behavior to flood their menus with ads. LG, Samsung, and Sony were put on blast for their "accept all" list of trackers, which otherwise requires owners to manually decline access one by one.
"Under the General Data Protection Regulations (GDPR), companies must be transparent about the data they collect and how it is processed. The data collected must also be relevant and limited to what is necessary for the processing to take place," Which? concluded.
"However, the reasons for taking information are often too broad for consumers to appreciate, with companies claiming 'legitimate interests'. While it all should be listed in a privacy policy, the reality is that when consumers come to click 'accept', unless they closely analyse the fine print, they have little to no idea what will actually happen next with their data."
Rocio Concha, Which? Director of Policy and Advocacy, commented: "Consumers have already paid for smart products, in some cases thousands of pounds, so it is excessive that they have to continue to 'pay' with their personal information.
"Firms should not collect more data than they need to provide the service that's on offer, particularly if they are going to bury this important information in lengthy terms and conditions."
She added that government data watchdogs "should consider updating guidelines to better protect consumers from accidentally giving up huge swathes of their own data without realising."
We've asked the ICO to comment.
With reference to Echo, Blink and Ring devices, a spokesperson at Amazon claimed: "We design our products to protect our customers' privacy and security to put our customers in control of their experience." The company added it "never" sells the personal data of its users.
In a rather more brief statement, Google said it "fully complies with applicable privacy laws and provides transparency to our users regarding the data we collect."
German appliance maker Miele claimed the data it collects is to "optimise appliance usage and to offer customers additional features and functionalities." Asking punters to specify their location is to provide customers with "relevant services", it further asserted.
Samsung too claimed privacy is only ever "top-of-mind" when it is creating stuff: "our customers are given the option to view, download or delete any personal data that Samsung has stored across any product or app that requires a Samsung account."
We have asked Apple, Bose, Hoover, Hikvision, LG, Beko, and Sony to comment.
Which? provides a number of tips on how to improve your data privacy, including caring about what you share, checking permissions, denying access, deleting recordings, and reading privacy policies.
But The Reg says that if you're really concerned about privacy, you'd do better to not buy these things, throw away your mobile phone, and move to a shack in the wilderness. ®
Updated at 16.31 UTC on September 7 2023 to add:
Stephen Almond, ICO Executive Director – Regulatory Risk told us: "People should be able to enjoy the benefits of using their connected devices without having excessive amounts of their personal data gathered. This simply isn't a price we expect to pay.
"To maintain trust in these products companies must be transparent about the data they collect and how they use it, and ensure that the data is not used or shared in ways that people would not expect. The ICO is developing guidance on data protection and Internet of Things devices and we will act where we don't see the rules being followed."