It’s everywhere in the news this week, the consumer group Which? reported that smart devices are asking consumers for personal data, and consumers are giving it up. From there, the manufacturer can use that data shared by their device as stated in the device’s use policies that you read. Right?
This can be data like where you live, your birthdate, TV viewing habits on a smart TV, and more. Smart cameras and doorbells were found to send videos back to the manufacturers, allowing those manufacturers to share those videos with the police. Smart speakers were found to send recordings to the manufacturer. Basically, any data that these devices touch should be considered suspect of being sent back to the manufacturer. From there, the manufacturer may use that data for things as innocuous as fixing issues in the device’s software. Or the manufacturer can use that data to target you with ads to buy more of their devices, or things you saw on TV or mentioned. It’s really up to the manufacturer and their ethics.
Since virtually no one reads these policies, most consumers aren’t aware of this. However, it’s not new news. Smart devices and manufacturers have been doing this since before smart devices even existed. Facebook’s Pixel and Google Ads tracked you everywhere for your data. Is it any wonder that makers of physical devices are getting in on the game now?
How to fix this?
There are a couple of things in the works to address this data issue. I’ll go over them below.
Connectivity Standards Alliance Data Privacy Working Group
The Connectivity Standards Alliance ( CSA ) is the group that brought us the Matter standard, for making communication between all of our smart devices standardized and more secure. The CSA announced earlier this year that they are working on a specification and certification program for manufacturers to disclose what data is being collected, how it is used, and if it complies with best practice for handling user information. For instance, user data should be anonymized so you can’t tell who it came from in the first place and you should only store the bare minimum amount of data that you need – not someone’s birthdate to use a washing machine.
There are a couple of issues with this that I see. First, this new standard would be optional for manufacturers. There would be no obligation to actually comply with the standard. For instance, the Matter standard isn’t something that device makers have to use or include. However, since most of the main smart home controllers use it ( Google Home, Amazon Alexa, Apple HomeKit ) it makes it easier for those vendors to integrate with those controllers, and integration makes their devices more appealing to consumers. For this new privacy standard, there is no direct benefit to the manufacturer. There are requirements and obligations, and a reduction in the amount of data that they can collect. So I am concerned that there won’t be a large adoption of the new privacy standard unless the big names in smart home controllers enforce it’s use.
The next issue that I see is that this new standard only makes it so that companies have to be transparent about the data they collect and have to use and store it responsibly. This won’t stop a TV from sending your viewing history home – it’ll just make it so that you’re more aware that it’s doing it. So this doesn’t actually stop the sharing of personal data from smart devices. Just makes it a bit more transparent and makes your data a bit safer.
Go Local with your Smart Home
A more technically complex but safer approach is to take your smart home purely local. As I said, this is more technically complex. It requires using something like Home Assistant as your smart home controller and making sure all of your devices only communicate locally. This can be as easy as sticking with a local only communication standard like Zigbee or Z-wave. Or it may involve more technically complex things like blocking web traffic out by subnet / IP / destination.
This really is the safer route – taking your data privacy into your own hands and making sure that your devices are not sending data home by not allowing them that functionality. But you do lose things from this. You wouldn’t be able to control your devices remotely without going through your local smart home controller. If your smart home controller isn’t exposed to the internet, then you won’t be able to control them whenever you are away from home. Also, if you restrict yourself to just Zigbee or Z-wave devices, then you miss out on many great Wi-fi based devices. Finally, managing and maintaining the traffic block rules can be complex, technically challenging, and something that needs to be updated regularly. It’s really just a hassle.
So, while devices sending your private data home to their manufacturers for them to use is not actually new news, it is something that should stay in the news. Without people paying attention to it and calling it out as the bad practice that it is, nothing will be done about it and nothing should change.
And it really should change.