
Are you being spied on by your smart home devices?


More people are filling their homes with smart devices without giving a second thought to who is capturing information about them or who they will share it with next.

This is a guest post by Solana Larsen, Editor of the Mozilla Foundation’s Internet Health Report.  All views expressed are Solana’s own, and not necessarily shared by Which?. 

It’s the holiday season, and we can expect that many of the gifts unwrapped this year will be ‘smart’ things that connect to the internet or can be controlled by an app on a phone.

The best known of these are probably smart speakers like the Amazon Echo or Google Home. But this is just the tip of the iceberg.

Among the products joyfully marketed by retailers will be everything from smart scales to cat litter trays. Meow!

There is a lot that is fun about the idea of the ‘smart home’ and connected gadgets and robots that cater to our whims. But there can be a dark side too.

Watched in your own home?

While the variety of smart devices on offer is rapidly increasing, so is the number of products that pay no heed to even basic security measures.

For instance, some don’t require strong passwords, making it easy for them to be hacked or controlled by strangers.  And privacy? Even big companies who do security well are among those who most disregard it.

Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it’s worrying that more are not upfront about the privacy and security of their products.

To address this, we at Mozilla publish a ‘*Privacy Not Included’ buyer’s guide every year to assess whether popular smart devices meet our five Minimum Security Standards. This year, we examine 76 popular products, and encourage you to judge for yourself what you think.

It gets creepy

What we’ve found is that while many of the most popular devices are becoming more secure, there are still a lot with worrying and potentially dangerous flaws.

For example:

  • New types of smart devices like doorbells, which have been criticised for lack of encryption, security vulnerabilities, and privacy issues. 
  • Fitness trackers designed for kids as young as 4 years old raise questions about what we are teaching our children about how much digital surveillance in their lives is normal.
  • A whole range of pet-focused products entering homes are disturbingly weak on both privacy and security.

Recently Which? released its own investigation into cheap security cameras which showed how this whole category of products has its own similar problems.

What we can do

To explain why privacy and security is such a challenge in the market for connected devices, and offer advice on what can be done, Mozilla’s Internet Health Report has released a special edition as a companion to the buyer’s guide this year.

It’s based on conversations with dozens of experts, most of whom hesitate to recommend products. We also talk to developers of more secure and private alternatives around the world, and get their take on what needs to happen.

Our findings: we could do a lot to correct course.

For example:

  • Start rating products on their privacy and security.  Wherever we rate the price and performance of products, let’s start rating them on privacy and security too.
  • Push for better privacy laws and regulations. In Europe, and beyond, we need to urge politicians to pass robust data privacy regulations — and enforce them!

Read the full Internet Health Report article “How smart homes could be wiser”.

Clearly it makes sense to do some research before you buy, whether for yourself, or as a gift.

Just because something on your wishlist this year connects to the internet doesn’t mean you have to compromise on privacy and security.



Do you own any smart devices like those examined in the guide, or are you considering them as gifts? Have you ever considered the security and privacy settings? Does the way they can gather your information change your feelings about them?

Tell us your story in the comments.

 

Comments

I’ve just been playing with an amazingly cheap 360Eyes Pro camera which my friend bought via Wish for £7 plus £3 shipping.

In my case, I’ve only tried in its local wifi access point mode, which should prevent it from having internet access.

For only £10, it is a really nice toy and has quite good video performance.

For serious home security use – especially with remote access – I think it would be worth spending more, not least to get access to more complete documentation. Or you could build your own unique system and then put as much effort as you want into internet security.

360 Eyes? That’s a step up from the original 5 Eyes, Derek.
The reality is that this is news because of the impending VoIP making the IoT very viable.
This is a massive issue on many tech and business websites – how to talk the general public into going “Smart” when it’s patently obvious, and yes I have a mass of figures, on how easily those pieces of usually useless pieces of kit, which in olden times would sell well in Woolworths (high street), can be hacked and their data – personal actions in their own homes – can be harvested.
So it’s a propaganda exercise to gain massive profit, mainly for US companies.
America, which is always ahead of us, now has to cope with criminals gathering info from every household appliance – “smart” gas and electric and water meters – so they know when to break in, and selling the data to every company wanting to sell something.
Cameras on IoT are worse: many, many blackmail cases and “revenge actions” taking place.

The 360 refers to the camera’s available azimuth range and it can also point up or down by roughly +/- 45 degrees.

We had a bit of bother getting it to recognise an SD card, but with that fitted it defaulted to recording its images, so it then recorded our departure as we left to go shopping.

How do you feel about being recorded, Derek, and I see it’s Chinese made?
In China it’s $10/$12/item but you buy at 100 items/order.
Sorry, my “jokes” are a bit subtle, and I take it that it’s “wi-fi” enabled?

Duncan, being recorded is a fact of life in modern Britain, as CCTV surveillance is now ubiquitous.

One reason for trying that camera offline was to stop any video getting online.

Also, a funny thing about cameras is that they can only see in one direction at a time. So keeping out of the field of view is a good trick.

And, actually, when I do crop up in the crowd on YouTube or Facebook videos of public events that I’ve attended, I quite like that.

None of my devices talk to each other except my phone to car and my computer to the router via a password. I have no intention of getting any other device that interacts in this way as I don’t need them. This might make me less up to date than others, but I don’t feel left out. It is a life-style choice, and mine works well, unconnected. I can see the dangers of open networks that allow entry to the entire system, and I hope that this is sorted soon for all who need these smart devices. There doesn’t seem to be much the consumer can do if the device is insecure on purchase. I wouldn’t know how to put a password on a smart kettle or fridge.

As usual, another “coincidence”, which I don’t believe in.
Talking to Derek about surveillance cameras and guess what? Got email telling me about Amazon Ring – direct quote:

Police can keep Ring camera video forever and share with whomever they’d like, Amazon tells senator

Police officers who download videos captured by homeowners’ Ring doorbell cameras can keep them forever and share them with whomever they’d like without providing evidence of a crime, the Amazon-owned firm told a lawmaker this month.
As Americans say – “Nice!” – not.

Duncan – do you get a lot of these emails out-of-the-blue or do they come from services that you’ve subscribed to?

I seldom ever get spam to my protonmail or gmail accounts – I suspect they’ve both got very good spam blockers – but I am getting some spam at one of my clients’ workplaces, in spite of their blockers, which have sometimes blocked legitimate emails from international colleagues.

I’ve never had spam on my proton mail accounts but do get a tiny amount on my own domain.

I too have Proton Mail but hardly use it unless I had to use end-to-end encryption, which the NSA/GCHQ are very unhappy about and have attacked it several times.
I just found it “unusual” to get information a day after discussing it on Which – I am not blaming Which by the way, it came via the EFF, which I will not be blocking or sending to “delete”.
But it seems I am still upsetting some hackers as I got a quite good replica of a BT email. I said they were amateurish a while back so the young guys have improved.
This is a consequence of using BT Mail, which is US run, and because in US eyes I am not paying for it they leave me more open to scam emails – it’s called “Enterprise”: you pay and get good – don’t pay and – tough!

As my comment on Ring by Amazon doesn’t seem to have sunk in and this convo is all about privacy, here is EFF’s comment on it:
https://www.eff.org/ring
Here are 5 US Senators expressing concern about Ring and contacting Amazon:
https://www.eff.org/deeplinks/2019/11/five-senators-join-fight-learn-just-how-bad-ring-really

I find the arguments about Ring to be largely specious in the UK, given the ubiquitous nature of CCTV through the country. We’re constantly being recorded wherever we are. I really don’t see a problem with Ring per se.

I don’t know why you think your comment on the Ring doorbell system “hasn’t sunk in”, Duncan. I don’t know what you were expecting but since it is only a few hours since you posted it, and there don’t seem to be many people visiting today, I think you should be patient – or accept that people have read it and have nothing more to say on it.

My view is that most people in the UK have made their own private risk assessment on such features and rated them fairly low on the scale of things to worry about. I expect they have concluded that the consequences of possible misuse of smart connectivity developments are far less concerning than the failure of banks and other organisations to protect people’s private data. What on earth are agents going to find by spending vast resources mining the trace records of ordinary people’s door bell history?

I certainly do, Ian, along with a large number of the world’s population; not a “Sam Lowry” type then (Brazil, the movie), more a Jack Lint? I am more an Archibald Tuttle without the violence.
See –
https://www.theverge.com/2016/11/23/13718768/uk-surveillance-laws-explained-investigatory-powers-bill
Even the UN has criticised this country, along with Amnesty.org:
https://www.amnestyusa.org/unfollowme-5-reasons-we-should-all-be-concerned-about-government-surveillance/

Yet a few weeks ago – GCHQ spokesman:
People should stop complaining Google has more information than we do.
Why are we so docile and accepting of any and all restrictions on our Liberty – oh yes, I forgot, “terrorists”. You know it will get worse, don’t you, Ian?

Shouldn’t your critique be answering the literally 100s of posts here on scammers getting away with removing UK citizens’ money, and the reply from HMG/several NGOs/banks/our SS etc. – sorry, we have not the money and resources to trace the scammers (unless you are a prominent citizen/MP/£millionaire) – as they certainly do store and mine all our data from online use of any sort – that costs, John.

Yes, Duncan, that might be a better point of comparison but it is difficult to allocate responsibility for successful scams as it is generally a personal thing between the scammer and the individual; the banks etc only come into play if they have misused personal data or acted negligently. I agree that scammers do mine and store personal data that they have hacked from people’s internet activity – but again, it is difficult to pin responsibility for that on the organisations with whom they deal. It is people’s primary duty to protect their own data through security controls and strong passwords but many do not do so despite innumerable warnings having been issued. It’s like going to bed and leaving the front door open. My point was that hacking people’s doorbell history was not going to prove terribly fruitful for serious criminals when there are better sources of information more easily obtained.

Getting back to the Ring doorbell system and the concerns over police use of the images in the USA, for historical reasons the way the police operate in America is very different from the way they operate here. In most towns and counties in America a significant proportion of the population could name their local police chief and the sheriff for their area; the police operate far more autonomously than here because of the greater dispersal of the population outside major cities and the extensive areas to be covered. They have established law enforcement partnerships in order to strengthen the intelligence gathering and crime detection response, but there are more opportunities for police officers in America to act independently than here and there are concerns that some of them are not entirely scrupulous over what they do with the material they have obtained. I think there is a higher proportion of law-abiding people in the UK who are quite happy to share any images from their home security systems with the police if they are investigating a crime in the neighbourhood and it does not need a local enforcement partnership to underpin it. There could also be a higher degree of trust of the police in this country due to the differences in operational standards and discipline.

I have criticised Google once too often on Which: a probable paid bot has just this minute emailed me – “Sign in” (to Google) attempt was blocked – somebody just used your password, check activity – in a big “click on this” box.
To the hacker – keep them coming, I enjoy this, it keeps my mind alert.
It’s got a DKIM internal error; in any case I have nothing Google on both my working PCs, and not even my dead body would rise up and become a Google Account holder.

While this is a “home device” when it’s in the home, I think it’s relevant here.
This is very relevant to females – Stalker Apps are available on the web which are being used by spouses or intimate partners, making it domestic abuse.
Apps seemingly for “watching children” etc. on Google store have been removed due to their use as stalking instruments, so for those with Android my favourite virus company has an app that changes the “recognition” from non-threatening to Malware:
https://www.kaspersky.com/about/press-releases/2019_could-someone-be-spying-on-you-through-your-phone
Ladies – use Android? Visit Google Play Store and download the app.
It alerts you to devious apps you might want to download.

I have, if I remember rightly, 16 IP cameras of various vintages (the most recent acquired 2 months ago and the earliest probably 5 years ago). I have looked at traffic at the lowest level (to see if they “phone home” – or attempt so to do) and set them all up from first principles using a browser, turning off any “back doors” that are turn-offable and re-sniffing the traffic. Whilst this doesn’t make me a world expert, I do have some experience – and advice to offer in this field.

Nobody says:
1 December 2019

Our data is worth a great deal to business; sadly it will be impossible to do anything without data being collected. Credit cards, loyalty cards, competitions, freebies, mobile phones etc. have been feeding the marketing departments for decades. Every app and smart device is just working its way deeper into our lives. Even Which is asking whether we see it as essential that we know what data is collected etc., knowing that it would be impossible to ask that our privacy is respected and no data is collected – which I believe is what we should be insisting on.

Which does collect data, Nobody, but most of it is FIRST PARTY, but it pales into insignificance compared to the majority of websites. If you don’t want your data collected, stay away from online newspapers and don’t use Google anything and MS Edge browser.
Amazon knows where you are located and all your online buying habits, and a long list I could mention.
Get a VPN – remove ALL cookies at browser close-down – don’t allow automatic login, use Tor, and even then it’s just skimming the surface. Sad to say, it’s much too late now to make changes to the web; you can only make it harder for them to take your data. Your ISP has all your data as well.
I would go through several webpages to list everything you need to do especially in Windows 10.
There is uproar in America over:
https://www.theguardian.com/technology/2019/nov/12/google-medical-data-project-nightingale-secret-transfer-us-health-information
and don’t think the UK isn’t involved: the NHS apologised for sending vast amounts of UK patients’ data to America. They are building an AI system that will take the place of doctors to give advice to the public, thereby saving $millions, and yes – quote – we will of course give access to our “partners”.