
Are you being spied on by your smart home devices?


More people are filling their homes with smart devices without giving a second thought to who is capturing information about them or who they will share it with next.

This is a guest post by Solana Larsen, Editor of the Mozilla Foundation’s Internet Health Report.  All views expressed are Solana’s own, and not necessarily shared by Which?. 

It’s the holiday season, and we can expect that many of the gifts unwrapped this year will be ‘smart’ things that connect to the internet or can be controlled by an app on a phone.

The best known of these are probably smart speakers like the Amazon Echo or Google Home. But this is just the tip of the iceberg.

Among the products joyfully marketed by retailers will be everything from smart scales to cat litter trays. Meow!

There is a lot that is fun about the idea of the ‘smart home’ and connected gadgets and robots that cater to our whims. But there can be a dark side too.

Watched in your own home?

While the variety of smart devices on offer is rapidly increasing, so is the number of products that pay no heed to even basic security measures.

For instance, some don’t require strong passwords, making it easy for them to be hacked or controlled by strangers. And privacy? Even big companies that do security well are among those who most disregard it.

Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it’s worrying that more are not upfront about the privacy and security of their products.

To address this, we at Mozilla publish a ‘*Privacy Not Included’ buyer’s guide every year to assess whether popular smart devices meet our five Minimum Security Standards. This year, we examine 76 popular products, and encourage you to judge for yourself what you think.

It gets creepy

What we’ve found is that while many of the most popular devices are becoming more secure, there are still a lot with worrying and potentially dangerous flaws.

For example:

  • New types of smart devices, like doorbells, have been criticised for lack of encryption, security vulnerabilities and privacy issues.
  • Fitness trackers designed for kids as young as 4 years old raise questions about what we are teaching our children about how much digital surveillance in their lives is normal.
  • A whole range of pet-focused products entering homes are disturbingly weak on both privacy and security.

Recently Which? released its own investigation into cheap security cameras which showed how this whole category of products has its own similar problems.

What we can do

To explain why privacy and security is such a challenge in the market for connected devices, and offer advice on what can be done, Mozilla’s Internet Health Report has released a special edition as a companion to the buyer’s guide this year.

It’s based on conversations with dozens of experts, most of whom hesitate to recommend products. We also talk to developers of more secure and private alternatives around the world, and get their take on what needs to happen.

Our findings: we could do a lot to correct course.

For example:

  • Start rating products on their privacy and security. Wherever we rate the price and performance of products, let’s start rating them on privacy and security too.
  • Push for better privacy laws and regulations. In Europe, and beyond, we need to urge politicians to pass robust data privacy regulations — and enforce them!

Read the full Internet Health Report article “How smart homes could be wiser”.

Clearly it makes sense to do some research before you buy, whether for yourself, or as a gift.

Just because something on your wishlist this year connects to the internet, doesn’t mean you have to compromise on privacy and security.


How essential is data privacy to you when buying a new device?

Do you own any smart devices like those examined in the guide, or are you considering them as gifts? Have you ever considered the security and privacy settings? Does the way they can gather your information change your feelings about them?

Tell us your story in the comments.



I’ve just been playing with an amazingly cheap 360Eyes Pro camera which my friend bought via Wish for £7 plus £3 shipping.

In my case, I’ve only tried in its local wifi access point mode, which should prevent it from having internet access.

For only £10, it is a really nice toy and has quite good video performance.

For serious home security use – especially with remote access – I think it would be worth spending more, not least to get access to more complete documentation. Or you could build your own unique system and then put as much effort as you want into internet security.

360 Eyes? That’s a step up from the original 5 Eyes, Derek.
The reality is that this is news because of the impending VoIP making the IoT very viable.
This is a massive issue on many tech and business websites: how to talk the general public into going “smart” when it’s patently obvious (and yes, I have a mass of figures on it) how easily those usually useless pieces of kit, which in olden times would sell well in Woolworths on the high street, can be hacked and their data, people’s personal actions in their own homes, harvested.
So it’s a propaganda exercise to gain massive profit, mainly for US companies.
America, which is always ahead of us, now has to cope with criminals gathering info from every household appliance (“smart” gas, electric and water meters) so they know when to break in, and selling the data to every company wanting to sell something.
Cameras on IoT are worse: many, many blackmail cases and “revenge actions” taking place.

The 360 refers to the camera’s available azimuth range, and it can also point up or down by roughly +/- 45 degrees.

We had a bit of bother getting it to recognise an SD card, but with that fitted it defaulted to recording its images, so it then recorded our departure as we left to go shopping.

How do you feel about being recorded, Derek? And I see it’s Chinese made.
In China it’s $10/$12 per item, but you buy at 100 items per order.
Sorry, my “jokes” are a bit subtle. I take it that it’s “wi-fi” enabled?

Duncan, being recorded is a fact of life in modern Britain, as CCTV surveillance is now ubiquitous.

One reason for trying that camera offline was to stop any video getting online.

Also, a funny thing about cameras is that they can only see in one direction at a time. So keeping out of the field of view is a good trick.

And, actually, when I do crop up in the crowd on YouTube or Facebook videos of public events that I’ve attended, I quite like that.

None of my devices talk to each other except my phone to car and my computer to the router via a password. I have no intention of getting any other device that interacts in this way as I don’t need them. This might make me less up to date than others, but I don’t feel left out. It is a life-style choice, and mine works well, unconnected. I can see the dangers of open networks that allow entry to the entire system, and I hope that this is sorted soon for all who need these smart devices. There doesn’t seem to be much the consumer can do if the device is insecure on purchase. I wouldn’t know how to put a password on a smart kettle or fridge.

As usual, another “coincidence” which I don’t believe in.
Talking to Derek about surveillance cameras and guess what? I got an email telling me about Amazon Ring. Direct quote:

Police can keep Ring camera video forever and share with whomever they’d like, Amazon tells senator

Police officers who download videos captured by homeowners’ Ring doorbell cameras can keep them forever and share them with whomever they’d like without providing evidence of a crime, the Amazon-owned firm told a lawmaker this month.
As Americans say, “Nice!” Not.

Duncan – do you get a lot of these emails out-of-the-blue or do they come from services that you’ve subscribed to?

I seldom ever get spam to my protonmail or gmail accounts – I suspect they’ve both got very good spam blockers – but I am getting some spam at one of my clients’ workplaces, in spite of their blockers, which have sometimes blocked legitimate emails from international colleagues.

I’ve never had spam on my proton mail accounts but do get a tiny amount on my own domain.

I too have Proton Mail but hardly use it unless I have to use end-to-end encryption, which the NSA/GCHQ are very unhappy about and have attacked several times.
I just found it “unusual” to get information a day after discussing it on Which? I am not blaming Which?, by the way; it came via the EFF, which I will not be blocking or sending to “delete”.
But it seems I am still upsetting some hackers, as I got a quite good replica of a BT email. I said they were amateurish a while back, so the young guys have improved.
This is a consequence of using BT Mail, which is US run, and because in US eyes I am not paying for it they leave me more open to scam emails. It’s called “Enterprise”: you pay and get good; don’t pay and tough!

As my comment on Ring by Amazon doesn’t seem to have sunk in, and this convo is all about privacy, here is the EFF’s comment on it:
Here are 5 US Senators expressing concern about Ring and contacting Amazon:

I find the arguments about Ring to be largely specious in the UK, given the ubiquitous nature of CCTV through the country. We’re constantly being recorded wherever we are. I really don’t see a problem with Ring per se.

I don’t know why you think your comment on the Ring doorbell system “hasn’t sunk in”, Duncan. I don’t know what you were expecting but since it is only a few hours since you posted it, and there don’t seem to be many people visiting today, I think you should be patient – or accept that people have read it and have nothing more to say on it.

My view is that most people in the UK have made their own private risk assessment on such features and rated them fairly low on the scale of things to worry about. I expect they have concluded that the consequences of possible misuse of smart connectivity developments are far less concerning than the failure of banks and other organisation to protect people’s private data. What on earth are agents going to find by spending vast resources mining the trace records of ordinary people’s door bell history?

I certainly do, Ian, along with a large number of the world’s population. Not a “Sam Lowry” type then (Brazil, the movie), more a Jack Lint? I am more an Archibald Tuttle without the violence.
See:
Even the UN has criticised this country, along with Amnesty.org:

Yet a few weeks ago a GCHQ spokesman said:
People should stop complaining; Google has more information than we do.
Why are we so docile and accepting of any and all restrictions on our liberty? Oh yes, I forgot, “terrorists”. You know it will get worse, don’t you, Ian?

Shouldn’t your critique be answering the literally 100s of posts here on scammers getting away with removing UK citizens’ money, and the reply from HMG/several NGOs/banks/our SS etc: sorry, we have not the money and resources to trace the scammers (unless you are a prominent citizen/MP/£millionaire), as they certainly do store and mine all our data from online use of any sort? That costs, John.

Yes, Duncan, that might be a better point of comparison, but it is difficult to allocate responsibility for successful scams as it is generally a personal thing between the scammer and the individual; the banks etc. only come into play if they have misused personal data or acted negligently. I agree that scammers do mine and store personal data that they have hacked from people’s internet activity, but again, it is difficult to pin responsibility for that on the organisations with whom they deal. It is people’s primary duty to protect their own data through security controls and strong passwords, but many do not do so despite innumerable warnings having been issued. It’s like going to bed and leaving the front door open. My point was that hacking people’s doorbell history was not going to prove terribly fruitful for serious criminals when there are better sources of information more easily obtained.

Getting back to the Ring doorbell system and the concerns over police use of the images in the USA, for historical reasons the way the police operate in America is very different from the way they operate here. In most towns and counties in America a significant proportion of the population could name their local police chief and the sheriff for their area; the police operate far more autonomously than here because of the greater dispersal of the population outside major cities and the extensive areas to be covered. They have established law enforcement partnerships in order to strengthen the intelligence gathering and crime detection response, but there are more opportunities for police officers in America to act independently than here and there are concerns that some of them are not entirely scrupulous over what they do with the material they have obtained. I think there is a higher proportion of law-abiding people in the UK who are quite happy to share any images from their home security systems with the police if they are investigating a crime in the neighbourhood and it does not need a local enforcement partnership to underpin it. There could also be a higher degree of trust of the police in this country due to the differences in operational standards and discipline.

I have criticised Google once too often on Which?. A probable paid bot has just this minute emailed me: “Sign in” (to Google) attempt was blocked, somebody just used your password, check activity in a big click-on-this box.
To the hacker: keep them coming, I enjoy this, it keeps my mind alert.
It’s got a DKIM internal error. In any case I have nothing Google on both my working PCs, and not even my dead body would rise up and become a Google Account holder.

While this is a “home device” when it’s in the home, I think it’s relevant here.
This is very relevant to females: stalker apps are available on the web which are being used by spouses or intimate partners, making it domestic abuse.
Apps seemingly for “watching children” etc. on the Google store have been removed due to their use as stalking instruments, so for those with Android my favourite virus company has an app that changes the “recognition” from non-threatening to malware.
Ladies, use Android? Visit the Google Play Store and download the app.
It alerts you to devious apps you might want to download.

I have, if I remember rightly, 16 IP cameras of various vintages (the most recent acquired 2 months ago and the earliest probably 5 years ago). I have looked at traffic at the lowest level (to see if they “phone home”, or attempt so to do) and set them all up from first principles using a browser, turning off any “back doors” that are turn-offable and re-sniffing the traffic. Whilst this doesn’t make me a world expert, I do have some experience, and advice to offer, in this field.

Nobody says:
1 December 2019

Our data is worth a great deal to business; sadly it will be impossible to do anything without data being collected. Credit cards, loyalty cards, competitions, freebies, mobile phones etc. have been feeding the marketing departments for decades. Every app and smart device is just working its way deeper into our lives. Even Which? is asking whether we see it as essential that we know what data is collected etc., knowing that it would be impossible to ask that our privacy is respected and no data is collected, which I believe is what we should be insisting on.

Which? does collect data, Nobody, but most of it is FIRST PARTY, and it pales into insignificance compared to the majority of websites. If you don’t want your data collected, stay away from online newspapers and don’t use Google anything or the MS Edge browser.
Amazon knows where you are located and all your online buying habits, and a long list I could mention.
Get a VPN, remove ALL cookies at browser close-down, don’t allow automatic login, use Tor, and even then it’s just skimming the surface. Sad to say, it’s much too late now to make changes to the web; you can only make it harder for them to take your data. Your ISP has all your data as well.
I would go through several webpages to list everything you need to do, especially in Windows 10.
There is uproar in America over:
And don’t think the UK isn’t involved: the NHS apologised for sending vast amounts of UK patients’ data to America. They are building an AI system that will take the place of doctors to give advice to the public, thereby saving $millions, and yes, quote, we will of course give access to our “partners”.

The US data transfer involved US patients’ names and addresses. I understand the UK data was anonymous. Simply giving such anonymised information seems to me to be acceptable, particularly if the NHS was paid for it. Progress in healthcare depends upon information being made available to researchers. However, if there was more to this than I have assumed then please put me right. 🙂

I also got emailed by another contact, Malcolm: the NHS in “partnership” with Google ALEXA. Think about it. I have the full (well, I think redacted) Corbyn NHS papers. Now think: NHS/ALEXA, redacted papers.
I told you, Malcolm, the NHS is being privatised, slowly at first so as not to arouse the British public; eventually the first words at the reception desk will be: can you pay?
Forgot to mention, in the USA they are DE-anonymising the data.
Malcolm, using a US VPN I have found a US website where it says UK NHS data is being stored on US cloud servers. Before I say any more on that, ask Roger if he trusts public cloud servers, and do you know all the legal ramifications as related to US “Government Authorities”? You know, the ones having full legal access to FOREIGN countries’ cloud storage using US territory. I do; I have seen the US government documents relating to it, and on the Ring subject I have startling news and means of access on who has full access to US cloud servers: third parties.

I actually have no reason to distrust public cloud servers. However, I can envisage some pretty black scenarios, so don’t want to tempt fate. To that end (exacerbated by an impossibly slow upload speed thanks to being out in the sticks), I choose to have my own “cloud”, in the form of a multi-terabyte RAID5 array, with important data backed up in a third place, in an outbuilding on a separate PC (running W7).

I can get at my RAID array from the web via port 80, but only if I turn the facility on (and I only do that on infrequent occasions for defined periods when I know I am going to want access from afar).

Yes my RAID array – a WD proprietary piece of kit – may well have a back door in it waiting to be sprung by a UDP awakening signal. If anyone is so desperate to read my archive of correspondence or see my myriad of holiday photos – or take my music, good luck to them!

Not that I have anything above “unclassified” any more, if I did have, it would not be connected at all. The best firewall by a country mile is unplugged with no power in an innocuous drawer.

Duncan, the public will not be asked to pay for normal NHS services, whatever your contacts might tell you. That is my view, and I think until we have evidence presented to the contrary we should stop just scaremongering. Just as with “loss of cash”, it seems to me it is all pure speculation that has no sound basis. Things do change, but that should not be extrapolated to the ultimate.

If I am “scaremongering”, Malcolm, then so are many well above me in station and intellect in this country.
It’s natural for the public to be concerned about something that is, in reality, the “lifeblood” of the country. It’s the one thing I hold dear that distinguishes us from America; once the USA gets its hands on it, then it won’t augur well for those not in the top layers of society.

Kevin says:
12 December 2019

Malcolm, NHS (or other) anonymised data is not necessarily anonymous. It’s quite difficult to create a truly anonymous data set where identities can’t be rebuilt; I’ve seen examples where they leave all or a substantial part of the postcode in, for instance. In short, you need to know who is doing the anonymising and whether they know what they are doing, or are they just ticking a box, and if they have a financial incentive in providing the data. The amount of collateral data Google etc. already have on everyone makes this an even greater risk.

The NHS does use cloud services, and sadly some of the people commissioning them have little idea of data privacy, security, or territorial requirements. The kind of ‘professionals’ who think it’s a good idea to direct their mental health (or STD) NHS patients to Facebook for information on the NHS trust. Having said that, Microsoft some years ago introduced a feature allowing customers to specify a geographical restriction for the host servers, I’m guessing with GDPR the other major players will offer this too.

Roger, I hope you have a good monitoring system for your RAID 5: if one disk goes you are at a much higher risk of total loss than if you just had a single disk, until you replace the bad disk or have a hot spare. I prefer disk mirroring, RAID 1 or 10, with a spare, given the cost of disks these days. You can also ‘break’ the mirror and stick that disk in a drawer for an easy ‘point in time’ backup with RAID 1.
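Kevin’s point above about “anonymised” extracts that still carry a full postcode can be checked mechanically. The script below is an added illustration, not code from Which?, Mozilla, the NHS or any commenter: it measures the k-anonymity of a small constructed extract (the smallest number of rows that share one combination of quasi-identifiers such as postcode, age and sex) and then shows how coarsening those fields to the postcode outward code and a ten-year age band raises k. The data rows, field names and the ten-year band width are assumptions chosen for the example.

```python
from collections import Counter

# Constructed sample of an "anonymised" extract: names removed, but the
# full postcode and exact age were left in. All values are made up.
SAMPLE_ROWS = [
    {"postcode": "SW1A 1AA", "age": 34, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 1AA", "age": 71, "sex": "M", "diagnosis": "diabetes"},
    {"postcode": "SW1A 2BB", "age": 35, "sex": "F", "diagnosis": "migraine"},
    {"postcode": "SW1A 2CC", "age": 36, "sex": "F", "diagnosis": "asthma"},
    {"postcode": "SW1A 3DD", "age": 70, "sex": "M", "diagnosis": "asthma"},
    {"postcode": "SW1A 3EE", "age": 74, "sex": "M", "diagnosis": "diabetes"},
]

# Fields that are not names but, combined, can still single a person out.
QUASI_IDENTIFIERS = ("postcode", "age", "sex")


def _groups(rows, quasi_identifiers):
    """Count how many rows share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi_identifiers) for r in rows)


def k_anonymity(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Smallest group size over all quasi-identifier combinations.

    k == 1 means at least one person is uniquely described by those fields
    alone, so anyone who knows their postcode, age and sex can read off the
    diagnosis even though the name was removed.
    """
    groups = _groups(rows, quasi_identifiers)
    return min(groups.values()) if groups else 0


def singletons(rows, quasi_identifiers=QUASI_IDENTIFIERS):
    """Quasi-identifier combinations that pick out exactly one row."""
    groups = _groups(rows, quasi_identifiers)
    return sorted(key for key, n in groups.items() if n == 1)


def outward_code(postcode):
    """Keep only the outward part of a UK postcode ('SW1A 1AA' -> 'SW1A')."""
    return postcode.split()[0]


def age_band(age, width=10):
    """Replace an exact age with a band such as '30-39' (width is an assumption)."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def generalise(rows):
    """Coarsen the quasi-identifiers so that more rows fall into each group."""
    return [
        {**r, "postcode": outward_code(r["postcode"]), "age": age_band(r["age"])}
        for r in rows
    ]


if __name__ == "__main__":
    print("raw extract: k =", k_anonymity(SAMPLE_ROWS),
          "unique people:", len(singletons(SAMPLE_ROWS)))
    print("generalised:  k =", k_anonymity(generalise(SAMPLE_ROWS)))
```

On the constructed rows the raw extract has k = 1 (every row is unique on postcode, age and sex), while the generalised version has k = 3. A real assessment would also consider what other datasets an adversary holds, which is exactly the “collateral data” concern in the comment above.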

Just got emailed on this subject. Any regulars here bought the Jeff Bezos (Amazon) Ring doorbell camera?
If not, good.

Not me, Duncan. I will only have cameras that I can fully configure, where cloud is entirely optional – and where I can satisfy myself with appropriate traffic monitoring that phoning home turn-off really works.

How did you know (cloud), Roger, or should I not ask?
Little do the public know what’s going on behind it.

Read this-

Despite the legal and regulatory safeguards, transfers of health care information come with a heavy dose of suspicion. Most data sharing between healthcare and technology companies involve de-identified data. But certain forms of data, such as information from fitness devices and search engines, are often unregulated and have identities and addresses attached. But there is a competing tension as the data provides researchers and companies a chance to advance medical science.

NHS and Amazon recently entered into a Master Content License Agreement, which provides Amazon with “a non-exclusive, worldwide, perpetual, irrevocable and royalty-free license to use, distribute, reproduce, display, transmit, perform, excerpt, reformat, adapt or otherwise create derivative works” from the NHS Direct website. Amazon also insists that this information will not be used for marketing purposes.
Yes, sure (my words).

Dated 2 days ago.

How did [I] know (Cloud)..

I didn’t, but I assume something would show in traffic within the first few minutes of connecting up, trying to phone home (all of them certainly do until the channels are actively switched off, even if only to provide a DNS lookup). I sent back, I think, 3 over the years to Amazon for a full refund on the basis of faulty (as far as I’m concerned, if you can’t stop them contacting third parties, that’s exactly what they are).

I expect, with a decent modem (which I do not have, only the ISP’s freebie), I could control return traffic with clever filtering. However, that is a whole lot of work, so I just rejected the ones I was unable to gag.
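Roger’s method in the two comments above (sniff a new camera’s traffic, see whether it tries to reach anything off the LAN, and check again after turning the cloud options off) can be reduced to a small script. The one below is an added example and is not code from Which?, from any commenter, or from any router or camera vendor. It parses a constructed connection log in a made-up one-flow-per-line format (timestamp, source, destination:port, protocol), treats anything outside a configured LAN prefix as “phoning home”, counts DNS queries separately as an early hint, and supports an allowlist for endpoints you deliberately permit. The log lines, addresses and the 192.168.1.0/24 LAN prefix are all assumptions.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed flow log (made-up format): <timestamp> <src> -> <dst>:<port> <proto>.
# 192.168.1.42 is a newly connected camera; 192.168.1.43 is a device that
# only talks to the LAN. The off-LAN addresses come from documentation ranges.
SAMPLE_LOG = """\
2019-12-03T10:15:01 192.168.1.42 -> 192.168.1.1:53 udp
2019-12-03T10:15:01 192.168.1.42 -> 203.0.113.10:443 tcp
2019-12-03T10:15:02 192.168.1.42 -> 203.0.113.10:443 tcp
2019-12-03T10:15:03 192.168.1.42 -> 198.51.100.7:123 udp
2019-12-03T10:15:05 192.168.1.43 -> 192.168.1.20:80 tcp
2019-12-03T10:15:06 192.168.1.43 -> 224.0.0.251:5353 udp
2019-12-03T10:16:00 192.168.1.42 -> 192.168.1.1:53 udp
"""

# Assumed home LAN prefix; adjust to your own network.
LAN_NETWORKS = [ipaddress.ip_network("192.168.1.0/24")]

LINE_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (\w+)$")


def parse_log(text):
    """Turn the constructed log format into a list of flow dicts, skipping junk lines."""
    flows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, dst, port, proto = m.groups()
        flows.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
        })
    return flows


def is_local(addr, lan_networks=LAN_NETWORKS):
    """True for traffic that never leaves the home network.

    Multicast (mDNS/SSDP discovery), link-local and loopback stay on the LAN
    too, so they are not counted as phoning home.
    """
    return (any(addr in net for net in lan_networks)
            or addr.is_multicast or addr.is_link_local or addr.is_loopback)


def phone_home_report(flows, allowlist=()):
    """Per source device: off-LAN endpoints contacted (with counts) and DNS query count.

    allowlist holds destination addresses you have chosen to permit, e.g. an
    NTP server, so they do not show up as unexpected external contacts.
    """
    allowed = {ipaddress.ip_address(a) for a in allowlist}
    report = defaultdict(lambda: {"external": {}, "dns_queries": 0})
    for f in flows:
        entry = report[str(f["src"])]
        if f["port"] == 53:
            # A DNS query is the first sign a device intends to reach something by name.
            entry["dns_queries"] += 1
        if not is_local(f["dst"]) and f["dst"] not in allowed:
            key = (str(f["dst"]), f["port"], f["proto"])
            entry["external"][key] = entry["external"].get(key, 0) + 1
    return dict(report)


def devices_phoning_home(report):
    """Source addresses that contacted at least one non-allowlisted off-LAN endpoint."""
    return sorted(src for src, entry in report.items() if entry["external"])


if __name__ == "__main__":
    report = phone_home_report(parse_log(SAMPLE_LOG))
    for src in devices_phoning_home(report):
        print(src, "phoned home:", report[src]["external"],
              "DNS queries:", report[src]["dns_queries"])
```

On the constructed log, 192.168.1.42 is flagged for two TLS connections to 203.0.113.10 and one NTP-port packet to 198.51.100.7, with two DNS queries, while 192.168.1.43 is clean. Run the same capture again after disabling the device’s cloud features: if the external list is still non-empty, the setting did not do what it claimed, which is the test Roger applies before keeping or returning a camera. Flow-level logs do not show which hostname was looked up, so pairing this with the DNS server’s query log gives a fuller picture.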

Duncan, the DFM outlined the Ring Heat Map. Was that the nub of your e-mail?

Hi All,

There is a story going around that users of Avast internet security software are being spied upon by those products.

These stories have been repeated by many sources, even the Daily Mail, see: https://www.dailymail.co.uk/sciencetech/article-7936115/Popular-anti-virus-company-revealed-selling-web-history-porn-searches-location-users.html

Most of the articles seem to cite two primary sources, here: https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks and here: https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation

I have free Avast installed on some of my physical and virtual Windows XP machines, but I don’t go on the internet with those, so I’m not too bothered.