/ Technology

Are you being spied on by your smart home devices?

Smart device internet privacy

More people are filling their homes with smart devices without giving a second thought to who is capturing information about them or who they will share it with next.

This is a guest post by Solana Larsen, Editor of the Mozilla Foundation’s Internet Health Report.  All views expressed are Solana’s own, and not necessarily shared by Which?. 

It’s the holiday season, and we can expect that many of the gifts unwrapped this year will be ‘smart’ things that connect to the internet or can be controlled by an app on a phone.

The best known of these are probably smart speakers like the Amazon Echo or Google Home. But this is just the tip of the iceberg.

Among the products joyfully marketed by retailers, will be everything from smart scales to cat litter trays. Meow!

There is a lot that is fun about the idea of the ‘smart home’ and connected gadgets and robots that cater to our whims. But there can be a dark side too.

Watched in your own home?

While the variety of smart devices on offer is rapidly increasing, so are the number of products that pay no heed to even basic security measures.

For instance, some don’t require strong passwords, making it easy for them to be hacked or controlled by strangers.  And privacy? Even big companies who do security well are among those who most disregard it.

Now that more and more companies collect personal data about you, including audio and video of your family, and sensitive biometric and health information, like your heart rate and sleeping habits, it’s worrying that more are not upfront about the privacy and security of their products.

To address this, we at Mozilla publish a ‘*Privacy Not Included’, buyer’s guide every year to assess whether popular smart devices meet our five Minimum Security Standards. This year, we examine 76 popular products, and encourage you to judge for yourself what you think.

It gets creepy

What we’ve found is that while many of the most popular devices are becoming more secure, there are still a lot with worrying and potentially dangerous flaws.

For example:

  • New types of smart devices like doorbells, which have been criticised for lack of encryption, security vulnerabilities, and privacy issues. 
  • Fitness trackers designed for kids as young as 4 years old, raise questions about what we are teaching our children about how much digital surveillance in their lives is normal.
  • A whole range of pet-focused products entering homes are disturbingly weak on both privacy and security.

Recently Which? released its own investigation into cheap security cameras which showed how this whole category of products has its own similar problems.

What we can do

To explain why privacy and security is such a challenge in the market for connected devices, and offer advice on what can be done, Mozilla’s Internet Health Report has released a special edition as a companion to the buyer’s guide this year.

It’s based on conversations with dozens of experts, most of whom hesitate to recommend products. We also talk to developers of more secure and private alternatives around the world, and get their take on what needs to happen.

Our findings: we could do a lot to correct course.

For example:

  • Start rating products on their privacy and security.  Wherever we rate the price and performance of products, let’s start rating them on privacy and security too.
  • Push for better privacy laws and regulations. In Europe, and beyond, we need to urge politicians to pass robust data privacy regulations — and enforce them!

Read the full Internet Health Report article “How smart homes could be wiser.

Clearly it makes sense to do some research before you buy, whether for yourself, or as a gift.

Just because something on your wishlist this year connects to the internet, doesn’t mean you have to compromise on privacy and security.

This was a guest post by Solana Larsen, Editor of the Mozilla Foundation’s Internet Health Report.  All views expressed are Solana’s own, and not necessarily shared by Which?. 

How essential is data privacy to you when buying a new device?
Loading ... Loading ...

Do you own any smart devices like those examined in the guide, or are you considering them as gifts? Have you ever considered the security and privacy settings? Does the way they can gather your information change your feelings about them?

Tell us your story in the comments.



I’ve just been playing with an amazingly cheap 360Eyes Pro camera which my friend bought via Wish for £7 plus £3 shipping.

In my case, I’ve only tried in its local wifi access point mode, which should prevent it from having internet access.

For only £10, it is a really nice toy and has quite good video performance.

For serious home security use – especially with remote access – I think it would be worth spending more, not least to get access to more complete documentation. Or you could build your own unique system and then put as much effort as you want into internet security.

This comment was removed at the request of the user

The 360 refers to the cameras available azimuth range and it can also point up or down by roughly +/- 45 degrees.

We had a bit of bother getting it to recognise an SD card, but with that fitted it defaulted to recording its images, so it then recorded our departure as we left to go shopping.

This comment was removed at the request of the user

Duncan, being recorded is a fact of life in modern Britain, as CCTV surveillance is now ubiquitous.

One reason for trying that camera offline was to stop any video getting online.

Also, a funny thing about cameras is that they can only see in one direction at a time. So keeping out of the field of view is a good trick.

And, actually, when I do crop up in the crowd on YouTube or Facebook videos of public events that I’ve attended, I quite like that.

None of my devices talk to each other except my phone to car and my computer to the router via a password. I have no intention of getting any other device that interacts in this way as I don’t need them. This might make me less up to date than others, but I don’t feel left out. It is a life-style choice, and mine works well, unconnected. I can see the dangers of open networks that allow entry to the entire system, and I hope that this is sorted soon for all who need these smart devices. There doesn’t seem to be much the consumer can do if the device is insecure on purchase. I wouldn’t know how to put a password on a smart kettle or fridge.

This comment was removed at the request of the user

Duncan – do you get a lot of these emails out-of-the-blue or do they come from services that you’ve subscribed to?

I seldom ever get spam to my protonmail or gmail accounts – I suspect they’ve both got very good spam blockers – but I am getting some spam at one of my clients’ workplaces, in spite of their blockers, which have sometimes blocked legitimate emails from international colleagues.

I’ve never had spam on my proton mail accounts but do get a tiny amount on my own domain.

This comment was removed at the request of the user

This comment was removed at the request of the user

I find the arguments about Ring to be largely specious in the UK, given the ubiquitous nature of CCTV through the country. We’re constantly being recorded wherever we are. I really don’t see a problem with Ring per se.

I don’t know why you think your comment on the Ring doorbell system “hasn’t sunk in”, Duncan. I don’t know what you were expecting but since it is only a few hours since you posted it, and there don’t seem to be many people visiting today, I think you should be patient – or accept that people have read it and have nothing more to say on it.

My view is that most people in the UK have made their own private risk assessment on such features and rated them fairly low on the scale of things to worry about. I expect they have concluded that the consequences of possible misuse of smart connectivity developments are far less concerning than the failure of banks and other organisation to protect people’s private data. What on earth are agents going to find by spending vast resources mining the trace records of ordinary people’s door bell history?

This comment was removed at the request of the user

This comment was removed at the request of the user

Yes, Duncan, that might be a better point off comparison but it is difficult to allocate responsibility for successful scams as it is generally a personal thing between the scammer and the individual; the banks etc only come into play if they have misused personal data or acted negligently. I agree that scammers do mine and store personal data that they have hacked from people’s internet activity – but again, it is difficult to pin responsibility for that on the organisations with whom they deal. It is people’s primary duty to protect their own data through security controls and strong passwords but many do not do so despite innumerable warnings having been issued. It’s like going to bed and leaving the front door open. My point was that hacking people’s doorbell history was not going to prove terribly fruitful for serious criminals when there are better sources off information more easily obtained.

Getting back to the Ring doorbell system and the concerns over police use of the images in the USA, for historical reasons the way the police operate in America is very different from the way they operate here. In most towns and counties in America a significant proportion of the population could name their local police chief and the sheriff for their area; the police operate far more autonomously than here because of the greater dispersal of the population outside major cities and the extensive areas to be covered. They have established law enforcement partnerships in order to strengthen the intelligence gathering and crime detection response, but there are more opportunities for police officers in America to act independently than here and there are concerns that some of them are not entirely scrupulous over what they do with the material they have obtained. I think there is a higher proportion of law-abiding people in the UK who are quite happy to share any images from their home security systems with the police if they are investigating a crime in the neighbourhood and it does not need a local enforcement partnership to underpin it. There could also be a higher degree of trust of the police in this country due to the differences in operational standards and discipline.

This comment was removed at the request of the user

This comment was removed at the request of the user

I have, if I remember rightly, 16 IP cameras of various vintages (the most recent acquired 2 months’ ago and the earliest probably 5 years’ ago). I have looked at traffic at the lowest level (to see if they “phone home” – or attempt so to do) and set them all up from first principles using a browser, turning off any “back doors” that are turn-offable and re-sniffing the traffic . Whilst this doesn’t make me a world expert, I do have some experience – and advice to offer in this field.

Nobody says:
1 December 2019

Our data is worth a great deal to business, sadly it will be impossible to do anything without data being collected. Credit cards, loyalty cards, competitions, freebies, mobile phones etc.have been feeding the marketing departments for decades. Every app and smart device is just working it’s way deeper into our lives. Even Which is asking whether we see it as essential that we know what data is collected etc. knowing that it would be impossible to ask that our privacy is respected and no data is collected – which I believe is what we should be insisting on.

This comment was removed at the request of the user

The US data transfer involved US patients’ names and addresses. I understand the UK data was anonymous. Simply giving such anonymised information seems to me to be acceptable, particularly if the NHS was paid for it. Progress in healthcare depends upon information being made available to researchers. However, if there was more to this than I have assumed then please put me right. 🙂

This comment was removed at the request of the user

I actually have no reason to distrust public cloud servers. However, I can envisage some pretty black scenarios so don’t want to tempt fate. To that end – exacerbated by an impossibly slow upload speed thanks to being out in the sticks, I choose to have my own “cloud” – in the form of a multi-terabyte RAID5 array – and with important data backed up in a third place – in an outbuilding on a separate PC (running W7 ).

I can get at my RAID array from the web via port 80, but only if I turn the facility on (and I only do that on infrequent occasions for defined periods when I know I am going to want access from afar).

Yes my RAID array – a WD proprietary piece of kit – may well have a back door in it waiting to be sprung by a UDP awakening signal. If anyone is so desperate to read my archive of correspondence or see my myriad of holiday photos – or take my music, good luck to them!

Not that I have anything above “unclassified” any more, if I did have, it would not be connected at all. The best firewall by a country mile is unplugged with no power in an innocuous drawer.

Duncan, the public will not be asked to pay for normal NHS services whatever your contacts might tell you. That is my view and I think until we have evidence presented to the contrary we should stop just scaremongering. Just as with “loss if cash” it seems to me it is all pure speculation that has no sound basis. Things do change but that should not be extrapolated to the ultimate.

This comment was removed at the request of the user

Kevin says:
12 December 2019

Malcolm, NHS (or other) anonymised data is not necessarily anonymous, it’s quite dificult to create a truly anonymous data set where identities can’t be rebuilt, I’ve seen examples where they leave all or substantial part of the postcode in for instance. In short, you need to know who is doing the anonymising and whether they know what they are doing, or are they just ticking a box, and if they have a financial incentive in providing the data. The amount of collateral data Google etc already have on everyone makes this an even greater risk.

The NHS does use cloud services, and sadly some of the people commissioning them have little idea of data privacy, security, or territorial requirements. The kind of ‘professionals’ who think it’s a good idea to direct their mental health (or STD) NHS patients to Facebook for information on the NHS trust. Having said that, Microsoft some years ago introduced a feature allowing customers to specify a geographical restriction for the host servers, I’m guessing with GDPR the other major players will offer this too.

Roger, I hope you have a good monitoring system for your RAID 5, if one disk goes you are at a much higher risk of total loss than if you just had a single disk, until you replace the bad disk or have a hot spare. I prefer disk mirroring, RAID 1 or 10, with a spare given the cost of disks these days. You can also ‘break’ the mirror and stick that disk in a draw for an easy ‘point in time’ backup with RAID 1.

This comment was removed at the request of the user

Not me, Duncan. I will only have cameras that I can fully configure, where cloud is entirely optional – and where I can satisfy myself with appropriate traffic monitoring that phoning home turn-off really works.

This comment was removed at the request of the user

This comment was removed at the request of the user

How did [I] know (Cloud)..

I didn’t – but I assume something would show in traffic within the first few minutes of connecting up trying to phone home (all of them certainly do until the channels actively switched off, even if only to provide a DNS lookup). I sent back, I think, 3 over the years to Amazon for full refund on the basis of faulty (as far as I’m concerned, if you can’t stop them contacting third parties, that’s exactly what they are).

I expect, with a decent modem (which I do not have, only the ISP’s freebie), I could control return traffic with clever filtering. However, that is a whole lot of work, so I just rejected the ones I was unable to gag.

Duncan, the DFM outlined the Ring Heat Map. Was that the nub of your e-mail?

Hi All,

There is a story going around that users of Avast internet security software are being spied upon by those products.

These stories have been repeated by many sources, even the Daily Mail, see:-https://www.dailymail.co.uk/sciencetech/article-7936115/Popular-anti-virus-company-revealed-selling-web-history-porn-searches-location-users.html

Most of the articles seem to cite two primary sources, here:-https://www.pcmag.com/news/the-cost-of-avasts-free-antivirus-companies-can-spy-on-your-clicks and here:-https://www.vice.com/en_us/article/qjdkq7/avast-antivirus-sells-user-browsing-data-investigation

I have free Avast installed on some of my physical and virtual Windows XP machines, but I don’t go on the internet with those, so I’m not too bothered.