Consumers’ Association publication Which? has revealed the results of an investigation into the extent to which smart-home products are collecting and passing on user data to manufacturers.
The findings confirm what many suspected: that “corporate surveillance”, as Which? calls it, goes well beyond tracking consumers’ search engine inputs and social media interactions.
Which? studied 19 separate smart devices, including a connected toothbrush, a television, and a printer, from manufacturers including Philips and HP.
Delving into data transfers
With help from cybersecurity consultants Context IS, Which? was able to analyse the data being collected and transferred by the various smart home devices during everyday use, as well by their companion applications.
The majority of these apps asked for permission to access user information to varying degrees. At this point, however, Which? found a number of signs that manufacturers were gathering inappropriate levels of data.
For example, Which? discovered a smart watch that asked for permission to reboot its connected smartphone, and a vacuum cleaner that wanted access to the audio recording capabilities of the smartphone.
There were also concerns raised by Which? over the use of location data. “Far too often, specific information is requested about you when the justification seems arguable at best,” said the report.
Which? also criticised “the galaxy of other companies busily working in the background of your smart gadgets”, which included marketing companies behind the scenes. On one occasion, a smart TV was connected to the internet for 15 minutes, during which time it sent data packets to 700 distinct IP addresses.
Alex Neill, Which? managing director of home products and services, said, “Smart home gadgets and devices can bring huge benefits to our daily lives, but our investigation shows they can collect vast amounts of data about us.
“Companies should be clear about how they are collecting and using data and ensure consumers feel in control about what they are sharing – without having to trawl through impenetrable terms and conditions.”
Smart home security flaws
In carrying out the investigation, Which? accidentally uncovered another risk that comes with smart home devices: data security.
While testing the ieGeek 1080p IP smart home camera, Which? discovered a flaw in the camera’s companion application that gave the researchers access to more than 200,000 passwords and device IDs for other ieGeek cameras. The result was the exposure of other users’ live video feeds and even the ability to talk to those users via their cameras’ microphones.
Internet of Business says
These kinds of data practices will have to be reformed in light of the recent GDPR implementation. It’s not clear to what extent users can give informed consent over their devices’ data transfers, when the relevant terms and conditions are buried in the small print.
Companies are now also required to have remedial systems in place in the case of data breaches and inform customers when they occur.
There are now, on average, 10 connected devices in every UK home – a figure that’s expected to rise to 15 over the next two years. It appears as though there’s a lot of work to be done before users can enjoy their smart home devices without feeling uneasy over how their data is being managed.