https://www.theregister.com/2023/09/07/smart_devices_privacy/

If you like to play along with the illusion of privacy, smart devices
are a dumb idea

You're just giving manufacturers carte blanche to profit off personal
data

Richard Currie
Thu 7 Sep 2023 // 12:11 UTC

Updated Depressingly predictable research from Which?* serves as
another reminder, if one was needed, that furnishing your home with
internet-connected "smart" devices could be a dumb idea if you'd rather
try to preserve your privacy.

*https://www.which.co.uk/

The consumer rights organization's analysis of a number of IoT products
� from speakers and security cameras to TVs and washing machines �
found that they all demand customer data above and beyond what is
needed for the product to perform its function, and then distribute
that information to a horde of faceless corporations.

Consumer campaign group Which? pointed out that this means consumers
are not only in many cases paying thousands for the product itself,
with all its "smart" connected bells and whistles, but continue to pay
in the form of their personal data.

The outfit broke down what information is required to set up an account
with the product manufacturers, what permissions the associated apps
request, and what customer activity companies are tapping into.

Spoiler alert: it's all for ads and marketing.

Disturbingly, every single brand examined required both exact and
approximate location data � as though your fancy washing machine needed
to "know" where it is to clean your clothes.

And while smart speakers are only supposed to listen after being
invoked with a "wake" phrase, their data collection and who they share
that with may surprise. For instance, researchers found that Bose
products are shuffling info off to the Meta social media empire,
meaning owners are giving data to Zuckercorp regardless of whether they
have a Facebook account. And if they do? Well, expect eerily targeted
ads.

A profound difference was also found in the amount of data requested
from smart device owners depending on whether the associated app was
installed on an Android or iOS phone. "For example, Google Nest
products request contacts and location on Android, but neither on
Apple's iOS," Which? said. "The app functions the same on both, so the
additional data collected on Android does not appear to be essential."

The consumer champ confessed it did not understand why such information
was necessary, but pointed to the fact that advertising underpins
Google's entire business model, while Apple is all about selling
overpriced hardware. Food for thought if your phone runs on the Android
operating system, the most widely used version of which is primarily
developed by Google.

Of all IoT devices, smart cameras and doorbells are perhaps among the
most desired because people value the additional security these may
provide for their home. But what they trade for that peace of mind is
having their data funneled to other companies.

Ezviz, a brand of Hikvision, which is owned by the Chinese state, was
singled out as a particularly egregious offender for tracking firms,
including TikTok's business marketing unit, mobile app advertising
platform Pangle, Huawei, Google, and Meta. Hikvision cameras are also
believed to be used by the Chinese government to persecute the
country's Uyghur minority � although the company denies this.

Again, Google was found to be sucking up data from every smart camera
or doorbell Which? looked at, while Blink and Ring devices also beamed
it back to the Amazon mothership. "Google's Nest product demands full
name, email, date of birth and gender," the charity said.

Once more, Euly, Arlo, and Ring were demanding to know Android owners'
background location. Which? observed that this is unnecessary in the
event that a home security system is triggered and means that users
could be tracked even when not using the app. "All permissions are
activated by default. Consumers can opt out, but this requires changing
the settings and could lead to aspects of the device or app no longer
working," it said.

Washing machines are smart now too, apparently, and the things they
want to know about their owners have nothing to do with spin cycles.
For example, LG and Hoover products don't allow use of their apps
without knowing how old you are. LG was the worst for prying, wanting
"name, date of birth, email, phone contact book, precise location and
phone number," while Hoover demanded "users' contacts and phone numbers
on Android devices." For Miele products, precise location tracking is
enabled by default and required to use the app.

Which? also took aim at smart TVs, which, while possessing phone-like
operating systems themselves and not requiring a phone app to use, also
track user behavior to flood their menus with ads. LG, Samsung, and
Sony were put on blast for their "accept all" list of trackers, which
otherwise requires owners to manually decline access one by one.

"Under the General Data Protection Regulations (GDPR), companies must
be transparent about the data they collect and how it is processed. The
data collected must also be relevant and limited to what is necessary
for the processing to take place," Which? concluded.

"However, the reasons for taking information are often too broad for
consumers to appreciate, with companies claiming 'legitimate
interests'. While it all should be listed in a privacy policy, the
reality is that when consumers come to click 'accept', unless they
closely analyse the fine print, they have little to no idea what will
actually happen next with their data."

Rocio Concha, Which? Director of Policy and Advocacy, commented:
"Consumers have already paid for smart products, in some cases
thousands of pounds, so it is excessive that they have to continue to
'pay' with their personal information.

"Firms should not collect more data than they need to provide the
service that's on offer, particularly if they are going to bury this
important information in lengthy terms and conditions."

She added that government data watchdogs "should consider updating
guidelines to better protect consumers from accidentally giving up huge
swathes of their own data without realising."

We've asked the ICO to comment.

With reference to Echo, Blink and Ring devices, a spokesperson at
Amazon claimed: "We design our products to protect our customers'
privacy and security to put our customers in control of their
experience." The company added it "never" sells the personal data of
its users.

In a rather more brief statement, Google said it "fully complies with
applicable privacy laws and provides transparency to our users
regarding the data we collect."

German appliance maker Miele claimed the data it collects is to
"optimise appliance usage and to offer customers additional features
and functionalities." Asking punters to specify their location is to
provide customers with "relevant services", it further asserted.

Samsung too claimed privacy is only ever "top-of-mind" when it is
creating stuff, "our customers are given the option to view, download
or delete any personal data that Samsung has stored across any product
or app that requires a Samsung account."

We have asked Apple, Bose, Hoover, Hikvision, LG, Beko, and Sony to
comment.

Which? provides a number of tips on how to improve your data privacy,
including caring about what you share, checking permissions, denying
access, deleting recordings, and reading privacy policies.

But The Reg says that if you're really concerned about privacy, you'd
do better to not buy these things, throw away your mobile phone, and
move to a shack in the wilderness. �

Updated at 16.31 UTC on September 7 2023 to add:

Stephen Almond, ICO Executive Director � Regulatory Risk told us:
"People should be able to enjoy the benefits of using their connected
devices without having excessive amounts of their personal data
gathered. This simply isn't a price we expect to pay.

"To maintain trust in these products companies must be transparent
about the data they collect and how they use it, and ensure that the
data is not used or shared in ways that people would not expect. The
ICO is developing guidance on data protection and Internet of Things
devices and we will act where we don't see the rules being followed."