‘Ask all the time: why do I need this?’ How to stop your vacuum from spying on you
Even if you’re not gadget-obsessed, the odds are you’ve got at least one smart device at home. So how do you limit the internet of things from listening in?
This month, Amazon inked a deal to acquire smart vacuum company iRobot – the makers of Roomba – for a tidy US$1.7bn. As some see it, if the purchase goes through, that should worry us.
“It’s all about the data,” says David Vaile from the Australian Privacy Foundation.
Privacy advocates such as Vaile are concerned the robot vacuum cleaner will give Amazon access to floor plans of users’ homes, using mapping features some iRobot products already offer.
Amazon are yet to release details about what existing and future iRobot data will be used for; and the company told Reuters that they safeguard customer privacy and do not sell their data.
But Vaile says of big tech companies: “They’re about collecting data, and the products and services are really just bait to lure and hopefully lock in unsuspecting data subjects.
“Their opportunities for manipulating you and exploiting you, once they’ve spied on you, are more or less open-ended and getting broader all the time.”
At its gentlest, data gathered by smart devices can be used by manufacturers to figure out how to more effectively sell you products. At worst, it can mean staff listening to conversations recorded by your smart speakers or sharing your doorbell camera videos with the police. And as with anything internet-connected, there is also a risk of hackers gaining access to your private information.
But despite the risks, smart home technology is booming. Even if you’re not inclined to purchase an internet-connected fish tank or a toilet that tracks and analyses your stool samples, odds are you’ve got at least one smart device at home. It could be the TV you stream Netflix on, your baby monitor or the air conditioner you control with an app.
So is it possible to have a smart home and not be spied on? Well, sort of.
The big decisions
From a data privacy perspective, the smartest home is a dumb home.
“That’s the real answer: don’t do it,” Vaile says. Failing that, he recommends paring back your system as much as possible.
“Just ask all the time: why do I need this?” he says. “Because every one of the fancy new tricks will come with both a privacy and a data security cost.” The simpler the system, “the better off you’ll be”.
Simplifying means disabling certain features on existing devices and being judicious about what you buy.
Andre Lackmann, an IT professional from Sydney, has many smart devices at home – but not security cameras. This limits his privacy and security risk to a level he is comfortable with.
To do this yourself, he suggests imagining the consequences of a data breach. “If they get some information about when my lights went on and off, or what temperature it is in the living room, that’s not a big deal,” Lackmann says. “But if they can get a video feed of the bedroom, that’s a bit of a problem, right?”
It’s also a matter of determining what data you’re willing to trade in return for greater convenience. For instance, Lackmann has Phillips Hue smart lights – but has disabled the feature that allows him to control them remotely. That function requires an internet connection, and switching the lights off when he’s out feels like a small reward for letting a company into his home.
Lackmann does, however, allow his air conditioner remote access, because for him, being able to set the temperature before he comes home is useful enough to make his data sacrifice worthwhile.
When you’re at the decision-making stage, you might also like to consult the Mozilla “privacy not included” guide before you buy, to get an idea of just how creepy different products are.
You will also need to balance your risk of being hacked with data privacy concerns. If there is a security risk, bigger companies such as Google and Amazon will roll out updates that fix the problem quickly. A security camera fished from the bargain bin may not, Lackmann says.
“[With] smaller, no-name brands, it’s not that the devices are bad, per se. It is generally that they don’t get a lot of after-sale support,” he says. “[Smaller brands] are much less likely to get any security updates.” To that end, it is also important to regularly install the updates for your products once they’re in your home.
For Matt Furnell and Justin Kern from JFK Automation, a company that installs smart home systems, the key to data privacy is avoiding cloud-based services and internet-connected devices as much as possible.
“As soon as you connect the internet, from a data privacy point of view, you are in the hands of the manufacturers,” says Furnell. “So you should give them the least amount possible to work with.”
In many products, the pair say, cloud connectivity is unavoidable, but others will allow for workarounds – for instance, sending security camera footage to a hard drive in your house.
If you are trying to stay off the cloud, you’ll need to skip the assistant function on speakers. Whether you’re asking Alexa, Siri or Google, Kern and Furnell say that every voice command product currently available in Australia connects to the cloud.
For customers who are particularly privacy-conscious, JFK Automation doesn’t connect the system to the internet at all. That means customers sacrifice the ability to control their devices remotely and instead operate everything using an offline app.
Putting your smart home devices on a separate internet network to your computers and phones can help with security, but not data privacy.
This is what Lackmann does. “I have one network that has all of the home automation gear on it and another network that has all of my personal information – our laptops, computer storage, files and stuff like that,” he says. That way if his smart devices are compromised, “they’re segregated from the more important information”.
Already got smart devices at home? You can still minimise what companies collect and what hackers can get.
To understand just how many of your home gadgets rely on the internet, Furnell and Kern recommend switching off your router to see what stops working. From there, you might decide to kick devices off your wifi if you don’t feel they need to be online.
You can also turn off any voice-assistant functionalities and cover up cameras you don’t need – for instance, sticking paper over your baby monitors when they’re not in use.
Be particularly mindful of home assistant products with screens. “People don’t necessarily think that the cameras are doing anything,” Kern says. “But they probably are watching what you’re doing.”
Some devices may allow you to opt out of sharing analytics back to the manufacturers during the set-up process. However, Furnell says, they’ll still be storing your data – which you should be able to log on and delete.
Once every three months or so, Furnell will log into his devices to see what they have collected and what they are doing with the data, then he deletes the stored data.
However, Vaile cautions that playing around with your privacy preferences gives a “misleading feeling of … control”.
“The metadata analysis – the data collection that’s unaffected by preferences – is probably much more important to them, and much more significant to you.”
Ultimately, if you want a smart home, you will have to accept that convenience comes with a privacy trade-off.
“You can’t have your cake and eat it too,” says Kern. “If you want to have all these functions and features … you have to be connected to the internet, and there is a risk of someone having your data.”