Is Your IoT Leaking Data?

Voice control, using apps such as Siri, Alexa, Google, and others as well as hardware devices to control home automation, is all the rage. And, admittedly, having the garage door open as your car approaches, or lights turn on in your home while you are away, are definitely great modern conveniences made possible by these devices. But all of these conveniences may come with a hefty price tag. And I’m not talking about the purchase price.

Many of these virtual assistants and automation devices are designed to literally hang on your every word. They listen for a particular keyword or phrase and the command that follows to trigger an action handler for a predetermined event, such as turning on the lights or playing music. This begs the question, ‘What are the companies behind these devices doing with all of that captured audio data?’

Stories like this one from Time in 2019 seem to indicate that companies are doing anything they want with your audio data. Thankfully, shortly after this story broke through multiple news outlets, Amazon stepped up privacy efforts and made new features available to allow users to opt out of allowing their recordings to be used, or even stored. Articles such as the Android Lockbox lawsuit seem to be appearing more frequently in the news. And, although Google won that particular case, others abound such as this one from Kiplinger’s where Google agreed to $600M in a series of related privacy settlements. Or this one where Amazon recently settled a suit brought forth by the FTC, for a $25M child privacy settlement pertaining to Alexa devices. Given these allegations, is it safe to assume these companies have modified their monitoring behaviors? Who’s watching these watchers? And do they truly have your best interests at heart?

The truth is, these companies are in business to make money.  This article claims as much as 80% of Google’s revenue comes from the ads it sells while Meta’s percentage is closer to 90%. Our personal data is worth lots of money to these companies, because, they believe, it will help them produce more and better ads.  Despite appearances of altruistic intent or pledges to change their ways, it’s unlikely companies driven by monetizing personal data for advertising revenues are going to stop collecting and monetizing that data anytime soon.  Rather, there are steps users can take to protect themselves, or at least make the intrusions more manageable.

If you absolutely can’t live without the home automation or voice-controlled features of your smart phone, the privacy watchdogs over at the Electronic Frontier Foundation (EFF) have some great suggestions for improving your privacy. These include using a home automation hub device instead of individual apps for those smart Internet of Things (IoT) devices such as smart plugs and thermostats. This often avoids the need to manage privacy settings across a multitude of individual vendor apps. Another great suggestion, where possible, is to disable Internet connectivity for many IoT devices. Unless cloud connectivity is required, many of the devices will work perfectly fine on an isolated network without Internet reach back, effectively nullifying their ability to capture and retransmit your personal data.

Black Kilt researchers further recommend enabling smart phone privacy settings, including advanced configurations such as rotating MAC addresses, and enabling Do Not Track settings or disabling custom advertising IDs where available. We also highly recommend considering the Pi-Hole project for your home. In addition to blocking a significant percentage of advertising traffic, it has the added benefit of improving your home Internet speeds by removing all of the ad-related traffic from your network. It’s surprising just how much traffic is devoted to serving up ads.
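To see which devices on the home network generate that traffic, the sketch below tallies DNS lookups and blocklist hits per client from a Pi-hole query log. It is an added example, not code from the original article or the Pi-hole project; it assumes the dnsmasq-style line wording shown in the sample (`query[A] ... from ...`, `gravity blocked ... is ...`), and every address, domain and log line in it is constructed.

```python
import re
from collections import Counter, defaultdict

# Assumed dnsmasq-style wording of Pi-hole query log lines.
QUERY_RE = re.compile(r"query\[[A-Z0-9]+\] (?P<domain>\S+) from (?P<client>\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (?P<domain>\S+) is ")

# Constructed sample: .20 is a hypothetical smart plug, .30 a hypothetical smart TV.
SAMPLE_LOG = """\
Jan 10 08:00:01 dnsmasq[412]: query[A] time.example.org from 192.168.1.20
Jan 10 08:00:01 dnsmasq[412]: forwarded time.example.org to 9.9.9.9
Jan 10 08:00:05 dnsmasq[412]: query[A] telemetry.vendor.example from 192.168.1.30
Jan 10 08:00:05 dnsmasq[412]: gravity blocked telemetry.vendor.example is 0.0.0.0
Jan 10 08:00:09 dnsmasq[412]: query[A] ads.tracker.example from 192.168.1.30
Jan 10 08:00:09 dnsmasq[412]: gravity blocked ads.tracker.example is 0.0.0.0
Jan 10 08:00:12 dnsmasq[412]: query[A] cdn.vendor.example from 192.168.1.30
Jan 10 08:00:12 dnsmasq[412]: forwarded cdn.vendor.example to 9.9.9.9
Jan 10 08:01:05 dnsmasq[412]: query[A] telemetry.vendor.example from 192.168.1.30
Jan 10 08:01:05 dnsmasq[412]: gravity blocked telemetry.vendor.example is 0.0.0.0
Jan 10 08:02:00 dnsmasq[412]: query[A] firmware.plug.example from 192.168.1.20
""".splitlines()

def summarize(lines):
    """Return {client_ip: {"queries", "blocked", "domains"}} for the given log lines."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "domains": Counter()})
    pending = {}  # domain -> client whose lookup has not yet received a verdict
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            entry = stats[m["client"]]
            entry["queries"] += 1
            entry["domains"][m["domain"]] += 1
            pending[m["domain"]] = m["client"]
            continue
        m = BLOCK_RE.search(line)
        # The block line names no client, so attribute it to the last asker.
        if m and m["domain"] in pending:
            stats[pending.pop(m["domain"])]["blocked"] += 1
    return dict(stats)

def chatty_devices(stats, min_queries=3, blocked_ratio=0.5):
    """Clients for which at least blocked_ratio of lookups hit the blocklist."""
    return sorted(ip for ip, s in stats.items()
                  if s["queries"] >= min_queries
                  and s["blocked"] / s["queries"] >= blocked_ratio)

if __name__ == "__main__":
    result = summarize(SAMPLE_LOG)
    for ip, s in sorted(result.items()):
        print(ip, s["queries"], "queries,", s["blocked"], "blocked", s["domains"].most_common(2))
    print("mostly ad/telemetry lookups:", chatty_devices(result))
```

A device that shows up in `chatty_devices` is a natural candidate for the isolated, no-Internet network described above.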

All of this information begs the question, why should I care about what data is being collected and what the companies are doing with my data?

On a personal level, the more data that can be collected, the more closely ads can be focused on your personal behaviors. This isn’t necessarily a bad thing. No need to waste time watching ads for baby products when there are no children in the house, for example. But, where this becomes more troubling is in the way these ads can influence or even change buying habits and personal behavior. This article in the Harvard Business Review outlines a study using graduate students as subjects and demonstrates likely influence on both buying habits and behaviors based on the ads served and perceptions about why those particular ads were served. More research is needed with larger study groups before more definitive conclusions can be drawn.

On a business level, users should also be concerned. With work from home becoming the norm, especially in tech sector jobs, those smart devices might be leaking company data to competitors. Although it’s unlikely the big data companies care about Zoom meeting discussions or even that big presentation you rehearsed in front of the bathroom mirror, it’s possible there might be other actors attempting to leverage these firms to get to your company data. Despite the best of intentions, this story about Facebook leaking data to third-party developers clearly shows that determined parties will eventually find their way to your data, even if it wasn’t allowed or intended.

The takeaway from all of this information is clear. Large companies definitely have access to personal data through our smart phones and devices. And despite the best of intentions and promises to safeguard your information, it has already been used in the past, and will likely be used in the future, in order to drive company revenues. As such, the average user should take proactive steps to limit what data can be collected and be willing to voice objections to where and how data can be collected and used.
