by Casey J. Bastian

The Surveillance Technology Oversight Project (“STOP”) released a review of smart devices entitled: “The Trojan House.” The revelations are concerning. If you like your privacy and don’t want strangers, hackers, and law enforcement surveilling you, especially in your home, “smart” devices are a dumb idea. Smart devices facilitate “predatory data collection,” while subtly diminishing constitutional protections concerning your privacy.

Various forms of smart technology have been integrated into nearly every aspect of modern life. The theory is that these devices make home life easier than ever. Devices that have become “smart” include televisions; speakers and home assistants; thermostats and meters; vacuums and mops; beds; security cameras and home appliances like coffeemakers, refrigerators, washers and dryers; and countertop ovens. It’s pervasive and almost ridiculous. How “smart” does a mop really need to be? If you ask data brokers, hackers, and law enforcement, the “smarter” the better — for them.

A smart speaker, or home assistant, is actually a bug (surveillance equipment) that “activates” when it “hears” a phrase or “wake word” like “Alexa” or “Hey Google.” To hear commands and appropriately respond, it must be constantly listening — a fact that doesn’t occur to most people. And when awoken, these devices begin analyzing and recording everything. Apple devices collect up to “six months of transcripts from a user’s conversations with Siri.” Each also maps a user’s relationships based on “contacts, household members, and people named in photos.” This is in addition to cataloging users’ interests based on apps, music, and podcast performances.

STOP warns that using smart speakers to implement preprogrammed routines for lights, thermostats, and other devices amounts to a user “effectively sharing their daily schedules” with multiple third parties. Telling Siri to “turn the heat on at 5:00 p.m.” means you’ll be gone until then to those listening. If a consumer opts out of these invasive functions, the devices will limit capabilities. Over-riding Amazon’s default settings and refusing to upload exchanges with Alexa to the cloud causes Alexa to cease providing tailored responses to the user. Who knew these devices were programmed with attitude?

Companies unceasingly compile and share user data with government agencies and private entities. Amazon, Apple, and Google receive thousands of federal, state, and local authority requests for access to this data. In the first six months of 2022, Goggle received 47,000 government requests for user information— 84 percent were granted. Apple received 7,000 law enforcement requests in the same period, approving 90 percent of them. Amazon fielded 3,500 court orders, search warrants, and subpoenas for U.S. user data. This number does not include national security requests, which are exempt from reporting.

Private contractors also have access to user’s voice assistants’ audio recordings through Amazon, Apple, and Google policy. These contractors are given access to “excruciatingly sensitive personal, financial, and health details” revealed in recordings. Amazon has a team in Bucharest, Romania, that monitors Alexa recordings. These Romanian contractors have “eavesdropped on family rows, financial and health discussions, kids and guests speaking, and even couples having sex.” Apple’s Siri is often accidentally triggered, allowing their contractors to access similar private information.

Smart speakers create entry points for hackers to control households and access personal information. Cybersecurity specialists insist that “hacking a virtual assistant in millions of people’s homes is what malicious actors dream of doing.” These devices work in conjunction with other smart devices like thermostats and meters. Immigrations and Customs Enforcement pursues people through utility usage records, which reveal where and when people might be based on usage patterns. Many of these devices have “geofencing mode” to track user’s locations for purposes of adjusting related components.

The problem is that police, prosecutors, and private parties use these functions to monitor personal activity, too. This information has been used to identify protestors and harass those with differing political ideologies on some issues. Problems with smart thermostats and meters are growing. As of 2018, more than 50 percent of all U.S. homes use these devices to monitor usage and report to utility companies. In New York state, water consumption data will soon be made public allowing the police and malevolent actors to track your daily patterns. One could ask: “Who cares if someone knows about my water usage?” But if it is not important, why do they want the data so badly? At a minimum, could the future entail water consumption enforcement? Will “water police” dictate the duration of your shower, how often you wash your clothes, and the number of times you can flush your toilet in a day?

One of the most invasive smart devices are vacuums. Specifically, iRobot’s Roomba creates a “comprehensive digital floor plan” of the user’s home. Like a burglar, the Roomba will “routinely case the joint” it’s cleaning. While this is to avoid obstacles in theory, it allows others to know the exact layout of your home in practice. The device also collects unnecessary information such as demographics and age of the user, if there are children present, and what other apps are being used. Amazon has acquired iRobot, adding more ability to expand the company’s Orwellian tracking of consumer patterns.

Smart beds like Sleep Number collect “biometric, respiration, and heart rate data” and then make confidential health information publicly available by providing it to third-party companies. Home surveillance companies are scrambling to collect sleep data, so it can be monetized. Your privacy takes a back seat to capitalistic pursuits as well as law enforcement usage.

Hackers have used seemingly benign household appliances to launch cyberattacks, used refrigerators to spam email accounts, and stolen email credentials from various smart technologies. In 2016, the “largest distributed denial of service attack” in history was conducted using a network of smart devices. IBM claims that such attacks rose by 500 percent in 2020, and there were more than “900 million cyberattacks involving smart devices in 2021.” This trend will continue with 1.8 billion devices expected to be online by 2025.

STOP identified surveillance cameras, like Amazon-owned Ring doorbell system, as one of the most dangerous devices. These devices collect an “unprecedented” quantity of information, and law enforcement has not failed to notice. By 2021, nearly 1 in 10 U.S. police departments had established a partnership with Ring. Raw footage is routinely supplied to law enforcement. STOP argues that this “perpetuates unsubstantiated fears of neighborhood crime.” Hackers gained control of these devices and voiced obscenities, requested ransoms, and threatened murder and sexual assault. Thirty Ring users sued the company in 2020 after this occurred.

Considering that more than 25 percent of all households have purchased at least one of these devices, it is important to know how to protect your privacy and rights. STOP suggests using a virtual private network (“VPN”) enabled router. These routers do two things. First, Internet traffic from a device is rerouted through a dispersed network masking the user’s location. VPNs also encrypt the users’ Internet traffic. This makes it much harder for hackers and third parties to steal your information. However, the makers of these devices like Amazon, Apple, Google, iRobot, and Sleep number, can still gather your personal user data. VPNs are “not a complete privacy shield.”

The Electronic Communications Privacy Act (“ECPA”) protects some information sent to another person or company. The ECPA is divided into three sections: the Wiretap Act, Pen Register Act, and the Stored Communications Act. The Wiretap Act protects real-time communications, such as those transmitted through a smart speaker. Law enforcement is still required to “to demonstrate a reasonable need and probable cause before listening to conversations as they take place.”

The Pen Register Act protects secondary information like IP addresses, telephone numbers, and website URLs. However, government agencies can still compel the release of data by showing only that the information is “relevant to an investigation.” And the ECPA still allows companies to voluntarily share your data. Third parties can then sell it to the government or other entities.

The Stored Communications Act protects information like emails that have been uploaded and stored on a cloud device. The government is held back by a very low bar to compel production of emails and similar information that has been stored over 180 days or compel remote storage providers to “produce communications with notice to the user.”

Some states, including Illinois, California, Texas, and Michigan, have expanded the ECPA to require a warrant for all pertinent information. Illinois’ Protecting Household Privacy Act “applies to any information or input provided by a person to a household electronic device.” This does not include phones, tablets, personal computers, or routers. Nearly every state is considering such protections though.

On the federal level, the Federal Trade Commission (“FTC”) provides regulatory oversight of smart device companies that “engage in unfair and deceptive business practices.” The FTC has announced that it is considering updating its regulatory protections by creating comprehensive privacy legislation. This would allow users of smart devices to “opt out” and delete their data, which would make it unavailable to hackers, third parties, and the government.

Until then, just because technology might make our life easier doesn’t make its use a smart move. If your privacy matters to you, then “dumb” devices really do outperform “smart” ones.

Source: STOPSpying.org

Subscribe today

Already a subscriber? Login