The people that can find ~ an information, data and privacy blog
Have you started your holiday gift buying yet? With Thanksgiving behind, for many of us its time for that seasonal shopping. Thanks to the Internet of Things (IoT), many will consider giving ‘smart’ devices to family and friends. Yet a word of warning: some gifts aren’t always as jolly as they appear.
Before spending big bucks on these gifts, best check the fine print, and in some cases, industry reports. There’s nothing like invasive spy tech to make one long for a lump of coal; at least the coal keeps you warm. Below are several popular types of IoT devices that might look good wrapped up, but have unpleasant surprises hiding within.
Will that Teddy bear tell your child’s secrets?
Looking to get something more high technical for your child this year? A word of warning: some items may let total strangers listen in during playtime.
Security is still too often lax in IoT product design, and sadly, smart toys are no exception. A well-known example is the CloudPets toy line. The connected stuffed animals were capturing children’s names, passwords, and voice recordings, ... all without encryption. Now CloudPets are off of store shelves. Since the vulnerability's discovery, major retailers refuse to carry the products. It was later joined by the Fisher Price smart bear. This time, the toy pulled by the manufacturer.
Yet despite the setbacks and pulled products, smart toys also aren’t going away. An online search will provide parents with a variety of options for children ‘smart watches’. These an App Store, but still include audio, video, and...location tracking pedometer. The Enow YL Kids Smart Watch, for example, includes a camera that can be remotely activated using the app. A search for voice recognition and dolls show that market still in business, despite known hacks such as the one that affected ‘my friend Cayla’. Even if the device isn’t vulnerable, there are serious ethics of dolls that can listen in to conversations. What if police request access to the doll’s voice logs? What if the AI picks up on something sensitive? These are the questions asked by Mattel’s staff for Hello Barbie before it was pulled from sales.
So what’s a parent to do? For now, consider this advice from the FTC: Search online for the toy’s name, the company that makes it, plus the words “complaint,” “security,” and “privacy.”
DNA testing: giving away more than you bargained on
DNA sequencing is popular for a lot of reasons. It’s fun to find out who we’re related to or where we might come from. It can even be life-saving, providing early awareness of genetical health predispositions. Family trees have been a popular hobby for eons, so it makes sense that digital variant is even more in demand. Usually they also don’t need blood: for most DNA kits, spit or saliva will do. But before sending in that sample, you should know the trade-off isn’t always worth it.
For starters, who owns your DNA? Reading the Terms of Service and you might see a surprise. Ancestry.com for example, states that:
By submitting DNA to AncestryDNA, you grant AncestryDNA and the Ancestry Group Companies a royalty-free, worldwide, sublicensable, transferable license to host, transfer, process, analyze, distribute, and communicate your Genetic Information for the purposes of providing you products and services, conducting Ancestry’s research and product development, enhancing Ancestry’s user experience, and making and offering personalized products and services.
These types of clauses are common in contracts. Their purpose is to protect companies from what they would feel is fair use to improve their products and practices. For consumers however, it also means there's more than meets the eye. Your information is likely shared with more than a computer, with no guarantee you’ll agree on 'why'.
So your DNA has been hacked.. now what?
There are other, significant concerns with the commercialization of DNA testing. In January of 2019, FamilyTreeDNA came under fire for allowing FBI access to its labs and DNA samples. Less than a month ago, a detective in Florida revealed a warrant to search GEDMatch’s full servers. With one broad warrant out, experts suggest it’s only a matter of time before similar warrants are out for other databases. Worse, many of us may find our information in these databases even if we never took the test. The nature of DNA testing is that the information it holds is both personal and familial. DNA testing marks us as individuals and can track down relatives. As CNET's Jason Ryan speculates, with commercial DNA testing as a service it's a whole new world:
"Now that even our DNA is being digitized and stored in the infinite online filing cabinet of the World Wide Web, we must confront a reality in which our own genetic makeup can be hacked, stolen or used against us."
Least you think these fears are still a while off, remember: there have already been breaches. Most recently startup Veritas Genetics, hacked in November. Suffice to say, this is bad news. Twitter commenter Troy Hunt said it best: “Your DNA has been breached. Please change your DNA.”
Smart hubs and speakers listening in
First, kudos where kudos is due: smart home devices are an impressive feat. Hands-free ambience, temperature control and phone calls are all slick tech. More importantly, they are enabling. As a colleague and parent of a disabled child informed me, hands-free is a game changer. If you have a family member facing mobility issues, smart home devices don’t make life a little easier, they make the home more inclusive. Products that assist the most vulnerable are worth celebrating.
Problem is, these devices are also gateways for more invasive, practices. In exchange for access and convenience, we’re allowing manufacturers into our homes for data collection. How much data do they collect? Lots: voice, video, location... who is in your home, what they look like and what everyone's saying.
Already Google is putting restrictions on Nest, for fear of becoming the next Cambridge Analytica. The company is moving to a system that more rigorously checks when other devices and apps work with its products. As Russell Brandom with The Verge reports:
In part, it’s an acknowledgment of how sensitive home data really is. These devices can tell when you leave your house, when you fall asleep, and what you cook for dinner. In a fully connected home, it’s hard to do anything without leaving some kind of digital trace. And in most cases, that data is spread across multiple companies, leaving lots of opportunities for it to leak out. If that happened in a Nest-connected home, Nest would be on the hook for the privacy fallout — even if users had given permission to share the data.
That Google is looking into these connections now is disturbing. How many companies have access to our information now while we're unawares?
Not only third parties...
It’s worth highlighting that even when users agree upon data processing, such as for internal business purposes, privacy is at stake. Alexa made headlines this year when in April when reports came out on internal listening. For technologists, engineers, and designers, this was hardly a surprise. As great as strides are in machine learning, human oversight is still critical for product improvement. Having humans listen in to correct nuance makes sense on the manufacturing floor. Yet for buyers, it’s unthinkable. We invite these products into our homes to talk to friends. We're not expecting a potential wiretap on every conversation.
There’s also a question of law enforcement access. If a device records information and stores it in the cloud, the company who holds it may be subject to police warrants and access requests. In the United States both Echo and Nest data are becoming subject to regularly requests for data. Most recently, FBI in Florida successfully gained a warrant to device audio recordings that they hope will solve a murder. Against police access, even strict privacy legislations may offer little defence. Already police in Germany are discussing access to Alexa and Siri. The GDPR, currently the world’s most robust privacy law, still makes exemptions for law enforcement requests.
If a home port would make the difference in someone you care about’s life, do your homework. While no device is 100% secure, some devices are more committed to privacy by design than others. Hubitat Inc.'s Elevation by is a good example. Getting good reviews, the device stores data locally rather than via the cloud, and limits geolocation tracking.
When your TV is watching you
With streaming services like Netflix, Amazon Prime, and the new Disney+, so-called ‘smart’ TVs are in-demand. In fact, if shopping for a new television set, you may find it difficult to buy a television that doesn’t have online capabilities. You know it’s bad when consumer reports issues an entire article on how to turn off device data collection.
So who are the worst offenders? Honestly, it’s a toss up. According to consumer reports Sony and Vizio, for example, demand agreeing to data collection policies before use. Devices that use Google Android TV offer no opt-out. Samsung smart TVs aren't quite so blatant, but not by much. They still collect viewing and voice data unless its deliberately turned off. If using a smaller manufacturer, such as Sanyo or JVC, check the box: most use the Roku TV platform to offer smart TV access. This platform regularly sends viewing information to third parties for advertising. As Fast Company Jared Newman reports, cutting the cord is a privacy minefield.
What about T.V attachments & peripherals?
Even side hook-up devices aren’t safe. Last year thousands of Chromecast, which stream from phone to television, were successfully hacked. Or take Facebook Portal, which connects to your television to become a family entertainment centre even when family is far away. Portal advertises itself with messaging services, movie sharing, and children's story ambiance. Unfortunately, reviewing the data portal collects is chilling. According to Rani Molla of Vox, Portal collects audio, video, and environmental data, it’s knowledge as detailed as how many people are in the room and where they are. Least this appear hype, the FBI itself now warns against the hacking of smart television sets.
Unfortunately, if you’re in a market for a ‘stupid’ television, you’re likely out of luck. T.Vs without smart features are no longer manufactured, unless you go second hand. Hopefully as more reports come out companies will provide better options, but for now? Look at how to turn off IoT data collection, and pick your poison.
Digital doorbells, making not-so-nice neighbours
In Lord of the Rings, Tolken's Gandalf rejects the One Ring for the corrupting influence on its bearers. Amazon’s Ring might not be forged by a Dark Lord, but from a privacy perspective? Wow, is this thing evil. The idea of a camera at your door might sound like something to ease security fears. The reality is a device that turns us all into the protagonist of Rear Window: paranoid snoops. Ring isn’t sold to encourage trust; according to the Electronic Frontier Foundation vendors market ring is the premise we cannot trust our neighbours. Fear, not friends and family, sell Ring.
There’s so much bad with Ring, it’s hard to decide where to start. This is a consumer-mounted facial recognition device mounted to watch your neighbours. It records and saves nonconsensual data of individuals who happen to walk by, including children trick or treating. The security of the sensitive data is nonexistent. For example until a recent fix, Ring was allowing hackers access to other home data, such as the passwords for household WiFi. For a device that captures sensitive data, Ring plays loose with security.
Most damning for Ring is the company’s partnership with law enforcement. That’s right: depending on where you’re located, police may have access to ring security footage anytime. Adam Clark Estes from Gizmodo states it best in his article: Don't by Anyone a Ring Camera.
Will a digital doorbell that respects privacy please come forward?
At present, very little is available on the relationships between Nest, Eufy and police departments. Odds If these cameras are accessible by police, they’re not saying, or perhaps ideally, data is not provided without a warrant.
Ultimately, privacy is a very personal thing, that will matter more to some of those on your list than others. However, there's nothing unsettling like buying a gift only to discover it creeps out the recipient. If you want to avoid the gift of corporate and legal surveillance this year, don't touch these presents with a thirty-nine-and-a-half foot pole.
- Dancing, but Not Prancing: 2019’s Worst Gifts for Personal PrivacyDecember 3, 2019
- A Security Tip a Day: 2019 Cybersecurity Awareness Month!November 1, 2019
- Six Ways to Save Money for Information SecurityOctober 3, 2019
- As Seen on Twitter: Time to Wake up on SIM SwappingSeptember 6, 2019
- Four ways phishing attacks are like vampiresAugust 5, 2019