Smart Device Data Sharing

The Register has summarised a Which? report indicating that many smart or IoT devices harvest data that is far from necessary for the operation of those devices.  As an extreme example, LG washing machines require a ‘name, date of birth, email, phone contact book, precise location and phone number’, none of which would be of any help in washing clothes.  Smart doorbells and televisions were amongst the other defaulters.  In September 2023 Mozilla reported that cars were amongst the worst culprits for harvesting data that is not strictly necessary.  They surveyed 25 car brands and only 2, Dacia and Renault (owned by the same parent company), passed the Mozilla privacy tests and admitted that drivers had a right to have their private data deleted.  This exception is almost certainly because these 2 brands are only available in Europe and hence need to be heedful of GDPR legislation.

Money is a key incentive in gathering this information.  84% of the car brands researched by Mozilla indicated that they share or sell the data they gather.  Another factor is the source and nature of the underlying software.  Few manufacturers will be creating their own bespoke systems from scratch.  Many devices, such as Smart TVs, are based on the Android operating system.  The underlying aim of Android is to gather data enabling mobile communications.  Your phone may need to know where you are; it could be life-saving in an emergency.  The same would be hard to argue in the case of a washing machine.  Privacy options in the code can be locked down or opened up, and it is possible that inappropriate settings are left in place when code is adapted for multiple products.

Amazon-based devices are also rooted in Android, with the additional sting of being linked to the Amazon sales algorithm.  Amazon wants to know what you have been doing so that it can build up a better profile and offer goods and services that you might be interested in.  The better its ability to create such profiles, the more likely it is that Amazon will make a sale.  Apple-based devices are more likely to be trustworthy, as Apple has less incentive to sell data outside of its own organisation.

The Mozilla ‘Privacy Not Included’ initiative looks at commercial devices and rates their privacy.  It avoids obvious business devices such as routers and printers but does cover some that might come under the category of ‘Shadow IT’, such as video calling devices including the Amazon Echo Show and Google Nest Hub Max.  While this list is never going to be exhaustive, it does show the private data each device can collect and offers advice on reducing the risk.

While there is no ‘one size fits all’ solution, any reputable device should offer some means to reduce the personal data that it harvests.  This might not be the case with some grey import devices, which could be re-using sloppy or outdated programming.  Kindus suggest the following actions:

  • Avoid grey import devices.
  • When creating an account do not agree to tracking or data sharing.
  • If the device requires some common account such as Google, turn off any ad personalisation in your account hub.
  • If a device is controlled by an App, update the App regularly. If the App is no longer used request that the provider delete all data associated with that App.

It is possible that changing some of these settings will stop a device working or disable some desirable functionality.  The only options available to the user would then be to live with the consequences or return the device.  The best approach is to consider data sharing concerns before making the purchase.
