IoT reality: no alternative or acceptable outcome

How have Amazon employees bugged users for years and keep silent about it? What can you tell about a person by knowing their floor temperature and humidity level in their home? Why do insurance companies want to break into your refrigerator? Let's find out how a smart home works, what privacy risks are associated with it and ways of how not to lose your sense of security in your own home.

The now-cult series "Love. Death and Robots" presents dystopian short stories in which robots and gadgets claim equal subject status with humans.

In the second episode of the first season, we see the life of an affluent pensioner, unencumbered by worries - most of the work is done by a cleaning robot, combining the functions of 10 smart devices and controlling all the systems of the house. When the woman interferes with the cleaning process by moving the family photo to another place, the idyll comes to an end - the robot perceives the actions of the homeowner as an encroachment on the system and arranges a "hunt" for her.

Let's take this example as a cross-cutting theme of our narrative today - how power over technology turns into power of technology within our domestic space.
What is a smart home?
Different types of sensors. Source CircuitDiqwst
The emergence of automated home control systems is caused by the advent of Internet of Things ("IoT") technology. IoT involves building a data network between physical objects ("things") equipped with the means and technology to interact with each other or with the environment.

Devices that are part of an IoT network generate information through all sorts of sensors, for instance, sensors for light, humidity, motion, temperature, touch, etc. Such devices use Internet protocols for communication. They are connected to a single control center (controller), which is, for example, the router or a smartphone. The information processed and localized at the home then leaves the home and can be processed by the manufacturing company, for example, in cloud storage.
The development of IoT technologies has led to the emergence of the concept of "smart home", which means that household processes are being automated and controlled. Today there are many products for building a "smart home" especially from Yandex, Sber, Google, Amazon and other digital giants. All of them are built on the introduction of devices into the home space. They are greatly simplify everyday life through remote control, which is implemented by the owner through his devices (smartphone or computer) or special centers.
What are the benefits of a smart home?

Typically, a "smart home" includes many connected devices related to various areas of application - entertainment, energy, security and health:
  • entertainment devices enhance residents' comfort and convenience by providing personalized content and communication;
  • energy optimization devices are designed for efficient consumption of energy, managing its sources;
  • security devices offer services designed to monitor, detect and control security threats;
  • health devices help track user activity, sleep patterns, and in some cases even counseling users.

One example of such "smart device," is a light bulb announced by Sengled. It is designed to track sleep and other measurements like heart rate and body temperature. The company claim that the light bulb determines whether a person has fallen or not, and if a fall is life-threatening, to call an ambulance.

The undeniable benefits offered by IoT technologies, however, come with security and privacy risks. The emergence of innovative developments not only "shakes" public opinion, but also changes the idea of "technology ethics". According to a survey of residents in the United States, Canada, Japan, Australia, France and the United Kingdom, about 63% of people perceive them as "creepy" and 75% do not trust the way these devices handle personal data.

At the same time, consumers' wariness does not stop them from continuing to buy devices (the same survey showed that 70% of respondents have smart devices). This contradiction was also documented in a study conducted by Consumers International and the Internet Society.

A report by Fortune Business Insights indicates that the global Internet of Things market, valued at $190 billion in 2018, will reach $1.11 trillion by 2026.

Most of the questions remain unresolved. Will "smart devices" respect the right to privacy of our lives? Who has a stake in this? Have standards of secure IoT devices been created?

Smart Home: What Risks Does the IoT Bring?
Consumer wariness about smart home technology is easy to understand because IoT systems interfere with the essence of our private life. Below we present the main problems caused by the use of smart devices from a privacy perspective.
Regulatory gaps

The data collected by smart devices, whether it's light levels, refrigerator fullness or air humidity, hardly fits within the concept of personal data because it doesn't relate to a person's identity. At the same time, the huge sets of data collected by the devices on a daily basis make it possible to fully build a person's schedule and find out their eating habits, sleeping habits, sex life and interests. Thus, companies that have possibilities to correlate or enhance data (data enhancement) gain virtually limitless power over the individual, evading the requirements of privacy and personal data protection laws. In this regard, it is increasingly possible to hear calls for a large-scale revision of the fundamental principles of privacy protection and the definition of personal data.

Moreover, the activities of IoT-system operators are not licensed because they do not fall under the provision of communication services or data protection, as indicated by Roskomnadzor in its response to an appeal by the Internet of Things Association. The lack of licensing requirements and standards negatively affects the security characteristics of "smart" devices. For example, many devices can communicate with each other either through weakly protected networks or through shared WiFi networks to which all mobile and stationary devices are connected

— Unauthorized collection of redundant data by companies

It's no secret that for most people home is a space of security and privacy. In practice, however, the situation is different: it turns out that when you buy a smart device in your home, you simultaneously invite an "uninvited guest" — a person from the think tank of the company-developer. In April 2019, it was revealed that millions of recordings from Alex's smart speaker had been tapped by Amazon employees to improve the home station:

“I think we’ve been conditioned to the assumption that these machines are just doing magic machine learning. But the fact is there is still manual processing involved.” — said Florian Schaub, a professor at the University of Michigan who has researched privacy issues in smart speakers.

This isn't the only case of corporations hiding privacy violations. Google, for example, admitted that it did not notify users about the presence of a hidden microphone. With the next update of the smart station Nest Guard, the company announced that the smart speaker will be able to be controlled by voice. Users were perplexed because they were unaware of the presence of a microphone inside the device when they purchased it.

Other manufacturers' devices also have built-in microphones, which are constantly waiting for code words that trigger algorithms inside. Some companies assure that the device does not record surrounding sounds until the code phrase is uttered. At the same time, this assertion is distrusted against the backdrop of other cases of illegal recording of people's privacy. For example, unprotected video transmissions from baby monitors or unauthorized downloads of voice recordings, emails and passwords by children's toys.
The "sensitive" nature of the information collected

The information that smart devices collect at home identifies a person in the most comprehensive way. While search queries or visited websites provide scattered data, a smart speaker can hear directly about your dreams and desires. What's more, the nature of the information itself (thoughts spoken aloud or dialogue with family members) tells you many times more about a person than their online behavioral patterns. A Federal Trade Commission report titled "Internet of Things: Privacy and Security in a Connected World" found that fewer than 10,000 households can generate 150 million discrete data points daily.

This information may be recognized as a special category of personal data, as it may reveal nuances of health, intimate life, behavior, race and political preferences of an individual. As such, the processing of sensitive data is generally prohibited, except on strictly defined grounds. Some "smart devices" manufacturers claim that they do not handle sensitive data, but there is no reason to believe that the claims are true.

Moreover, according to a recent decision of the EU Court of Justice in "OT v Vyriausioji tarnybinės etikos komisija" in order to be recognized as sensitive data, such data need not in itself indicate the above characteristics of a person - it is sufficient that such hypothetical possibility exists when enhancing or comparing the data.
—  Threats to data privacy by third parties

Imagine that a smart home detected that you are absent-minded and often forget to lock your door or leave your keys when leaving your apartment. Upon learning this, smart home operators may illegally sell data to insurance companies interested in obtaining information on potential customers. When you apply to an insurance company for car insurance, the insurance risks will be assessed already. And fact that you are a distracted person will be taking into account.

Another example, the developers of Siri or Alexa voice assistants explicitly state that the devices can record and transmit information which they receive during interactions with the owner to third parties. Thus, if you ask the assistant the weather before you leave the house in rainy weather, you are likely to see advertisements for umbrellas and waterproof clothing. Many people take this as a given, not realizing that in this way advertising companies and manufacturers of smart devices can deliberately influence your desires, needs and purchases, pushing you to a particular decision.

Privacy Tips
Above we've outlined the basic privacy issues of IoT systems, now it's appropriate to move on to offer practical tips that won't prevent, but will help avoid excessive and redundant collection of personal data in our homes:

"Yandex's Smart Column

  • Be careful when buying smart devices

One of the best ways to keep your "smart home" safe is to do research before purchasing new devices and not shop on a whim. If you're thinking about buying a new connected speaker or smart refrigerator, search the Internet for that device and see if other consumers have had problems with it. For example, you can learn about Yandex's most popular station in the CIS, Alice, in Roscomsvoboda materials. You can also explore privacy policies. Many smart home device manufacturers have them.

  • Don't rely on passwords and default settings

Many smart devices come with short and simple passwords that must be reset after purchase. It's important that you take the time to change them.

When you choose a new password, make sure it consists of symbols, numbers, and characters and does not contain recognizable words or numeric sequences. It's also important to review and change your default security and privacy settings. If you can limit the amount of data stored and processed by the smart device, by all means do so.

  • Make sure your router is secure
Most of the devices in your smart home will use a router to access the Internet. If a fraudster manages to hack into the router, they will be able to view the data of all devices connected to it. To increase the security of your router, change your login code regularly and avoid using short, easy-to-guess passwords.

You can also set up your router by using a VPN, which will allow you to protect all other devices connected to it with layers of encryption.

We also don't recommend using a shared WiFi network to connect smart devices. It's best to choose those systems that use self-contained networks that comply with security standards and provide end-to-end encryption of all data transmitted.