
Air Spy-er: How your appliances may be listening to you

Consumer watchdog Which? found that some brands of Air Fryer were sending user data to servers in China

If you’ve bought any kind of consumer electronics recently – even the most mundane appliance – there’s a good chance you had the option of buying a ‘smart’ model.

That’s because appliances are no longer things you buy, bring home, plug in and put to work. Now they are mini-computers that offer all sorts of additional features.

To make use of that, you probably have to download a dedicated app on your phone, set up an account and sync your new appliance to it.

But while this is presented as something that will make your life easier – it may also be eroding your privacy.

Because, according to a report by British consumer watchdog Which?, some smart appliances – like Air Fryers – are actually accessing a surprising amount of user data with no clear justification for doing so.

That’s happening because, through the app, the user’s phone becomes a kind of middle-man, where all of the sensors and trackers that are in there – like the microphone, and GPS – can become available to the manufacturer.

But why would an Air Fryer need to listen to me?


It seems like one of the ‘smart’ features on offer in the appliances that were tested was the ability to turn it on and off remotely.

As part of that, it was presumably possible for a user to give a voice command via their phone – but in order to do that, they would need to give permission to the app to access their microphone.

But what Which? also found was that the audio that the apps were picking up was then being sent on to a server in China.

And it’s quite possible that it will sit there for an indefinite period of time.

It then becomes a question of who has access to that.

It is important to note here that the companies in question did have to ask for permission to record audio – it wasn’t something that they did covertly.

Users will also be familiar with an app asking them for permission to access things like their phone’s microphone, or mobile data, when they first install it.

And that’s partly because rules like GDPR in the EU have raised the bar on how companies handle user data.

So if they’re gathering data on you at all, they’re supposed to get informed consent up-front. And they’re also supposed to be clear about what they’ll do with that data.

But the important information may well be buried in reams of text – like the terms and conditions that nobody reads.

In the case of the Air Fryer recordings going to China – that was spelled out in the privacy notice.

And what Which? found was that companies will often take a very broad approach to the permissions they seek – there isn’t always a good justification for asking users for certain information, but they do it anyway because they can.

And it’s not just about tapping into your phone – sometimes this data gathering is far more analogue.

For example, companies will straight-up ask for information like a user’s date of birth, gender, address and so on… none of which should really be required to use an Air Fryer.

But it’s not just Air Fryers that have this data problem, is it?

No – the ‘smart’ appliance is everywhere now.

People will be familiar with Smart TVs, for example. In fact finding a ‘dumb’ TV that doesn’t connect directly to the internet is becoming a bit of a challenge.

But you can also get smart fridges, smart washing machines and dryers, smart dishwashers – even smart kettles.

And all of these will come with an app – and will piggyback on a phone to pick up data about the user.

Another category Which? took a closer look at here was smartwatches – and it said there were some ‘risky’ permissions being sought by these devices – which often gathered a lot of data about the user.

Again, that was often via the customers’ phone – and it often involved the device tapping into location, the microphone, personal health data, stored files and even the ability to see what other apps a person had installed.

Now, again, there could be a legitimate reason for some of that.

Someone using a smartwatch for exercise might want it to track their location so it can tell them how far they've run… and they might want it to tap into their health data so it can log their heart rate, and the amount of calories burned.

But why it would need access to someone’s stored files or a list of the other apps they use is less clear.

What might all of that data be used for?

Even taking the most benign view of this, the information that’s being gathered on users by a lot of companies is probably going towards figuring out what ads to direct towards them.

Because Which? found multiple instances of devices – including Air Fryers and smart speakers – having connections to ad trackers.

The companies will likely say they do not sell personal information on to third parties – and that may be true. But it’s also fudging the issue a little bit.

Because what those ad trackers do is act as a kind of go-between for companies.

They might essentially give a kind of anonymised picture of a user – they live in this general area, they’re in this age category, and they like these kinds of things.

And based on that they can offer to show a company’s ad to them for a certain price.

And of course the more data they can gather on an individual – from what they’re doing on their phone, to how they’re interacting with their Air Fryer – the more valuable that profile is to advertisers.

And bear in mind – these trackers are everywhere.

So even if a user doesn’t visit a site like Facebook, there are still Facebook-linked trackers on various websites, and within various apps and services that might be gleaning information about their online habits.

So if they can record audio – does that mean they’re potentially listening in to everything?

People have had this suspicion for years about their smartphones.

Everyone has had that experience where they’re chatting about something with a friend, and then a few hours later they get an ad related to that on their feed.

But the reality is that they’re not listening in to everything you say.

Because even on a practical level – if every single smartphone was beaming a livestream of audio back to a server somewhere, that would take up a huge amount of space very quickly.

And it would eat up a lot of data too – users would definitely notice it.

Not to mention the fact that it would eat up a lot of battery power – anyone who has recorded audio or video on their device for any length of time will know just how power hungry a task it is.

But all of these little trackers from all of these sources do go some way to explaining why we have that experience of talking about something, and then seeing an ad for it.

Because through all these ad trackers, your social media account is able to get an impression of what you’re searching for or reading about – even on websites and search engines they don’t own.

Depending on the permissions a user gave, they may also have a rough idea of where they’ve been and when.

And – crucially – they probably have all that data on a user’s friends and family too.

So, say you’re talking with your friend about a brand of chocolate you haven’t had in years – and then your friend searches to find out where they could buy it. The trackers might know you follow each other, know you were recently in close proximity, know you have similar interests, and from that it might decide ‘well if they’re interested in this brand of chocolate – then this other person might be too’.

And, so, they serve you the ad for the product you were just talking about.

So tech companies are probably not listening to you all the time… but, that being said, there are cases where they absolutely are listening in.

When?

When you actively speak to your smartphone or smart device – like when you give a command to your phone’s personal assistant or request some information from a smart speaker.

By their nature these things are always listening out for you to summon them – though they’re not actually recording at that stage.

But once you do summon them and make a request, that data gets pinged off to a server – and is likely saved too.

And there have actually been court cases where the recordings from an Alexa were used as part of the evidence.

There was a fairly gruesome murder case in Wales last year, for example, where a string of commands to an Amazon Alexa were used to help piece together the movements of the accused.

Because the victim was heard asking the Alexa in her bedroom to play music at 3am – then her attacker told the Alexa to stop a few minutes later. Then he was heard, out of breath, turning on the lights in the living room. After that he made another command to the Alexa in the bedroom.

So all of those interactions were recorded, and the authorities in Wales were able to get access to them to play in court.

All that information being available must be open to abuse…

Absolutely – even if it’s not happening systematically, if it exists on a server somewhere, then someone can get access to it.

Last year the FTC in the US claimed that 30,000 Amazon workers could access data from Alexa.

Amazon disagreed with that assessment – but there have been cases in the past where it fired workers for improperly accessing user data.

And one of the big issues that’s cropped up in consumer electronics and appliances in recent years is the arrival of countless small, Chinese brands that are selling products online.

You might not even know they’re Chinese – but if you’ve never heard of them before, there’s a good chance they are.

And the problem there is that there’s very little transparency around the companies themselves, or the things they’re selling.

Oftentimes you have multiple brands selling the same generic product, which they’ve just stuck their own branding and packaging on.

So it’s not clear who made it, and who made the app, and whether they’re following the regulations in terms of handling user data.

And of course data security experts have repeatedly raised concerns about Chinese companies’ handling of user data – and raised questions as to whether they are required to give Chinese surveillance services access to whatever information they hold.

So the question arises – if the company can listen in, who else can?

And that’s before you even think about the risk of hackers tapping into all of this – which can happen with any company.

Though it probably is more likely to happen with a smaller firm that maybe isn’t taking data security as seriously as it should.

So what can consumers do to protect themselves?

The first thing to do is to avoid smart appliances, unless there’s a really good reason for buying one.

It’s not always possible to do so – and retailers and brands will often try and upsell you on all these smart features – but it is worth taking a moment to ask yourself whether the ‘smart’ features are actually all that useful.

And often the ‘dumb’ versions of appliances are actually cheaper.

But that aside – you just need to be very mindful about the information you are handing over – and the permissions you’re giving.

So when you’re encouraged to download an app – ask yourself if you really need to. Will your Air Fryer work just fine without it?

And if you decide to download it – or you simply have to – be mindful of the access you are giving it. Do you need to let it tap into your microphone? Does it really need to know your location?

And while there is a long-running debate around which type of smartphone is better, Which?’s research does show that Apple’s iPhone wins out when it comes to privacy.

In its study, it found that iPhones tended to leak less user data to companies than was the case with Google’s Android.

That’s because Apple has made a big play around privacy in recent years – and it straight-out blocks certain types of trackers in apps, while making it easier for users to block permissions in other areas.