Before buying an IoT device, ask these 5 questions
When a Washington state couple’s 3-year-old son complained that he was scared of the voices he heard at night, his parents were rightfully skeptical—until the moment they, too, heard a voice say through the baby monitor, “Wake up, little boy, daddy’s looking for you.” The two-way Foscam device, it turns out, had been hacked.
Wi-Fi-connected appliances, baby monitors, home automation systems, fitness trackers, and locks—so-called Internet of Things devices are skyrocketing in popularity, but lag in privacy and security, experts say.
According to the Federal Trade Commission, the number of connected devices is set to double in the next four years, to 50 billion. And the influx in the collection, transmission, and storage of consumer data—some of which is highly personal—has privacy advocates on edge.
“The Internet of Things is revolutionizing data collection of personal habits, and many people might not realize it’s happening,” says Claire Gartland, consumer protection counsel at the Electronic Privacy Information Center. “People don’t realize when it’s happening or how this information might be used. There’s a real transparency problem when it comes to the Internet of Things.”
According to Gartland, one of these concerns—besides their vulnerability to hacking—is with whom the company shares the data it collects. Health-monitoring devices could share your exercise habits with insurance companies, for example, while smart TVs might share your viewing habits with ratings companies.
“There are a lot of insights that can be used in unexpected ways to make judgements on stuff like your financial status and overall health,” Gartland says. “This data can be used to categorize you to receive or exclude you from certain services and products.”
Before you purchase a connected device, vet it for its data practices and security measures, Gartland says. Privacy policies, though often long and often indecipherable, often outline how data is collected, shared, retained, and protected.
According to Gartland, people should find answers to the following five questions related to privacy and security before investing in an IoT device or service.
What data is collected and shared?
Search the privacy policy for details about the information the company collects, what it shares, and with whom it shares it, Gartland advises. A general rule of thumb: “They should only ask for the data that’s necessary and relevant to the service,” she says.
A fitness tracker, for example, might collect data on the number of steps you take, but think twice if it logs location data, too.
The collection of aggregate data, rather than granular customer information, also ensures a degree of anonymity. For example, a smart grid could collect aggregate data from an apartment complex rather than data from individual devices from within each apartment.
How long is data retained?
Safer connected devices adopt the principle of data minimization, EPIC says—using, storing, and retaining only as much data as is necessary to ensure the functionality of their products or services.
Look for language in the privacy policy that discusses how long the data is stored. “Companies really shouldn’t be retaining data for any longer than needed to provide you with the service,” Gartland says.
Can you opt out?
Beware of companies and services that don’t offer you data collection opt-outs or ask for your permission to collect additional data, Gartland says. And in the settings for the device or service, be careful not to bypass opt-outs or grant unnecessary permissions.
Some IoT devices, such as “a connected toaster,” Gartland says, don’t have screens or interfaces. For devices like these, consult the product’s site for more information.
What security measures does it take?
According to an EPIC report, not all wireless connections in IoT devices are encrypted: “Researchers who studied encryption within the Internet of Things found that many of the devices exchanged personal or private information with servers on the Internet in the clear, completely unencrypted.”
And according to a 2015 report from Hewlett-Packard, 80 percent of connected devices, along with their cloud and mobile application components, failed to require passwords of a sufficient complexity and length.
If a device comes with a default password or an open Wi-Fi connection, change default passwords to strong ones, the Federal Bureau of Investigation advises. If the device does not allow you to change the access password, check that the device providing wireless Internet service has a strong password and uses strong encryption, it says.
Can you access the data it collects?
While not all IoT devices and services support the capability to access the data they collect, it’s a good sign when one does, Gartland says.
“This gives you the opportunity to understand how you’re being portrayed to the company and its partners,” she says. “Even better is having the ability to delete or correct inaccurate information, which could be used to make credit, insurance, and other decisions about you.”