Spies in your home: Which? warns of security camera that sends data to TikTok and washing machines that demand to know your age
Smart home device owners are being asked to provide swathes of data to manufacturers, which could compromise their privacy and potentially result in them handing their personal information to social media and marketing firms, Which? research has found.
The consumer champion found companies appear to hoover up far more data than is needed for the product to function. This includes smart speakers and security cameras that share customer data with Meta and TikTok, smart TVs that insist on knowing users’ viewing habits and a smart washing machine that requires people’s date of birth.
The research suggests that, despite consumers having already paid up to thousands of pounds for smart products, they are also having to ‘pay’ with their personal data.
Which? analysed the data collection practices of popular brands behind a range of smart devices. Experts looked at what information they require to set up an account, what data permissions their apps request and what activity marketing companies are tracking on people’s products.
Every brand looked at required exact location data as well as an approximate one, despite this arguably not being necessary for the functionality of the product.
Smart speakers are only supposed to listen when you want them to, but this is not always the extent of data collection.
Which? found that Bose smart speakers share user data with Meta, the parent company of Facebook.
Researchers found a stark difference in the volume of data requested by smart speakers if users own an Android phone versus an Apple iOS device. For example, Google Nest products request contacts and location on Android, but neither on Apple’s iOS. The app functions the same on both, so the additional data collected on Android does not appear to be essential.
It is not known why this additional data is collected. However, Google’s primary business is advertising and marketing, whereas Apple currently focuses on selling hardware.
When it came to smart cameras and doorbells, Which? found Ezviz devices, sold by major high-street retailers including Argos, had by far the most tracking firms active. This included TikTok’s business marketing unit, Pangle, Huawei, as well as Google and Meta.
Every single smart camera and doorbell brand Which? assessed used tracking services from Google, while Blink and Ring also connected to parent company Amazon. Google’s Nest product demands full name, email, date of birth and gender.
On Android, Arlo, Eufy and Ring also want permission for people’s background location, which is not necessary to alert users when their home security system is triggered, and means they could track users even when they are not using the app. All permissions are activated by default. Consumers can opt out, but this requires changing the settings and could lead to aspects of the device or app no longer working.
In a survey of 1,201 Which? members in April 2023, the data people were most concerned about being shared were their contacts and background location, involving an app tracking where people are even when they are not using it. This was followed by photos, phone number and precise location.
For smart washing machines, experts were surprised to find companies needing the date of birth of users – although this is optional on Beko machines, LG and Hoover will not allow use of the app without knowing when customers were born.
LG wants the most data of all the washing machine brands – the company will know the customer’s name, date of birth, email, phone contact book, precise location and phone number. Hoover wants users’ contacts and phone numbers on Android devices. With Miele, tracking of precise location is enabled by default, and required to use the app.
Most smart TV menus are now flooded with adverts, some personalised based on user data. While tracking is optional, Which? has found that LG, Samsung and Sony bundle this up into an ‘accept all’ button, rather than encouraging customers to review a full list of tracking options and then accept or decline which ones they want.
A third (33%) of the Which? members surveyed admitted to not reading any of the privacy policy when downloading an app, while two thirds (67%) said that they merely skimmed it. This is perhaps unsurprising given terms and conditions and privacy policies are usually incredibly long to read.
A Google Nest owner would need to work their way through more than 20,000 words to get to grips with them, which would take one hour and twenty minutes for someone who reads at 250 words per minute.
Under the General Data Protection Regulations (GDPR), companies must be transparent about the data they collect and how it is processed. The data collected must also be relevant and limited to what is necessary for the processing to take place.
However, the reasons for taking information are often too broad for consumers to appreciate, with companies claiming ‘legitimate interests’. While it all should be listed in a privacy policy, the reality is that when consumers come to click ‘accept’, unless they closely analyse the fine print, they have little to no idea what will actually happen next with their data.
Rocio Concha, Which? Director of Policy and Advocacy, said:
“Consumers have already paid for smart products, in some cases thousands of pounds, so it is excessive that they have to continue to ‘pay’ with their personal information.
“Firms should not collect more data than they need to provide the service that’s on offer, particularly if they are going to bury this important information in lengthy terms and conditions.
“The ICO should consider updating guidelines to better protect consumers from accidentally giving up huge swathes of their own data without realising.”
-ENDS-
Notes to editors
- The survey of 1,201 Which? members was conducted in April 2023.
Consumer advice – How to improve your data privacy
Care about what you share
Some data collection is optional during setup, and that means you can opt out. Only share what you are comfortable with.
Check permissions
On iOS and Android, you can review permission requests before downloading an app, and check what each app has access to in your settings.
Deny access
Also in your phone settings, you can potentially deny or limit access to data such as location, contacts, and so on. Although, that might stop or limit aspects of the app.
Delete recordings
Using the Alexa and Google Assistant settings, you can set your voice recordings to be deleted automatically rather than stored after a period of time.
Read the privacy policy
Do at least browse the policy, particularly the data collection sections. You have the right to object to a company processing your data.
Right of replies
Amazon (in reference to Echo, Blink and Ring devices): “We design our products to protect our customers’ privacy and security and to put our customers in control of their experience.
“We never sell their personal data, and we never stop working to keep their information safe. We use data responsibly to deliver what our customers expect: products that they love and are always getting better.
“We are thoughtful and transparent about the information needed to develop, provide, and improve the products and services that we offer our customers, allowing us to deliver a more personalized experience, and to analyse and improve the performance of our devices and services.”
Google: “Google fully complies with applicable privacy laws and provides transparency to our users regarding the data we collect and how we use it.”
Miele: “Miele is transparent with its customers about the use of data. The data is collected to optimise appliance usage and to offer customers additional features and functionalities. Our digital services vary from country to country. By specifying the location, we ensure that we can provide customers with the relevant services,” Michael Prempert, Director PR Professional/Smart Home.
Samsung: “We design our products with security and privacy top-of mind and our customers are given the option to view, download or delete any personal data that Samsung has stored across any product or app that requires a Samsung account. Customers can find more information about our privacy policies at www.samsung.com/uk/info/privacy”
Hoover/Haier and Bose declined to comment.
Apple, Beko, Arlo, LG, Ezviz and Sony did not reply by Which?’s publication deadline.
Which? was unable to contact Eufy.
Press Release