Smart Home Devices: assets or liabilities? – Part 2: Privacy

TL;DR – Part two of this trilogy of blog posts will tackle the next big topic when it comes to smart home devices: privacy. Are these devices doubling as the ultimate data collection tool, and are we unwittingly providing the manufacturers with all of our private data? Find out in this blog post!

This blog post is part of a series – you can read part 1 here, and keep an eye out for the next part too!

Security: ✓ – Privacy: ?

In my previous blog post, I gave some insights into the security level provided by a few Smart Home environments that are currently sold on the European market. In conclusion, I found that the security of these devices is often a hit or miss and the lack of transparency around security means it can be quite difficult for the consumer to choose the good devices as opposed to some of the bad apples. There is one major topic missing from it though: even if a device is secure, how well does it protect the user’s privacy?

Privacy concerns

It turns out that this question is not unjustified: just like the security concerns surrounding smart home devices, privacy concerns are at least equally present, or maybe even more so. The fear that our own house is spying on us, is something that should be prevented by transparency and strong data subject rights.

These data subject access rights might have already been there on paper for a long time, but it’s never been easy to enforce them in practice. I strongly recommend looking at this paper by Jef Ausloos and Pierre Dewitte that shows just how difficult it used to be to get a data controller to comply with existing regulation.

Does this mean that there is no hope? Well, not exactly. Since then, the GDPR has come into effect. Even though it might still be too early to get concrete results, there have been some developments moving into the right direction. Just a few months ago, in July 2020, the EU-US privacy shield was deemed invalid after a ruling by the Court of Justice of the EU in a case brought up by Max Schrems’ NGO ‘noyb’ (‘none of your business’). This decision means that data transfers from the EU to the US are subject to the same requirements as transfers to any other country outside of the EU.

Existing regulation in Europe

So, which laws are there that protect our privacy anyways? To start with the basics, the European Convention of Human Rights and the Charter of Fundamental Rights of the European Union lay the groundwork for every individual’s right to privacy in their Article 8 and Article 7 respectively. These articles state that: “Everyone has the right to respect for his private and family life, his home and his correspondence.”.

On top of these, there used to be Directive 95/46/EC, which outlined the requirements each EU member state had to implement into their national privacy regulation. However, each member state could implement these requirements at their own discretion, which led to a lot of diverging laws between EU member states. The directive was eventually revoked for GDPR to take its place.

The General Data Protection Regulation (GDPR) is the current regulation that harmonises the privacy regulation for all EU member states. Its well-known new provisions enable data subjects to more effectively enforce their rights and protects the privacy of all people within the EU; or at least it does so on paper.

From paper to practice

Aside from testing the security of each device, I decided to also include some privacy tests in the scope of my assessments. For more information on the choice of devices, make sure to check out my previous blog post!

For each device, I added privacy-related tests in two major fields:

  • privacy policies: I verified if, for each device, the privacy policy contained all the relevant information it should have according to GDPR;
  • data subject access rights: I contacted each vendor’s privacy department with a generic data subject access request, asking them to give me a copy of the personal data they held about me.

Privacy policies: all or nothing

The first step in checking the completeness of a privacy policy, is finding out where it is stored – if it even exists. In many cases, finding a privacy policy was easy, but finding the right one was a different story. Many vendors had multiple versions of the policy, sometimes different editions for the USA and the EU, and other times they simply excluded everything from their scope except the website – not very useful for this research.

The privacy policies showed the exact same phenomenon as I already saw in the security part of the research: if they were compliant on one part, usually they put in a good attempt to be compliant across the board. The opposite was also true: if a policy was incomplete, it often didn’t contain any of the required info as per the GDPR. The specific elements that need to be included in a privacy policy under GDPR are outlined in Article 13. The table below shows which of the policies adhered to which provisions in this article.

The results of checking each privacy policy
(Image credit: see “Reference” below)

Access requests: hide & seek

In the exact same way that it can be difficult to locate a privacy policy, it can sometimes be a real hassle to find the correct contact details to submit a data access request. Most vendors with a compliant privacy policy had either an email address of the DPO, or a link to an online form listed as a means of contact. In case I could not locate the correct contact details, I would attempt to reach them a single time by mailing to their general information address or contacting their customer support. I would also send out a single reminder to each vendor if they had not replied after one month.

What it feels like trying to reach the DPO of many manufacturers
(Image credit: imgflip.com)

Surprisingly, many vendors straight up ignored the request: one third (!) of requests went unanswered. Those that did reply, usually responded quite quickly after receiving the initial request. With a few exceptions that requested deadline extensions or simply claimed to “have never received the initial email” after being sent a reminder.

One third of the sent requests went unanswered
(Image credit: see “Reference” below)

Most importantly, the number of satisfactory replies after running this experiment for over 5 months was disappointingly low. Often, either the answers to the questions in the request or the returned data itself were strongly lacking. In some cases, no satisfying answer was given at all. In one or two notable instances, however, the follow up of the privacy department was excellent and an active effort was made to comply with the request as well as possible.

The aftermath

From these results, it’s clear that there are some changes to be seen in the privacy landscape. Here and there, companies are putting in an effort to be GDPR compliant, with varying effectiveness. However, just like with security, there is a major gap in maturity between the different vendors: the divide between those that attempt to be compliant and those that are non-compliant is massive. Most notably, the companies that ignored access requests or had outdated privacy policies were those that might deem themselves too small to be “noticed” by authorities or are simply located too far from the EU to care about it. This suggests there is a need for more active enforcement, also on companies incorporated outside of the EU, and more transparency surrounding fines and penalties imposed on those that are non-compliant.

Even though privacy compliance is going in the right direction, there is still a lot of progress to be made in order to get an acceptable baseline of compliance across the industry. Active enforcement and increased transparency surrounding fines and penalties is needed to motivate organisations to invest in their privacy and data protection maturity.

Stay tuned for Part 3 of this series, in which I’ll be discussing some options for dealing with the issues I found during this research.


This research was conducted as part of the author’s thesis dissertation submitted to gain his Master of Science: Computer Science Engineering at KU Leuven and device purchases were funded by NVISO labs. The full paper is available on KU Leuven libraries.

Reference

[1] Bellemans Jonah. June 2020. The state of the market: A comparative study of IoT device security implementations. KU Leuven, Faculteit Ingenieurswetenschappen.

About the Author

Jonah is a consultant in the Cyber Strategy & Culture team at NVISO. He taps into the knowledge of his technical background to help organisations build out their Cyber Security Strategy. He has a strong interest in ICT law and privacy regulation, as well as the ethical aspects of IT. In his personal life, he enjoys video & board games, is a licensed ham radio operator, likes fidgeting around with small DIY projects, and secretly dreams about one day getting his private pilot’s license (PPL).

Find out more about Jonah on his personal website or on Linkedin.

One thought on “Smart Home Devices: assets or liabilities? – Part 2: Privacy

Leave a Reply to izonedigital Cancel reply