We use cookies to allow us and selected partners to improve your experience and our advertising. By continuing to browse you consent to our use of cookies as per our policy which also explains how to change your preferences.

Which? investigation reveals ‘staggering’ level of smart home surveillance

Printers, toothbrushes and TVs are tracking how you live your life. Corporate surveillance goes beyond Facebook and into the products you use at home

Every time you print something, brush your teeth or sit down for your evening’s TV viewing, you may not be alone. We’ve found that smart, internet-connected devices you own are tracking and transmitting data on how you live your life.

You may shrug and say, ‘so what? I have nothing to hide’. But with consumer data worth billions, we’re more concerned about what others have to gain.

We set up 19 different smart gadgets and investigated what data they collected. And we found a staggering level of corporate surveillance of your home. Watch our video below or read on to find out more.

Strong passwords are vital to safeguard your privacy and security while using connected devices and online services. Read our expert guide to how to set secure passwords

Smart devices and data

Most connected products have apps, and they usually ask for permission to access things such as your camera and photos. Some requests make sense, such as being able to use the internet connection. But others are less clear.

In our snapshot test, we found a smartwatch that asks to be able to reboot your phone, and an upright vacuum cleaner that wants to record audio on your mobile device.

Location is another issue. Many apps ask for your exact location when they don’t actually need it for the product or service to work. Far too often, specific information is requested about you when the justification seems arguable at best.

Then there’s the galaxy of other companies busily working in the background of your smart gadgets. During our testing we saw more than 20 other operators involved behind the scenes, including marketing companies.

When we used a smart TV for just 15 minutes, it connected with a staggering 700 distinct addresses on the internet.

The internet of things investigated

Email addresses caught in huge data breach by spambot

HP Envy 5020 Printer Hewlett Packard’s Envy 5020 printer reveals information including the file name of what’s being printed and the PC username, so anyone snooping on a network can see it. To HP’s servers, it also sends the file size and type, how many pages are printed and the ink the person is using, although in this case it’s sent using encryption.

HP told us that the data is used ‘to enhance our customers’ experience, provide product support and improvements, and support business operations including delivering our Instant Ink services’. It has agreed to discuss our concerns over local encryption in greater detail.

Philips Sonicare Bluetooth electric toothbrush This smart toothbrush claims to help improve how you brush. So, it tells Philips your brushing habits, frequency and even technique. Philips told us that this is done purely to operate the app. Brushing data can be shared with your dentist, but only if you give explicit permission.

The app asks for your exact location and Philips admitted that it does this to ‘find a local Philips store nearby’. It has decided to discontinue this function. The app also, oddly, asks permission to record audio on your device, but Philips said this isn’t used for any purpose.

ieGeek 1080p IP Camera We’re also concerned over how companies secure your data. In a separate test together with other consumer organisations, we found a flaw in this wireless security camera’s app (provided by a company called Sricam), which meant that we could access more than 200,000 passwords and device IDs for other ieGeek cameras.

We could then see live video feeds of other users, and talk to those users via the camera’s microphone (which we didn’t do). ieGeek/Sricam fixed this flaw in late March 2018, but we’ve subsequently found and disclosed other critical vulnerabilities with the camera and app.

We contacted both ieGeek and Sricam about our findings. Despite a lengthy discussion between us, Sricam declined to discuss our report with its technical teams, and so we were unable to address this issue fully at the time of publication.

Read our full findings in the June issue of Which? magazine.

Our research in depth

In our snapshot test, we set up 19 different smart products, ranging from ‘everyday’ gadgets such as TVs and smartphones, to more unusual kit such as a smart suitcase. This might seem a lot, but the average UK home currently owns 10 connected devices, and that’s expected to reach an average of 15 by 2020.

Over the course of a month, security experts at Context Information Security (Context IS) used a range of legal techniques to investigate data being collected and shared by these smart gadgets and their companion apps. We also ploughed through reams of privacy policies and T&Cs to see what companies disclosed about data collection.

Due to legal restrictions, we’re limited as to how far we can investigate where data is actually going, or what’s being done with the information. Just like you, we’re reliant on companies being transparent over what they’re doing with your data now, or what they may do in the future.

Alex Neill, Which? managing director of home products and services, said: ‘Smart home gadgets and devices can bring huge benefits to our daily lives, but our investigation shows they can collect vast amounts of data about us.

‘Companies should be clear about how they are collecting and using data and ensure consumers feel in control about what they are sharing – without having to trawl through impenetrable terms and conditions.’

Which? has been carrying out a wide-ranging policy study and in-depth face-to-face research with people across the country to understand how they feel about data collection and use. This report will be published on 5 June 2018.

How to protect your data privacy

Check your settings Dig into menus in the app or web interface to see what privacy controls you have available. You can sometimes set what data is collected and shared, so it’s worth taking the time to investigate. The Android and iOS operating systems also now enable you to control more aspects of what data apps can access in the settings menus.

‘Dirty’ your data We use simulated data in our testing, and you can too. Set up a ‘spam’ email for creating accounts or signing up to services. This process, also known as ‘dirtying’ your data, means the impact is minimal if something does go wrong.

Do you need smart? Smart products can be incredibly useful. With devices such as TVs it’s actually hard to buy a non-smart model. However, before you splash out on that IoT (Internet of Things) toothbrush or robot vac, consider whether the extra functionality it brings is really worth the possible data trade-off.

For more advice read our guide to how to protect your smart home data.

Back to top
Back to top