Customers who buy an IoT-enabled product should know that the device will always transmit some data over the internet. It is how they work, and it is what makes them so easy to set, adjust, and control.
But there are limits to what data the devices should and should not transmit. Some information, that may be normal for an Original Equipment Manufacturer to gather and transfer. But it may not be acceptable for the end-user.
As the study has shown, most devices gathered an excessive amount of data: IP addresses, devices’ specs, usage habits, and location. The devices were not only sending collected data to OEM. They were also sharing it with third party-companies, even those who had nothing to do with the customer.
For instance, most of the TVs have sent info about the TV model and location to Netflix. But the researches haven’t installed Netflix on any of the TVs.
Among those third-parties, we can see many advertising companies. They are using the provided data to better target ads to the clients.
Back in 2017, the CIA has developed the malware which kept smart TVs on to record customers’ conversations. The “Weeping Ange” project, or so-called “Fake-Off mode” could have put people’s personal lives to danger, exposing their sensitive information.
OEMs of the IoT enabled devices are trying to resolve the issue by providing the customers with privacy policies. Before starting to use the product, the client can read the document describing what data the product collects. Also, the document contains info about what purpose the collected data serves. To use the product, the customer has to accept the policy.
But still — privacy policies are not an effective solution to the problem. But most of the time such documents are hefty and full of legalese. They are hard to read and comprehend, and most of the users just skip those.
The data encryption solves the problem in a certain way. It makes it harder to steal the data. And at the same time encryption makes it harder for researchers to learn, what it actually is that the company gathers. This way, they have little to no ways to see if the OEM is the only one who receives the transferred data.
The real solution to the problem would be strict regulation. The law must limit the number of companies that extract the data from IoT enabled devices. It makes sense for an OEM to gather your information, but we don’t need advertisers getting too close.
It is obvious that people will keep on surrounding themselves with connected devices. Doing so, it is important to do thorough research on not only the product you are looking to buy. And try to be cautious when purchasing IoT products with built-in cameras and microphones.
Apart from that, look into the OEM which you are buying from. A decent IoT developer makes privacy a default. The company makes sure that the data does not get in the hands of third party companies from day one — not after the wrist slaps from the media. Therefore the set of data serves one and only purpose of powering the IoT infrastructure.