One of the first items I bought when I moved my new apartment was a smart light bulb.

Getting out of bed to turn off the light before you go to sleep? So 2010.

I purchased a WiFi-enabled, no-hub required, smart light bulb that was on sale at a local retailer without much thought.

To setup the smart light bulb, I downloaded the manufacturer’s app to my phone, entered my WiFi credentials, and voila! Convenience achieved.

But did I prioritize convenience over my privacy?

I wasn’t sure so I went to the manufacturer’s website to read their policy. To my surprise, I could not find a link to the manufacturer’s privacy policy on the website- a big red flag.

Even when I tried to learn more about this mysterious manufacturer safeguarding my WiFi credentials, I found nothing.

Phillips Smart Wi-Fi Wiz Connected Wireless Light Bulb
Philips Smart Wi-Fi Wiz Connected Wireless Light Bulb. Photo courtesy of Home Depot.

With alarm bells going off, I took a trip to Home Depot to purchase a smart light bulb from a well known American lighting company. After I installed my new bulb, I deleted my account with the shady manufacturer.

I work at an IoT company, and even I, admittedly, do not always read the privacy policies for my IoT devices.

What’s Hidden in Privacy Policies

Whether you have consumer or enterprise grade IoT devices, companies’ privacy policies are often your only window into how they manage your data. However, most of us do not read the policies consistently. In 2018, the Consumer Policy Recent Centre conducted a survey of over 1,000 Australian consumers, and found that only 6% had read the privacy policies of every service they signed up for.

As my smart light bulb example highlights, it’s not always easy to find the policy and understand what it means. The policies can also be very long. A 2012 study conducted by researchers at Carnegie Mellon University found that the average privacy policy was 2,500 words and required 10 minutes to read.

To help you better understand how IoT companies are using your data, let’s explore the privacy policies of several consumer and enterprise IoT companies.

Should you trust Nest in your nest?

Earlier this year, Google, which owns the American home automation company, Nest, announced the Nest Guard would add support for Google Assistant.

However, what was supposed to be a routine product announcement became an anti-privacy firestorm.

Nest Guard
Nest Guard. Photo courtesy of Nest.

The Nest Guard’s product page failed to mention that the device had a microphone. Until the announcement, only Nest and Google employees knew. Google labeled the gaffe an error and said it did not mean to mislead consumers.

The Nest Guard debacle demonstrates that privacy concerns with IoT devices start at the hardware level. Unless you open up the device and identify its components, you cannot be exactly sure what’s inside. It is an undue burden to ask consumers to examine the inner workings of every IoT device. However, it is more reasonable to review the device’s privacy policy before purchasing.

Nest’s privacy policies explained

Nest has a landing page dedicated to privacy, which outlines its privacy principles. I rate Nest’s page as exceptional because it makes it easier to find the privacy policy and download your data.

Nest has separate privacy policies governing website data versus product and services data. Most companies combine the website and product policies into one. I own a Nest Thermostat E so the privacy policy for product and services is most relevant. (Nest privacy policy for products and services: 5250 words, 21 minutes to read).

For most Nest products, such as the Nest Learning Thermostat and Nest Cam, the privacy policy explicitly answers what data is collected and for what purpose. Strangely, there was no mention of my product, the Nest Thermostat E.

Nest says it will not share my personal information for marketing or personal purposes without my permission. The company may share my non-personal data, data that is aggregated or anonymized. There is lots of research on de-anonymization techniques from researchers from the University of Texas at Austin and other institutions. In my case, I doubted that temperature, humidity, and proximity data from my zip code would be enough to identify me.

Overall, I felt that the privacy policy was easy to read and would be clear to most Nest users. If you, like me, are using a Nest product that is not mentioned in the privacy policy, you may have to email Nest for more information. Once Nest responds to my inquiry, I will update this post.

Secrets in Your Nest Data Dump

Nest data download email

I was curious about what my Nest data file looked like because I only think of my Nest Thermostat as a temperature monitoring and control system.

To request my Nest data, I followed a link at the bottom of the privacy landing page. My data files were uninteresting, except for the proximity sensor readings. Either I have a frequent, unannounced house guest while I am at work, or the proximity sensor data is inaccurate.

Since the data that was being collected from my thermostat was innocuous, I felt indifferent about it being shared with third parties. One interesting difference between Nest and other consumer products, like Findster, is the terminology the companies use to talk about sending data to third parties. Nest uses the term “share” while Findster, a tracking device for pets, explicitly uses the term “sell.” (Findster privacy policy: 3510 words, 16 minutes to read)

The word share is just a euphasmism. For many consumer IoT products, the secrets in your data, sensitive or not, are available for many eyes to see.

Unveiling the Enterprise

To kick off my research into enterprise IoT privacy practices, I started with my own company, Temboo. (Temboo privacy policy: 1772 words, 7 minutes to read).

At Temboo, we choose to make the privacy policy accessible on every webpage by including a link in the footer. First, the policy outlines what personally identifiable information we collect.

This information may include your name, company, email address, phone number, mailing address, IP address, credit card information, and other details regarding yourself and your use of Temboo.

Temboo’s Privacy Policy

It is common to both explicit and vague descriptions of the types of personal data collected. I can appreciate that it is difficult for companies to anticipate all the types of data that they may collect during years-long relationships with customers. On the other hand, where privacy is concerned, the more information, the better.

Kosmos temperature data graph

Since companies will rarely tell you all the types of data they will collect, its most important to understand how your data will be used.

Temboo’s policy describes nine ways the company uses personal information. None of the nine use cases are selling or sharing personal information for profit, or even external research purposes.

Temboo is not alone. None of the enterprise IoT companies I researched sell personally identifiable data.

Handling Anonymous Data

After reading Temboo’s policy, I had one remaining question: what does Temboo do with data that is not “personal?” I had to re-read Temboo’s policy multiple times to find an answer. While the policy uses the phrase “personal information” repeatedly, this phrase covers what companies separate into personal and anonymized data. As an unsolicited recommendation to Temboo’s lawyer, I think our policy could add an explicit mention to anonymized data.

Other enterprise IoT companies, like Particle distinguish between the treatment of personal and anonymous data. Particle develops IoT hardware and software, and has reportedly 60,000 devices online daily. (Particle privacy policy: 1367 words, 6 minutes to read).

Particle may collect and create anonymous data by excluding personally identifiable information. Particle reserves the right to use Anonymous Data for any purpose and disclose Anonymous Data to third parties at its sole discretion.

Particle’s Privacy Policy

In its privacy policy, Particle states it mainly uses customer data to improve its own products and services. Since the policy leaves open a backdoor for other purposes, I looked for clues as what those purposes may be. I did not find anything during my search.

It is difficult to set expectations and manage the privacy of your data when you do not know how it may be used. The best you can do is remove your data from a service if you suspect it is being used in a way you do not approve.

Ready to Pull the Plug

Microsoft’s privacy landing page makes a number of promises regarding data handling while using its services. One of them: pull the plug.

Microsoft privacy page

Under the headline, “You own your data,” Microsoft confirms that it removes your data at the end of a service agreement. It is critical to understand how your data will be used both during and after a service agreement ends. If you do not see an explicit mention of post-service data management in a privacy policy, email the company for more information. (Microsoft privacy policy: 2856 words, 12 minutes to read).

Your Data, Your Rules?

Until recently, it felt like tech companies held all the power when it came to defining privacy guidelines. However, legislation (GDPR), increased public awareness (Cambridge Analytica), and other factors are shifting more power to consumers.

In the IoT space, discussions of privacy and security are frequent but often shallow. In truth, it seems like most companies want to reserve the right to use consumers’ non-personally identifiable data however they see fit.

What can you do to protect your privacy while using consumer and enterprise IoT devices? Read the privacy policy, and ask questions to clarify any confusion.

  • Can you list the ways you use my data?
  • Will you mine my data for marketing or advertising purposes?
  • Do you treat personally and non-personally identifiable information differently?
  • What privacy settings are available once I start using your service?
  • What happens to my data when I stop using your service?

If you have questions about your privacy while using Temboo’s products and services, email us at hey@temboo.com.

Subscribe to Temboo’s newsletter

* indicates required
Posted by:Sarah McMillian, Product Outreach

Sarah is on the Product Outreach team at Temboo. Using her background in mechanical engineering, she helps manufacturers and other types of businesses do more with IoT. Sarah keeps podcasts on tech + society in heavy rotation, and has worked in four continents.