One of the first items I bought when I moved into my new apartment was a smart light bulb.
Getting out of bed to turn off the light before you go to sleep? So 2010.
I purchased a WiFi-enabled, no-hub-required smart light bulb that was on sale at a local retailer without much thought.
To set up the smart light bulb, I downloaded the manufacturer’s app to my phone, entered my WiFi credentials, and voila! Convenience achieved.
But did I prioritize convenience over my privacy?
Even when I tried to learn more about this mysterious manufacturer safeguarding my WiFi credentials, I found nothing.
With alarm bells going off, I took a trip to Home Depot to purchase a smart light bulb from a well-known American lighting company. After I installed my new bulb, I deleted my account with the shady manufacturer.
I work at an IoT company, and even I, admittedly, do not always read the privacy policies for my IoT devices.
What’s Hidden in Privacy Policies
Whether you have consumer- or enterprise-grade IoT devices, companies’ privacy policies are often your only window into how they manage your data. However, most of us do not read the policies consistently. In 2018, the Consumer Policy Research Centre conducted a survey of over 1,000 Australian consumers, and found that only 6% had read the privacy policies of every service they signed up for.
To help you better understand how IoT companies are using your data, let’s explore the privacy policies of several consumer and enterprise IoT companies.
Should you trust Nest in your nest?
Earlier this year, Google, which owns the American home automation company, Nest, announced the Nest Guard would add support for Google Assistant.
However, what was supposed to be a routine product announcement became an anti-privacy firestorm.
The Nest Guard’s product page failed to mention that the device had a microphone. Until the announcement, only Nest and Google employees knew. Google labeled the gaffe an error and said it did not mean to mislead consumers.
Nest’s privacy policies explained
Nest says it will not share my personal information for marketing or personal purposes without my permission. The company may share my non-personal data, meaning data that is aggregated or anonymized. Researchers at the University of Texas at Austin and other institutions have published a lot of research on de-anonymization techniques. In my case, I doubted that temperature, humidity, and proximity data from my zip code would be enough to identify me.
Secrets in Your Nest Data Dump
I was curious about what my Nest data file looked like because I only think of my Nest Thermostat as a temperature monitoring and control system.
To request my Nest data, I followed a link at the bottom of the privacy landing page. My data files were uninteresting, except for the proximity sensor readings. Either I have a frequent, unannounced house guest while I am at work, or the proximity sensor data is inaccurate.
The word “share” is just a euphemism. For many consumer IoT products, the secrets in your data, sensitive or not, are available for many eyes to see.
Unveiling the Enterprise
It is common to see both explicit and vague descriptions of the types of personal data collected. I can appreciate that it is difficult for companies to anticipate all the types of data that they may collect during years-long relationships with customers. On the other hand, where privacy is concerned, the more information, the better.
Since companies will rarely tell you all the types of data they will collect, it’s most important to understand how your data will be used.
Temboo’s policy describes nine ways the company uses personal information. None of the nine use cases are selling or sharing personal information for profit, or even external research purposes.
Temboo is not alone. None of the enterprise IoT companies I researched sell personally identifiable data.
Handling Anonymous Data
After reading Temboo’s policy, I had one remaining question: what does Temboo do with data that is not “personal”? I had to re-read Temboo’s policy multiple times to find an answer. While the policy uses the phrase “personal information” repeatedly, this phrase covers what companies separate into personal and anonymized data. As an unsolicited recommendation to Temboo’s lawyer, I think our policy could add an explicit mention of anonymized data.
It is difficult to set expectations and manage the privacy of your data when you do not know how it may be used. The best you can do is remove your data from a service if you suspect it is being used in a way you do not approve.
Ready to Pull the Plug
Microsoft’s privacy landing page makes a number of promises regarding data handling while using its services. One of them: pull the plug.
Your Data, Your Rules?
Until recently, it felt like tech companies held all the power when it came to defining privacy guidelines. However, legislation (GDPR), increased public awareness (Cambridge Analytica), and other factors are shifting more power to consumers.
In the IoT space, discussions of privacy and security are frequent but often shallow. In truth, it seems like most companies want to reserve the right to use consumers’ non-personally identifiable data however they see fit.
- Can you list the ways you use my data?
- Will you mine my data for marketing or advertising purposes?
- Do you treat personally and non-personally identifiable information differently?
- What privacy settings are available once I start using your service?
- What happens to my data when I stop using your service?
If you have questions about your privacy while using Temboo’s products and services, email us at firstname.lastname@example.org.