Are retailers selling our privacy and security to China?

The smart home market is increasingly big business with many retailers looking for a slice of the action, but in their rush to jump on the market, has privacy and security fallen by the way side and are retailers lining themselves/ their customers up for issues down the line? It certainly looks this way and  there will be implications down the line perhaps the next Cambridge Analytica or even issues of National Security.

Searching for a cost effective smart bulb

In recent months I’ve been doing some upgrades to my home network and smarthome, in particular lighting and cameras. For the first project I needed around 10 downlights and with many on the market starting at £25 and some going over £50 per bulb this was quickly going to be a very expensive project!

Having shopped around I started to bump in to some very reasonably priced WiFi enabled GU10 downlight bulbs. There was limited information available online but having used WiFi smart home devices before I felt there was a good chance these would if the bill.

The first and not uncommon issue I encountered with these products is that they required you to register online, but worse still having registered online I also found that it was not possible to connect to a device unless it was registered via the internet. 

On closer investigation it appears the device is not activated locally once the app is setup, but via an internet service and reportedly the device is using some crude cryptography / encryption. I assume this is because it can’t handle the usual internet standards due to limited capabilities on the device.

Digging deeper and wanting to integrate my lights in to my smarthome, it quickly became apparent that these devices will not work locally outside their own eco-system. It appears that the supplier has frustrated the issue by disabling the ability to locally communicate or re-flash (re-programme) the devices, such as using Tasmota, an open source firmware for some IoT devices. Some have also said that more recent devices have been moving towards proprietary chipsets which further locks devices in.  There are also reports that the devices need to dial home ever so often otherwise they become fussy or disconnect altogether. 

If you pay attention to this sort of thing it immediately rings alarm bells for a number of reasons:

• People are forced to surrender privacy and security to a 3rd party to use a product when there is no good technical reason to do this.
• The longevity of any purchase has no guarantee as the company could change or discontinue the service at any time rendering devices useless.
• If the internet has issues, devices would no long be able to work with the rest your smart home.
• You are basically at the mercy of a 3rd party and it isn’t always clear who.

Unwitting Customers

The problem is most people don’t pay attention to these issues until it is too late and retailers seem to be doing little to help. Ask yourself, when was the last time you properly read a privacy policy in detail, or looked at what devices were doing on your home network and internet?

People will likely be entering in to these purchases unwittingly, only to find out the issues perhaps having purchased, or more likely, in the future when they have an issue or the next big privacy and security scandal breaks. 

This is true of many companies. Take LG, my preferred brand of televisions, once you purchase you find out you have to accept a lot of policies otherwise much of the device is rendered useless. Hive from British Gas force you to go via the internet, Philips try to lock their products in, the market is rife with this stuff.

It’s clear there is a problem across the industry, but no one cared about Cambridge Analytica, until they did.

How extensive is the issue?

For this particular bulb, very! 

For these bulbs alone there must be many thousands of customers across the UK and further afield who have bought in to its low price products and signed up to their services and done so unwittingly. Many will probably never notice anything, until that is, there is a problem. 

One of the companies behind this influx of cheap smarthome devices is  called Tuya which looks to be a Chinese brand. It has a platform and range of products which can be rebranded, as well as providing developer tools which enable a company to create an apparent new brand and line of products that all lead back to Tuya and their platform.

My initial search suggested that the UK market is awash with such re-branded products including the likes of :

• TCP Smart
• 4Lite Wiz
• LEDLite
• Calex
• V-Tac
• Status
• Calex

to name a few. 

These brands / companies are sold by many retails and will be highly attractive due to their price and the quality of the lights themselves isn’t bad at all. Again, some fairly basic searching reveal more than 10 well known and often trusted names appear to sell such products. 

• Argos
• Screwfix
• TLC Electrical
• ToolStation
• John Lewis
• B&Q
• Tesco
• Asda
• Wickes
• Dunelm
• Homebase 
• CPC
• Currys PC World

When some of these names sell you a product you come to expect a certain level of quality and would perhaps expect they had done some background checks. I would certainly hope that people were being educated to make more informed choices about the nature of products and services they are buying, but this is something of an industry wide issue.

Privacy polices

While I have not research any of these in depth given the number of them, I did poke around some of their apps and privacy policies to see what the situation was. In most cases it wasn’t great.

Firstly, people don’t read these things, but if they did, they aren’t exactly accurate or informative about what is going on and I very much doubt some would stand up to scrutiny under data protection laws in the UK or wider EU given that  key required aspects were missing.

It is far from clear what is going on with your data, who it is being held and processed by, with generalized statements such as:

“As a result data may be transferred outside the EU. By using our products and services you acknowledge and agree to personal information being transferred in this way”

I did reach out to a number of companies to discuss the matter. My first contact was TLC Electrical where I purchased some initial products. They clearly had no idea and simply forwarded what was quite a snotty response from the manufacturer the essence of which was “don’t worry about it we’re a big company and what do you expect for the price”. I challenged TLC on this and got nothing useful back.

I then started reaching out to some of the other retailers. Where they did come back with a semi-meaningful response, it was clear that none had any general knowledge in this area, let alone direct access to product knowledge or training. If they came back with anything typically they had to go though various channels, I suspect they went back to the manufacturer / brand name owner. 

As I mentioned earlier, it is not exclusive to these brands either. Products from the likes of Philips and Hive while perfectly capable of working locally and indeed supporting ZigBee an open smart home standard,  but often they still try to capture people in their walled garden and force users to go via the internet, even when there is no real need. Much of this need to know information is not available upfront.

Their privacy policies also make for interesting reading and will be a subject of a future blog.

However, your individual privacy is not the only issue, and while you might choose to accept this from UK and other “trusted” countries / brands, not all are equal. 

China for example is well known for issues with quality, security, privacy, etc. Anyone who has poked around Chinese electronics will know that it’s a smorgasbord from the excellent right up to the damn right lethal.  When it comes to links between the Chinese government, technology companies these concerns are nothing new. 

While bathing yourself in a lovely pink hue is probably your top priority and China knowing this might seem trivial, homes across the UK and further afield being swamped with these increasingly sophisticated, reprogrammable, always connected, smarthome devices and regardless of origin this is something that warrants further debate, public education and should be of concern to regulators. 

What needs to change?

It seems pretty clear to me that retailers keen to get in on the smarthome market have not done sufficient diligence on the products or are taking a blasé attitude to their consumers. The blank looks on peoples faces when I tried to return many of my test purchases on the grounds of privacy and security said a lot.

The market is in need regulation, nothing so draconian that it stifles innovation, but to ensure that there is a basic level of respect for privacy and security but above all, absolute transparency so that people make informed purchases.

• There is no good reason Smart home devices cannot work locally and default to this in the first instance so products are usable without any privacy implications.
• Internet connection should be optional and this should only be necessary for remote access. 
• Services/features should be clearly listed, in particular, those that work locally and those that require internet access and/or data sharing
• Privacy policies should be clear about who is behind the product or service and explicit about what data is held and processed, where and by who.
• A duty of care placed upon retailers to ensure they are selling products that meet basic minimum guidelines that the the above information is made clearly available prior to purchase.
• Access to markets from vendors foreign and domestic subject to standards with public awareness campaigns. 

I would also advocate for greater transparency around devices encouraging them to use common and open standards which allow local connections. Regulating around this can be tricky as it runs the risk of stifling the market, but greater transparency and market awareness would help.

What can you do in the mean time?

Whether you want the latest gadgets and gizmos or a novel virus, everything comes from China these days, but it is not all bad. While the likes of Philips Hue are ridiculously expensive there are cheaper alternatives and high quality products from all over the world including China.

Invest a bit of time checking who is behind the product. There are many imports and as demonstrated rebrands of them so its worth doing your homework. There are also plenty of products that have bucked the trend and do approach the interoperability, privacy and security of devices with some common sense.

Remember, privacy and security is often overlooked in general, never mind the technology and cyber security behind it. Many who review such products do not have deep understanding of these issues or are not concerned about them so you are unlikely to get a fair or sensible view.

I myself am a long way from being an expert but do try to explore these issues to the best of my ability. Here are few points which I consider:

• If you are going with a WiFi device ensure it can be setup and used without the internet, this will ensure even if the company disappears you can continue to use your device and you wont have to compromise your privacy and security unless you choose to do so.
• Using ZigBee and z-wave devices ensures they work locally and can intercommunicate but they will require a hub such as SmartThings, Hubitat, etc and can sometimes require more setup.
• Check their privacy policy and any ambiguity or lack of clarity is worth enquiring about. The more enquiries and concerns people make the more likely industry will respond.
• RF (Radio Frequency) products also exist and can be used without any connectivity using a simple remote. While not 100% secure, they do only operate locally and are often really easy to setup. Some can also be “bridged” to your smarthome using a mini hub, but then all the previous points about privacy and security come back in to play.

Conclusion

As the relentless smarthome tech market marches on, there are lots of privacy and security issues to consider. It’s clear a great deal of consumer education is required and we need advances in accessible security / technology for the average home user as today proper security is out of reach of the general population. 

The smarthome market needs closer inspection by regulators under current legislation, but legislators also have some catching up to do when it comes to protecting consumers.