I recently became aware of this article where a Google exec says - he’s serious - that ‘Nest owners should probably warn their guests that their conversations are being recorded’. That’s assuming the owners themselves are even aware of what these devices are doing, and the likely truth is that they do not. Like needy little aliens all these devices phoning home are breaching the privacy of their owners, the guests of those owners and anybody else that comes within WiFi or sensor range.
So, in order to improve the situation around Electronic Toys (ET’s for short), that feel the need to contact the mothership I would like to propose that we create a standard like the one we have for the labeling of ingredients for food. But this time with internet access and privacy in mind. The issues - as far as I’ve been able to tabulate them - are:
- device activation requires an internet connection
The device will not work until you give it internet access after which it will conduct some transaction with the mothership the precise nature of which you will never be able to determine with certainty.
- device activation requires online registration
After purchase, and giving the device access to the internet you will need to go online, fill out some form with unspecified data in order to be able to use the device.
- device requires membership to service
After purchase, and giving the device access to the internet and subsequent registration you will be enrolled in some membership. This membership, even if free, can be terminated by the company in which case you will no longer have the use of the device you paid for, or access to any content stored on the device.
- device will stop working if the company goes out of business (or is acquired)
The device requires a working set of ‘backend’ servers that it can connect to in order to function. If the company should go out of business or decide to decommission this backend then your device will no longer function.
- device requires a mobile device application to function
Even though the device has nothing to do with mobile computing you still require a mobile computing device to interact with it and to operate normal functionality. Without this you will not be able to use your device. Optionally, this interaction may run through a server outside of your control and outside of your jurisdiction.
- device sends statistical information (aggregate) to the company
The device collects usage data and other data the company may be interested in, but does not collect specific information. An example would be a music player that reports the genres played or the number of hours the device is used, but not the exact songs played.
- device sends detailed information to the company
In contrast with the example above, the device sends the exact songs played to the company.
- device sends sensor information to the company
Sensor readings such as light intensity, occupancy, temperature, power consumption and so on are sent to the company for collection.
- device sends location information to the company
The device contains a GPS radio and uploads your location information, either in real time or delayed, to the company that made the product.
- device contains a microphone or camera
The device contains a microphone or a camera that can not be physically disabled by a switch or cover. (Note that a light sensor is effectively a one pixel camera.)
- device sends audio to the company
The device contains a microphone and the output of that microphone is digitized and uploaded to the company servers.
- device sends video to the company
The device contains a camera and will upload the recorded video to the company servers.
- device does not use encryption for its communications with the mothership
The device transacts its business with the backend in plain text. A further requirement here could be that, if the device does use encryption, it clearly lists which encryption standards it supports.
- device does use encryption for its communications with the mothership
This is an improvement over the previous category but would make it harder for the end user to inspect the traffic. Decryption keys should be provided to the end user so they can verify that the traffic sent is indeed just that which is disclosed and no more.
- device can be remotely upgraded to change its functionality and/or upload model
This is to warn against devices that ostensibly support remote updates to guard against security risks, but occasionally use this benign path for dark-pattern purposes such as adding telemetry or remote recording, even though the device did not have this functionality when it was originally acquired.
- device can not be transferred to new owners
This is important because it effectively reduces the resale value of the device to zero.
- device requires a computer with a particular operating system to function
- device requires software installation from a particular app store where the user needs an account
- device uses documented and/or open data formats to store its data
This would be a good thing, if the user wishes to inspect the data or expand the device functionality then they have a better chance of achieving this.
- device software / firmware can be replaced with independently developed software
This may require an NDA or some other agreement with the company, but if the option exists it would definitely be a plus. Another option would be that the device software can be replaced independently of the company, for instance through an agreement with a third party such as the manufacturer of the microcontroller powering the device, or some other mechanism.
- hardware is fully documented
The device comes with full schematics.
- software is fully documented
The software installed on the device is available for download and can be rebuilt and uploaded to the device independently of the company. Bonus points if the software is licensed under a permissive open source license.
These should be listed in a standardized format on the outer packaging of the device, in a size large enough that a consumer will notice and read the warning label. The color of this label should be red on a white background. The header of the label should be: “Caution: Online status: Unsafe! This device violates your privacy in the following ways:”. Not noticing the label until after purchase should always be grounds for a free refund, as should the appearance of any forced online interaction or the downloading of apps post purchase. In contrast, those devices that do none of the above are allowed to carry a green label on a white background that reads ‘Online status: Safe’.
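As an added illustration (not part of the original post), here is one way the proposed label could be encoded in machine-readable form and turned into the packaging text, with a consistency check that a declaration of uploaded audio or video must come with a declared microphone or camera. The item names and the sample smart-speaker declaration are my own assumptions; the "uses encryption" item is treated as simply the absence of the "no encryption" flag.

```python
# Machine-readable form of the proposed label: keys are the disclosure items,
# values are the wording that would be printed on the packaging.
UNSAFE = {
    "activation_needs_internet": "activation requires an internet connection",
    "activation_needs_registration": "activation requires online registration",
    "needs_membership": "requires membership to service",
    "dies_with_backend": "will stop working if the company goes out of business",
    "needs_mobile_app": "requires a mobile device application to function",
    "sends_aggregate_stats": "sends statistical (aggregate) information to the company",
    "sends_detailed_info": "sends detailed information to the company",
    "sends_sensor_data": "sends sensor information to the company",
    "sends_location": "sends location information to the company",
    "has_mic_or_camera": "contains a microphone or camera without a physical kill switch",
    "sends_audio": "sends audio to the company",
    "sends_video": "sends video to the company",
    "unencrypted_traffic": "does not use encryption for its communications",
    "remote_upgrade": "can be remotely upgraded to change functionality and/or upload model",
    "not_transferable": "can not be transferred to new owners",
    "needs_specific_os": "requires a computer with a particular operating system",
    "needs_app_store_account": "requires an app store account to install its software",
}
# Items that count in the device's favour; they never make a device Unsafe.
POSITIVE = {
    "open_data_formats": "uses documented and/or open data formats",
    "replaceable_firmware": "firmware can be replaced with independently developed software",
    "hardware_documented": "hardware is fully documented",
    "software_documented": "software is fully documented",
}
# Declarations that only make sense together: uploading audio/video implies a sensor.
IMPLIES = {"sends_audio": "has_mic_or_camera", "sends_video": "has_mic_or_camera"}
UNSAFE_HEADER = "Caution: Online status: Unsafe! This device violates your privacy in the following ways:"
SAFE_HEADER = "Online status: Safe"

def make_label(declared):
    """Turn a manufacturer's declaration (item -> bool) into the label text."""
    unknown = set(declared) - set(UNSAFE) - set(POSITIVE)
    if unknown:  # every printed item must be one of the standardized ones
        raise ValueError(f"unknown label items: {sorted(unknown)}")
    for item, needs in IMPLIES.items():
        if declared.get(item) and not declared.get(needs):
            raise ValueError(f"{item!r} declared without {needs!r}")
    violations = [UNSAFE[k] for k in UNSAFE if declared.get(k)]
    pluses = [POSITIVE[k] for k in POSITIVE if declared.get(k)]
    return {"status": "Unsafe" if violations else "Safe",
            "header": UNSAFE_HEADER if violations else SAFE_HEADER,
            "violations": violations, "pluses": pluses}

# Constructed sample declaration for a hypothetical smart speaker (not a real product).
SPEAKER = {"activation_needs_internet": True, "needs_mobile_app": True,
           "has_mic_or_camera": True, "sends_audio": True, "open_data_formats": True}
```

The returned dictionary is what a packaging template or a retailer's product page would render; anything not on the standardized list is rejected rather than silently printed.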
It is obvious that there may be legitimate business reasons why ETs would require some kind of online backend. But for many of these devices such a backend should be entirely optional: if a device can function without a backend, it should be allowed to. Similar warning systems should be made a requirement for vehicles and other consumer goods that send data to the company that made the product. But if the executives of the manufacturers feel that you might require consent (good point: in many places recording conversations without consent is illegal!) then maybe they should do more to ensure that you know your position and can opt out of such conflicts by not purchasing the product in the first place.
Yet another thing that maybe should be a requirement is that each such device should be accompanied by a set of stickers that can be pasted to all entry points to warn visitors that they are entering a zone where their privacy will not be respected.
Many thanks to HN users joveian and itronitron for improvements to the text and more ideas to include.
Follow me on twitter: http://twitter.com/jmattheij