UK homes vulnerable to ‘staggering’ level of corporate surveillance

by Sabremesh

A timely reminder that 1984 didn’t get it quite right. The agencies of state snoop, and can find out everything about those they target, but the surveillance panopticon is largely corporate, and this is probably what most of us should be most concerned about. Of course, the government closes the loop by accessing the data scraped by the corporations.

via theguardian:

British homes are vulnerable to “a staggering level of corporate surveillance” through common internet-enabled devices, an investigation has found.

Researchers found that a range of connected appliances – increasingly popular features of the so-called smart home – send data to their manufacturers and third-party companies, in some cases failing to keep the information secure. One Samsung smart TV connected to more than 700 distinct internet addresses in 15 minutes.

The investigation, by Which? magazine, found televisions selling viewing data to advertisers, toothbrushes with access to smartphone microphones, and security cameras that could be hacked to let others watch and listen to people in their homes.

The findings have alarmed privacy campaigners, who warn that consumers are unknowingly building a “terrifying” world of corporate surveillance.

“Smart devices are increasingly being exposed as soft surveillance devices that owners have too little control of,” said Silkie Carlo, the director of Big Brother Watch. “People are now being subjected to invasive and unnecessary corporate snooping on an unprecedented scale.

“The very notion of a smart home is one of ambient surveillance and constant recording, which will without doubt lead people to modify their behaviour over time. If this current direction is continued, we will become a society of watched consumers subjected to the most granular, pervasive and inescapable surveillance. It is a terrifying thought.”

Which? bought more than £3,000 worth of smart home equipment and set it up in a lab to monitor how much data was being collected and transferred. As well as the manufacturers, more than 20 other companies were on the receiving end of data transfers including social networks, third-party monitoring services, advertising and marketing data brokers.

Just one device – a Samsung smart TV – connected to more than 700 distinct internet addresses after being used for 15 minutes. If the viewer accepts Samsung’s privacy policy, the company gains the right to monitor what is being watched and when. It uploads some of that data to Samsung’s advertising platform, Which? says, “suggesting it is used for marketing”. Another Samsung device, the company’s SmartThings hub, sits at the heart of the smart home and has a privacy policy that allows aggregated information to be shared with “advertisers and/or merchant partners”.

Other devices didn’t transmit much data but unnecessarily asked for it anyway, creating the possibility of breaches down the line. A Philips Bluetooth toothbrush, for instance, links up with a smartphone app to monitor brushing habits, frequency and technique. But the app also asks for location information, which Philips said was used only to find a local company store, and microphone access – Philips said this wasn’t used at all.

Some devices collected only the data they should, but then failed to keep it secure. Which? tested a security camera, sold under the IeGeek brand, and found a security flaw in the app that meant the company could access usernames and passwords for other cameras. If they had misused that access, they could have seen live video feeds from other people’s homes, and even talked to those users. That flaw was fixed by IeGeek, but Which? has since found others that are still live.