Everyone’s talking about Data Privacy Day, but who’s listening?

It’s January 28th 2021, which means Data Privacy Day is upon us once again. A lot has happened in the past year, including a global pandemic that resulted in many of us becoming more dependent on our devices than ever before. For several years now, the lines between technology, privacy and convenience have become blurred. Technology has crept into our lives gradually, quietly peeling back the layers of our privacy in exchange for even greater convenience, and many of us accept it willingly.

Data Privacy Day 2021

It’s good that we have this day to draw attention to data protection and have the conversation around privacy, but have you ever stopped to consider who’s listening? If today’s goal is to empower individuals and encourage businesses to respect privacy, safeguard data and enable trust, this article aims to shine a light on the threat that smart devices might pose to our privacy.

When Amazon first launched the Echo in 2014, there was a lot of scepticism around letting the world’s largest online retailer put a listening device in your home. Today, Amazon has shipped more than 100 million smart speakers and “Alexa” has quite literally become a household name. And that’s just the tip of the iceberg. At the time of writing, more than 12% of homes worldwide are considered “smart homes” due to having one or more connected devices. That figure is forecast to reach 21% by 2025, meaning one-fifth of the world’s homes will need to start thinking very critically about data privacy.

How are smart devices a risk?

While many of the most common “listening” devices – e.g., Google Home, Amazon Alexa, and some security and smart home devices – usually have authentication or encryption built in, the cheaper non-branded devices often do not. This makes it easier for bad actors to establish direct connections to these devices while bypassing any firewall restrictions. It really puts things into perspective when you consider that cyberstalkers could spy on you in your home by exploiting a vulnerability in a smart security system that’s designed specifically to keep you safe.

Aside from the devices, people should also be conscious of what goes on behind the curtains. To the companies that develop and manufacture many of these devices, data is the new currency. It’s widely shared, often without direct consent, with third parties such as other manufacturers, insurance companies, data aggregators, social media sites and even the government, all of whom have a vested interest in your data.

Which devices are vulnerable?

According to SAM Seamless Networks, 47% of vulnerable devices installed on home networks are security cameras. Not only does that put your home at risk, but it can also end up putting entire servers at risk. For instance, if a hacker gained control of 1,000 webcams, they could use them to make simultaneous requests to a server and crash it, resulting in downtime and potentially thousands of vulnerable homes. These are known as DDoS attacks, and today a significant amount of the traffic that contributes to DDoS attacks comes from home-based IoT devices.

It’s important to remember that it’s not just professional cyber criminals that have the upper hand here. Less sophisticated exploits are still possible if somebody is willing to put the time and effort into eavesdropping on your home. In the UK in 2018, one of the first ever court cases for IoT-related abuse led to an 11-month prison sentence. A man was found guilty of eavesdropping on his estranged wife through the microphone on a wall-mounted tablet used to control the heating and lights in their home.

What can you do to protect yourself?

We should all have a grip on our data privacy, but that grip is significantly weakened once our data has been transmitted to the cloud. It’s one of the things that makes IoT such a vulnerable and complicated concept. We’re not always aware of precisely what’s being shared or who it’s being shared with, so the best thing we can do is retain as much control as possible at the point of sharing information.

Another major risk comes from software on these devices not being updated, so look for a company that promises to keep updating the software and provide regular patching.

Try not to give out data unnecessarily, and always be wary of untrusted or unfamiliar websites. If an app or service asks for more information than you feel is necessary, question it. Some sign-up pages are designed to make you give up more information (such as a phone number or address) by making it seem mandatory.

The onus is on service providers to stop using these tactics, and on manufacturers to allow users greater control over their devices. Users should have the ability to shut down their devices fully when not in use or disconnect services such as GPS or microphones when they aren’t required.

Data Privacy Day is the perfect time to have a “digital spring clean” and get rid of any unwanted devices, services and legacy accounts. It’s also a great time to talk to each other about data privacy and question the amount of data you give up – both willingly and unwillingly. Conversation is good, but always be mindful of who’s listening…

