BlackBerry Blog

IoT Monitoring Devices Raise New Privacy Concerns

FEATURE / 10.25.17 / Kim Crawley

I've started to watch Star Trek Discovery and I'm reminded of how characters in Starfleet facilities can just say “computer,” ask any sort of question, and get an intelligent response from their era's more advanced AI. We’re finally starting to get that nifty technology, but one thing Starfleet doesn’t seem concerned with is whether their AI is secure.

Amazon debuted their Echo line of Internet of Things (IoT) devices in November 2014. Google debuted their Home line of devices in November 2016. Both devices enable users to use their voice to interact with Amazon or Google's AI software and the Internet to engage in various tasks, such as playing music, podcasts, and audio books, answering questions about weather and traffic, automating other compatible smart devices, purchasing merchandise, hands-free phone calling, receiving news updates, and calendar scheduling. It's all pretty novel and convenient, but many people have raised privacy and security concerns. I've written about some of the information security concerns of IoT devices here.

All Amazon Echo and Google Home devices feature microphones, which usually listen to everything around them at all times. Some models such as the Echo Look, Echo Show, and Echo Spot also contain cameras which can possibly watch whichever room you put them in.

Tech Experts Remain Somewhat Divided on These Types of Devices When It Comes to Privacy

Some people in the tech media really love these devices. While reviewing the Google Home, WIRED's David Pierce wrote, “Home recited the answer to 'What’s the difference between acetaminophen and ibuprofen,' quickly, informed me that giving my dog squash is totally fine as long as it’s cooked, and told me the Cubs won game six. Google has spent the last few years refining the 'answer boxes' that appear atop your search results and provide context. That work goes to good use here.”

But many tech experts have been concerned about the privacy implications of using these devices. Slashgear's Chris Davies wrote, “Amazon is still doing a little extra homework in the background as a shortcut to knowing you better. Things like your music playlists are automatically processed by Echo’s voice services, 'to improve response time and accuracy'; similarly, Amazon reserves the right to share your music titles, radio stations, and zip code with 'third party services', though doesn’t confirm who they might be.”

Davies continued, “in the end, how much you trust Echo comes down to a more wide-ranging question about how you trust the cloud. On the one hand, there have been enough data leaks and privacy goofs over the past twelve months to make you understandably wary of what’s going on with the servers of others; on the other, if you want the convenience features, cloud processing is still the most efficient and flexible way of doing it.”

Dan Olds of OrionX, a technology analyst firm, spoke about his concerns about Google Home. “There are plenty of privacy issues with this type of always listening technology. It's obvious that any device that is always listening could also be always storing and always analyzing anything that is within earshot of the receiver. (Google Home) could give Google a hell of a lot more personal data about users than they get now. That microphone will be a witness to every verbal interaction in the home. It will also know what you watch on TV, what you listen to, and, obviously, when there's no one home.”

Privacy vs. Novel and Useful

I don't know about you, but I like having no one but my cat watch me while I'm at home. I'm an avid console gamer and I don't own Xbox's Kinect. I'll soon buy a PlayStation VR to go with my PS4 partly because I'm confident that it's simply an output device. I turn GPS off on my phone when I'm not using Google Maps. I tell Android that I don't want my location information to be shared with websites and apps, but I'll occasionally let my phone share my location when I'm at the Toronto Eaton Centre shopping mall so that Google can deliver me a useful directory of all of its 235 stores and services.

There are understandable questions about what exactly Amazon and Google are doing with all of the data they acquire from consumer Echo and Home usage. Amazon has already acknowledged that they reserve the right to share Echo acquired information with “third party services.” Is Amazon sharing pictures of the rooms in people's houses with the furniture and appliance manufacturers whose products they sell? Are Amazon and Google sharing information about which movies and music customers enjoy with big entertainment media companies like Sony and Warner Bros.?

What Happens When IoT Monitoring Comes from the Non-Tech Giants?

Huge toy manufacturer Mattel is getting into the IoT monitoring device game, this time by marketing a product for parents to use with their babies, toddlers, and school-aged children. The company announced their Aristotle device in January 2017, and they were originally supposed to release it to consumers last summer. Their novel product is something of a cross between an Amazon Echo and a baby monitor.

Some of Aristotle's features that Mattel has announced include logging wet diaper and feeding data, answering a child's questions, soothing babies to sleep with lullabies, favorite songs, and a night light, looking for deals and coupons on consumable baby products, ordering diapers from retailers, playing guessing games with animal sounds and shapes, and teaching older children other languages and helping them with their homework.

Even though Aristotle hasn't quite been shipped to market yet, privacy concerns have been raised about it, as well.

“Alexa and Echo have prepared us to say this is okay,” said MIT professor Sherry Turkle, “to see something that’s actually quite shocking as okay. (Aristotle's ability to play lullabies to help babies sleep) is exactly the wrong thing for a computer to be doing.”

She believes that an IoT device cannot comfort a baby as well as a human parent can, and that devices like Aristotle may discourage parents from directly interacting with their children, having a possibly negative effect on their development. Her concern goes beyond information security and into the realm of child developmental psychology.

The Center for Digital Democracy's Jeff Chester is primarily concerned about the privacy of the child: “The kid tech industry sees kids’ bedroom as an economic bonanza. They can get all kinds of profile information — the kid likes to eat this kind of food, the kid likes to listen to this kind of music, and we’ll have this kind of information that we can share with partners and advertisers.”

Putting Aside the Potential Ethical Implications…

Even if Amazon, Google, and Mattel are ethical in how they use consumer data, these are Internet-connected devices which may be vulnerable to cyber attack. Although Mattel has said that 256-bit encryption is used when Aristotle devices stream video to parents' phones, are the devices' other data streams encrypted?

And even so, cyber attackers could deliver spyware to Echo, Home, and Aristotle devices that can give them all sorts of lucrative personal data, including but not limited to video and audio from people's homes. Also, any plaintext data transmitted through the internet can be easy to intercept with man-in-the-middle attacks.

I advise consumers to strongly consider the cybersecurity risks of IoT monitoring devices before they consider purchasing one.

About Kim Crawley

Kimberly Crawley spent years working in consumer tech support. Malware-related tickets intrigued her, and her knowledge grew from fixing malware problems on thousands of client PCs. By 2011, she was writing study material for the InfoSec Institute’s CISSP and CEH certification exam preparation programs. She’s since contributed articles on information security topics to CIO, CSO, Computerworld, SC Magazine, and 2600 Magazine. Her first solo-developed PC game, Hackers Versus Banksters, was featured at the Toronto Comic Arts Festival in May 2016. She now writes for Tripwire, Alienvault, Cylance, and CCSI’s corporate blogs.

The opinions expressed in guest author articles are solely those of the contributor, and do not necessarily reflect those of Cylance or BlackBerry Ltd.