Friday, June 21, 2024

Connected home or monitored home: should you give up your privacy for home automation?

Must Read

Privacy and digital life do not necessarily go hand in hand. The case of connected objects is complex. On the one hand because they are precisely intended to collect data to offer a personalized experience. On the other hand because they are closer to our intimacy.

Impossible not to be aware of the fact that, as soon as we surf the Internet, as soon as we draw our smartphone, in short, as soon as we use a digital service, we sow personal data like Tom Thumb. Some scandals have opened the eyes of the general public to the massive collection of data and its possible excesses, from the revelations of Edward Snowden, to the Cambridge Analytica scandal. 

When it comes to connected homes, objects that we bring into our homes, at the heart of our privacy, it is all the more legitimate to ask what data they collect, for what purposes and above all what this implies. . And if we don’t somehow mourn our private lives.

A supervised collection

According to the definition of the GDPR recalled by the Cnil (Commission Nationale Informatique et Libertés), personal data is  “any information relating to an identified or identifiable natural person” , knowing that a person can be identified directly (by name and first name) or indirectly by a photo, a login ID, an IP address, a social security number, a voice recording, etc.

In Europe, their collection and processing are governed by the GDPR but not prohibited, with the exception of so-called sensitive data (political opinions, racial or ethnic origin, religious beliefs, sexual affiliation, etc.), the collection and use of which are prohibited except in very specific cases.

On its site, the CNIL informs individuals and professionals.©CNIL

The connected home, a special case

Which user has never wondered if his surveillance camera was not observing him without his knowledge or if his voice assistant was not listening to his conversations? The case of the smart home is special in more ways than one. Firstly because these devices are precisely intended to collect a whole lot of data (personal or technical) to evolve and enrich the experience. Data passes between objects, as well as between the manufacturer’s server and the user’s smartphone. 

Above all, before even talking about data collection, we bring it into our homes, into our private life in the strict sense of the term. It has even become difficult to escape them. “There is no need to go very far in home automation to have connected objects. A printer is a connected object. The TV is connected. The smartphone is a connected object that we often forget” , points out Benoit Grunemwald, cybersecurity expert at ESET France & Francophone Africa.

In her article “Privacy put to the test by the connected object” (World of Grandes Ecoles and Universities), Sandrine Macé, Scientific Director of the IoT Chair and Head of the IoT option at ESCP, discusses it our paradoxical behavior with regard to the connected object, which “attracts as much as it repels” . It attracts because “technological innovations widen the field of possibilities” , but is feared precisely for the data it collects.

It should be noted that the smart home sector has another particularity which is not without impact on respect for privacy: the variety of its players (digital giants, connected home specialists, more general brands, unknown players who sell devices at low prices on marketplaces, publishers of services or applications that do not sell hardware, etc.).

No data is trivial

Among the data collected by these devices, some may seem harmless, but can already reveal a lot. It is unclear who is likely to use them or how, and their importance also depends on the context. In a video entitled “Our data are not commodities”, La Quadrature du Net gives the example of soldiers who carried out their physical exercises equipped with a connected bracelet, without being aware that they were at the same time recording the detailed plan of the military base. 

Vincent Roca, a researcher at Inria, gives us another: “taken individually, each piece of data can already have meaning. I often take the example of the connected light bulb which can reveal unusual habits or situations. For example, if you don’t use your light bulbs for a while, maybe it’s because you’re away from home. Conversely, if you start using them frequently at night over a period of time, this can also be indicative of certain things. »

Our schedules, our habits, our way of life, what we like to watch, the music we like to listen to and much more… so many things that the connected home knows about us.

In a forum dedicated to the impact of connected objects on privacy, teachers from Esilv (the engineering school of the Pole Léonard de Vinci) enjoin us not to consider any data as trivial. Especially since they take on a whole new meaning when they are crossed with others. “The intrusion into private life becomes more violent as soon as we can cross all this innocuous data. And now I have become a prey, people can put pressure on me, impersonate me, take advantage of my habits to steal my property, from the simple theft at home to the copy of the badge that opens the premises of my company. The list is long ,” they explain.

What our connected home knows about us

The implications go beyond the risk of usurpation. When you connect your home, you are exposed “to the capture of a lot of data of different natures which will probably be crossed and acquire meaning thanks to this crossing, beyond what you can imagine as a user. “ Warns Vincent Roca. He cites the case of robotic vacuum cleaners that map: the housing plan informs about the composition of the family. If this information is crossed with the address and the cost of real estate in the area, it can give an idea of ​​the household’s standard of living. 

The proliferation of connected objects within the home could therefore be a boon for actors who would like to know more about us. Because a connected home can “know” so many things: our schedules, our habits, our lifestyle, what we like to watch, the music we like to listen to and much more.

This is also the reason why personal data is so coveted: cross-checked and analysed, it reveals so many things that we can use it to predict or even influence some of our behaviors, in particular our purchasing behaviors (that would I be willing to buy, what do I need, what could I want, how much would I be willing to spend…).

What data do connected objects collect?

Smart home devices inevitably collect data. Depending on the type of device and its manufacturer, their quantity and nature vary.

If we take the example of Netatmo, which highlights its concern for security and respect for privacy, the manufacturer only collects the user’s email address and some information that depends on the product, such as the city housing to adapt the operation according to the country or the heating algorithms according to the weather. “That’s all that is sent to the servers ,” says Grégoire Markarian, product director at Netatmo.


As for Amazon, its Alexa devices are linked to an Amazon account. Alexa thus has access “to various personalization elements and to the information that is in the user’s account, for example the delivery address if I do voice shopping, what are my favorite radio stations, my music service… there are no additional specific elements collected” , explains Clément Monjou, Alexa Senior Business Development Manager. It specifies that four pieces of information are sufficient: surname, first name, email address and postal address. 

As far as Alexa products with a screen are concerned, “there is absolutely nothing that passes through. In the event that we want to make a video with another user, the video stream which allows the exchange is not stored and it is encrypted from end to end”. Ditto if the user monitors his apartment with the camera, he can access the live stream, but nothing is recorded.©Amazon

As for voice recordings, he assures that “Alexa does not listen to its customers. Alexa only listens for the ‘wake word’ – plus there’s a physical button to mute the mic. The recording parameters can be customized (no recording, deletion of recordings one by one, grouped…). As for the data shared with partners for Alexa skills, it is “transparent for the user” , he knows which element is shared with which partner.

On the side of Google Assistant, the same: it is possible to modify the parameters, to access the recordings and to delete the history. The assistant also waits wisely in standby mode to detect the wake-up word. It then processes short audio clips and, if it does not detect activation, Google promises that they are not sent or saved on its servers.

“On the least expensive objects, we observed an absence of security measures; on higher-end objects, it was mainly in terms of informing people that questions arose. »

Often decried, Amazon (on a page dedicated to Alexa and privacy) and Google (in its privacy rules) play the card of transparency by detailing the data collected, their processing, what the user can configure and how. 

While many players in the sector comply with these GDPR requirements, it is not systematic. During the REDOCS event (Meeting with Doctoral Students in Security), the Cnil submitted a series of analyzes on connected objects to doctoral students in security. They noticed that certain GDPR rules were not always respected:  “On the least expensive objects, we observed an absence of security measures; on higher-end objects, it was mainly in terms of informing people that questions arose. »

Question intentions

More perhaps than the data collected, we must question their destination. And, for this, we can question the economic model of companies. The words of Grégoire Markarian (Netatmo) encourage us to do so: “By design, our products are made to collect a minimum of data for several reasons. First of all, storing data is expensive and since we don’t do anything with it except use it for the daily use of products, there is no point in storing it. And what does not concern us does not concern us. We therefore collect a reduced amount of information. Our salary comes from the sale of cameras, thermostats, weather stations…”

Vincent Roca also encourages us to question everyone’s business model to get an idea of ​​their interest in collecting our data. “I think you have to ask yourself the question of the different classes of actors to understand the motivations of each other. I tend to identify four categories. Manufacturers of connected objects, manufacturers of smartphones, third-party players who are more oriented towards smartphone services and applications, and finally manufacturers of connected speakers, who also have a decisive role in this ecosystem. »

According to him, the former would rather be motivated by the sale of objects. The latter need to exist on this market. Regarding the publishers of applications and services, citing IFTTT as an example, according to him: “It is possible that they are present to collect data, especially since the service is free and they do not ask nothing to the user. As for connected speakers, he believes that they  are really at the crossroads, not very expensive in terms of what they do. There is a chance that these actors are there to collect, cross-reference and use data to make the link with their other services and activities”. Vincent Roca reminds us that Amazon also has a commercial activity and that the parent company of Google makes most of its turnover in the field of targeted advertising. 

Voice assistants, connected objects like no other

In this sense, smart speakers occupy a very special place within the connected home, since they centralize the requests and often the commands of the connected objects of the house. According to Vincent Roca, if they are used, even to control the objects which present the least risk, that changes the situation. “It’s a bit vicious, because the objects themselves don’t present the advertisement. So it feels like nothing is happening beyond their primary functionality. But these are Trojan horses that collect and associate data, which is exploited in another way. But the exploitation still takes place. »

Connected home, “weakened” home? 

According to Benoit Grunemwald (ESET), “from the moment you enter the game of a connected object and especially if it is connected to the cloud, you open a door to sharing, to the use of your data and Above all, we have an extremely vulnerable entry point, which is the connection to the account” – logins and passwords are part of the elements that weaken the ecosystem.

He gives us some recommendations for securing a connected home. The key would be to have “good cyber hygiene” from the purchase and installation phase. The basics are using different passwords on all accounts, which a password manager makes easy, and creating strong passwords – rather  “passphrases, sprinkled with a few special characters, numbers and capital letters” . He also recommends using two-factor authentication when available. 

He also specifies that there are solutions to be installed on a home computer or on a smartphone which analyze what surrounds them, including connected objects. They are able to report “suspicious behavior and/or inadequate default configurations” (they are included in some antivirus products offered by ESET). 

The choice of material is also important. Better to opt for a manufacturer that offers regular updates, especially if they are security-related, because “the question is not whether there is something infallible. Nothing is, everything has flaws. On the contrary, the manufacturer that updates its solutions and offers bug fixes shows how much it respects its users, their privacy and their personal data . To find out, he suggests asking for information on forums, on the application publisher’s site, or from users who study the products closely. 

Another recommendation from the expert: “Also look on the site for mentions of personal data policies, GDPR compliance, data storage. Where on the planet is this data stored? Do they allow themselves to share this data with third parties? Under what conditions? »

The Exodus Privacy platform of the eponymous association allows Android users to analyze applications by listing the “trackers” present there.©Screen capture

If the benefits brought by the connected home are undeniable, our interlocutors encourage us to question ourselves on the risk-benefit ratio and not to systematically consent to everything.

Because the sinews of war is consent; but still it must be enlightened. And that is the whole difficulty in the field of data collection. While the GDPR has allowed European citizens to benefit from a little more transparency, it is sometimes difficult to know what is really going on behind the scenes.

Latest News

7 The most requested services of an escort

The most demanded services of an escort, although the saying has tried to tell us many times, the reality...

More Articles Like This