Northeastern University research finds smart TVs, other Internet-connected devices are exposing private user data by Khalida Sarwari September 20, 2019 Share Facebook LinkedIn Twitter The smart devices in your home are listening to you, recording your whereabouts, and sending data to technology companies and other third-parties, according to a new study by David Choffnes, an associate professor at Northeastern. Photo by Matthew Modoono/Northeastern University While you were binge-watching Stranger Things, your smart TV was sending data to companies such as Netflix and Facebook, according to a new study led by Northeastern professor David Choffnes. And it’s not just your TV; Other devices in your home that connect to the internet, including your wireless video doorbell, your speakers, and your digital assistants, are listening to you, recording your whereabouts, and sending data to technology companies and other third-parties. David Choffnes, an associate professor in the Khoury College of Computer Sciences. Photo by: Adam Glanzman/Northeastern University “There is a small number of these cloud providers that are getting a lot of insight into what you’re doing with these devices,” says Choffnes, an associate professor in the Khoury College of Computer Sciences who led the study with his research colleagues from Northeastern and Imperial College London. “And since they’re in our homes and they can do things like detect motion, they know when we’re home, they listen to our voice commands, they record video, they’re potentially getting access to a lot of sensitive data about us.” The researchers discovered that, at minimum, third parties receive information about the devices people are using, when they are using them, and where the devices are located. What isn’t clear is what third-party services are actually doing with that data and whether they’re misusing it, says Choffnes. But, he says, this practice raises concerns about user privacy and security, especially because it runs the risk of exposing consumers to potential data breaches. “We are increasingly letting these devices in our homes and we have almost no insight into the data they’re collecting, who they’re sharing that data with, and what the privacy implications are,” says Choffnes. The content of the information that devices are sending to companies is unclear because much of that data is encrypted, says Choffnes. That can be a double-edged sword. “That’s good for protecting your data from eavesdroppers, but it also poses a significant challenge for privacy researchers like myself who are trying to investigate what’s going on,” he says. To hold these companies accountable, Choffnes says that there ought to be a way for independent parties, such as researchers and auditors, to oversee the nature of the information that’s being exchanged. Choffnes and his team conducted more than 34,000 experiments in which they tested 81 devices in the U.S. and U.K., including smart TVs made by companies such as LG and Samsung. They wanted to understand just how much data is collected by smart devices and where that data gets distributed. They found that many TV devices were collecting data and sending it to Netflix, even when users were not Netflix customers. They also found that the most frequently contacted companies were those that provide cloud services for smart devices, including Amazon, Google, Akamai, and Microsoft. Choffnes says that it’s possible that these companies could be using this data to determine which market to enter next and which new customers to target. The researchers also investigated Zmodo and Ring, which make wireless video doorbells for people who want to know who is coming to their home, even when they’re not there. Choffnes and his colleagues discovered that they could view images taken from a Zmodo camera even when they weren’t authorized users of the device. And they found that Ring devices began capturing video 10 seconds before informing visitors that they were being recorded. “One of the big problems here is that there’s no way to turn it off and there’s no way to get consent,” he says. “If you’re visiting someone, these things are recording you, and you don’t have any control over that.” Choffnes and his team are now looking into potentially developing software that will enable users to stop their devices from sharing their data. He compared the program to an ad blocker, a piece of software designed to prevent advertisements from appearing on a web page. “In many cases, these devices just don’t need that many connections to provide their functionality, like to be able to watch TV or to be able to turn on your microwave from a voice command,” he says. In the meantime, he advised privacy-conscious people to avoid smart devices if at all possible. “You have to wonder, as more and more devices have these connections: When you buy a product, are you becoming the product?” For media inquiries, please contact Mike Woeste at m.woeste@northeastern.edu or 617-373-5718.