The popularity of smart home devices such as Amazon’s Echo (Alexa) has led to a rise in their presence within our homes. Our homes are our safe, private space, where we can speak to those we trust about the most trivial to the most serious issues. But with smart home assistant devices planted throughout our rooms, are our conversations really as private as we believe?
How the smart device works is simple: the consumer gives a command to ‘awaken it’ and poses a question, the internet-connected device relays the question to the host server and then provides an answer in an audible format. The most important aspect of this process is that the device can listen. However, when does the listening start and then stop? Or more aptly, is the device constantly listening in order to hear the wake-up command?
A couple from Oregon, unbeknown to them, had a private conversation recorded by a smart home device which then sent the recording to one of their digital address book contacts. The smart device had not been given a command to do this, nor did it make the couple aware when it had. It wasn’t until the recipient of the recorded message contacted them that they realised what had occurred. Similarly, stories in the media have reported smart home devices randomly laughing or giving directions to cemeteries during the night without being given any commands.
In the dire scenario of someone obtaining smart device recordings, who is held culpable for these attacks? Is it the manufacturer of the hardware, the software developer, the internet service provider or the consumer? Should consumers be under a legal obligation to ensure they are securing the devices to a reasonable extent?
California has become the first state to create a cybersecurity law that governs smart devices. The bill (SB-327) will come into force in January 2020 and states that any manufacturer of a device that connects directly or indirectly to the Internet has a legal obligation to equip it with reasonable security features.
In response, the United Kingdom’s Department for Digital, Culture, Media and Sport has issued a code of practice offering guidance for consumers, explaining step by step how to maximise their cybersecurity when using these devices. The straightforward steps include ensuring you set up a unique password when activating your smart home device. Although this does not necessarily deal with the issue of being recorded, it does help to prevent unauthorised access, use or disclosure of any recordings or information the device holds.
This may sound like common sense for some people, but in reality, many smart home devices are left with the manufacturer password (eg, 1234). This may be due to lack of time or guidance as to how to change it, or an assumption that the device comes with a unique password. However, this may leave the devices open to being hacked. In particular, smart home devices are not subject to the same scrutiny or daily vigilance as smartphones, and therefore may fall under our radar when it comes to cybersecurity maintenance.
Alongside the Department for Digital, Culture, Media and Sport’s guidance, the EU General Data Protection Regulation (GDPR) has also had an effect on smart home devices, specifically on how personal data is used and protected. An example of this is the smart device company Yeelight, which failed GDPR compliance at the last minute, rendering its devices unusable. However, this does not account for the data collected before their disuse, nor the fact that Yeelights are advertised as being able to be controlled by, and to share data with, Amazon Echo (which did not fail GDPR compliance).
Nevertheless, smart home devices remain popular with consumers, and time will tell how much of our lives and personal conversations are being covertly invaded. Consumers should be empowered by knowledge as to how they can best protect themselves, rather than solely relying on smart devices.