How much of your privacy would you trade for a smarter home? Internet service providers (ISPs) can peek at the internet-connected devices people use in their own homes – baby monitors, TV set-top boxes, vibrators – even when those devices are specifically set up to protect users’ privacy.
“These home devices are also home surveillance devices,” says Peter Swire at the Georgia Institute of Technology in Atlanta.
We’ve known that for a while, but concerns were generally directed at outsiders, like people spying on our baby monitors, or hackers coaxing our internet-connected devices to join in a distributed denial of service attack.
But in the wake of policy changes in the US earlier this year, people began to wonder who else could start using our data for profit. In March 2017, the US legislature voted to repeal Obama-era rules that would have prevented ISPs from selling personal information to third parties and given users more power over what information they shared with ISPs.
“ISPs are in the most powerful position in terms of having data that they could sell on,” says Brent Mittelstadt at the Oxford Internet Institute, UK. Metadata – information about how and when someone is accessing the internet, but not about what they send or receive – is valuable because it is relatively easy to analyse and contains insights into an individual’s lifestyle.
In the US, ISPs are allowed to use or sell data they collect about their users’ internet use and histories. Do our smart devices broadcast any bankable information?
To find out, Noah Apthorpe at Princeton University and his colleagues set up a mock smart home, complete with seven internet-connected devices, to see what the devices might reveal about their users.
Four of the devices, the team found, could be easily identified by ISPs just because of the way they connected to the internet. That might not be a problem when it comes to an Amazon Echo, which immediately revealed its identity. But now that everything from insulin pumps to vibrators comes with internet connectivity, just knowing what gadgets someone is using could be valuable information to advertisers.
Jigsaw of habits
Encrypted connections are one way of limiting the amount of information that an ISP can gather about its users. Websites whose addresses begin with “HTTPS” encrypt their traffic, so although an ISP or other network observer could see that a user had visited a particular website, they wouldn’t be able to work out which specific pages the user visited or what they did on that website.
But encryption doesn’t stop ISPs from knowing which internet-of-things devices their users have, nor does it stop them seeing when we use those devices. In the Princeton study, ISPs could track a user’s sleep patterns by detecting when a sleep tracker was connecting to the internet. The study also revealed that ISPs could identify when a home security camera detected movement and when someone was watching a live stream from their security camera.
The authors say there might be ways to cut down the snooping abilities of ISPs. One possible defence involves deliberately filling a network with small amounts of traffic. This could be done by running all your internet traffic through a VPN and then programming the VPN to record and play back that traffic even when the IoT device is not in use, making it tricky for ISPs to work out when a particular device is actually being used. However, this would probably slow down the network, making it a somewhat impractical defence against network observations.
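The timing inference and the record-and-replay defence described above can be shown in a few lines. This is an added illustration, not code from the Princeton study; the per-minute byte counts, the threshold and the function names are constructed assumptions.

```python
from itertools import cycle

# Constructed sample: bytes per minute seen on the wire for one device.
# Small values are keep-alives; large values are the device in use.
TRACE = [120, 110, 130, 9800, 10400, 9900, 125, 115, 10100, 9700, 118, 122]
THRESHOLD = 1000  # assumed cut-off between keep-alive traffic and real use


def active_minutes(trace, threshold=THRESHOLD):
    """What an on-path observer infers: minutes in which the device was used."""
    return [i for i, size in enumerate(trace) if size > threshold]


def replay_cover(trace, threshold=THRESHOLD):
    """Fill idle minutes with replayed copies of previously recorded bursts.

    Returns the shaped trace and the number of extra bytes sent.
    """
    recorded = [size for size in trace if size > threshold]
    if not recorded:
        return list(trace), 0  # nothing recorded yet, so nothing to replay
    replay = cycle(recorded)
    shaped, added = [], 0
    for size in trace:
        if size > threshold:
            shaped.append(size)          # genuine use passes through unchanged
        else:
            burst = next(replay)
            shaped.append(burst)         # idle minute now looks like use
            added += burst - size
    return shaped, added


def overhead_ratio(trace, threshold=THRESHOLD):
    """Extra bytes sent as a fraction of the original traffic volume."""
    _, added = replay_cover(trace, threshold)
    return added / sum(trace)


if __name__ == "__main__":
    shaped, added = replay_cover(TRACE)
    print("observer sees use at minutes:", active_minutes(TRACE))
    print("after replay cover:         ", active_minutes(shaped))
    print(f"extra bytes: {added} ({overhead_ratio(TRACE):.0%} overhead)")
```

On this sample the shaped traffic more than doubles the bytes sent, which is the bandwidth cost behind the slowdown mentioned above.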
Ultimately, Mittelstadt says, it’s up to consumers to weigh up the privacy risks that come along with using internet-connected devices. But it’s hard for us to make informed decisions when it’s not at all clear what kinds of data ISPs are collecting, or how they’re using the data. “There’s a lot of uncertainty around that data,” he says.
This type of observation is possible anywhere, but in the US there are few restrictions on what data ISPs are allowed to sell. EU law makes it more difficult for ISPs to do similar things, and the upcoming General Data Protection Regulation should protect UK citizens.