The Internet of Things is Surveillance

Posted on Nov 21, 2018 by Derek Zimmer

The IoT is back in the news again this week. A judge has ordered Amazon to turn over audio data from an Alexa device related to a murder investigation.

There are a few interesting things raised by this warrant. The investigators believe that Alexa may have captured audio of the attack itself and uploaded it to Amazon servers, which means that Alexa would have been listening despite the “wake word” not being spoken. This would go against how Amazon tells us the device functions. The investigators may be hoping that Alexa incidentally heard something that sounds like the wake word and recorded audio based on that. This has happened before.

They are also asking for a list of all devices that connected to the speaker during the time period in question. This means that Amazon is collecting information on everyone who visits your home, and when, based on the mobile devices they bring along with them.

These new developments only add to the pile of issues that come with placing internet-connected microphones in your house. There are the obvious problems, like the security of the device: a hacked Alexa can listen to everything you say and do. And there are deeper problems, like being unable to figure out what the speaker is collecting. The device can easily listen and record based on specific marketing or “national security” phrases and wait to upload the information until the next wake word is spoken. You can cram low-quality audio into surprisingly small spaces, and because all communication with home servers is encrypted, you can’t know what information is actually being transmitted. A great example is Google Android sending GPS information to Google even while GPS was explicitly disabled.

Conspiracy theories aside, the Internet of Things is a race to get unnecessarily internet-connected devices into our homes, and the consequences are far worse than your light bulbs DDoSing universities in the long run. It is all just more digital surveillance, added to the mountain of data collected about you by your internet provider and 300 digital marketing companies, then sold, exchanged and aggregated into tools designed to manipulate you into buying certain items, voting a certain way, or to direct your mood regarding various causes and topics.

What was once a faint digital shadow, a small figment of information that left a trail about our recent browsing habits, has grown into full dossiers. The largest marketing organizations and governments now know:
where you live (GPS, IP address, Geolocation, Nearby Wifi and Bluetooth devices),
where you go (GPS data),
what you do (GPS data),
what you buy (Cookies, Payment Data, GPS data, Data from Online Shopping Accounts),
who your friends are (GPS data correlated with proximity, apps pulling phone and email contact lists, even Bluetooth Proximity),
where you work (GPS data, employment records, IP address, Geolocation, Payroll Data, IRS Data),
where you eat out (GPS, Payment Data, Geolocation),
what you buy when you eat in (GPS, Payment Data, Store Membership Numbers),
when you cook your meals (Smart Meters),
when you sleep (Smart Meters),
when you take a trip (GPS data, Payment Data, Geolocation, Travel Data from Airlines/Trains/Busses),
and so much more. There are burgeoning businesses to install “security cameras” all over your house that upload all of your personal information to “the cloud.” It doesn’t take a huge logical leap to guess why they would do that. IoT devices are placing microphones and cameras all over your home. Companies and governments alike want all of that data.

When you combine companies acting unethically, the security risks of the devices themselves, and the problems with all of this data being aggregated into complex compendiums of our entire lives, the risks far outweigh the gimmicky rewards.

Projects like Mycroft may bring us better alternatives for people who want the smart-home functionality without all of the surveillance, but they too have some concerns.

Remember to consider what kind of data your devices can gather about you, and how it can be combined with lots of other information about you to strengthen surveillance. Weigh the value of the utility of the device against the cost of your privacy before buying an IoT-enabled device!

About Derek Zimmer

Derek is a cryptographer, security expert and privacy activist. He has twelve years of security experience and six years of experience designing and implementing privacy systems. He founded the Open Source Technology Improvement Fund (OSTIF) which focuses on creating and improving open-source security solutions through auditing, bug bounties, and resource gathering and management.
