How Big Brother's going to peek into your connected home

The tech industry easily convinced the public to accept a myriad of free services for the price of some loss of privacy. But getting them to embrace the smart home is going to be a far harder sell.

Nick Statt Former Staff Reporter / News
Nick Statt was a staff reporter for CNET News covering Microsoft, gaming, and technology you sometimes wear. He previously wrote for ReadWrite, was a news associate at the social-news app Flipboard, and his work has appeared in Popular Science and Newsweek. When not complaining about Bay Area bagel quality, he can be found spending a questionable amount of time contemplating his relationship with video games.
The Nest Protect smoke detector. CNET

For as long as people have envisioned the inevitable advent of the smart home, critics and privacy advocates have warned how it might all go horribly wrong.

We're not just talking Orwellian paranoia or a dystopian future where our personal lives are intertwined with corporate identities constantly siphoning data from them. The security and privacy issues at play in haphazardly wiring up our personal spaces are becoming increasingly substantive and -- with the proliferation of smart devices -- opening up our lives to more points of vulnerability, both from real-world threats and existential ones.

"There's been nearly 600 million breaches of records since 2005. Those are the reported ones," said Will Pelgrin, the president and CEO of the Center for Internet Security. "It's almost a rite of passage of going through a data breach. I don't know anyone who hasn't been affected, whether it's email or the Target breach." And those numbers will only escalate as more data sources enter our lives -- and our homes. "The hackers out there trying to harvest this data are potentially in countries that don't prohibit it and they have a lot of time and some are well-funded," Pelgrin added.

The connected home vision has been around for decades. But until recently, futurists didn't worry much about privacy considerations because this Jetsons-like scenario always seemed far over the horizon. All that changed last month when Google scooped up smart device-maker Nest Labs for $3.2 billion and pushed the privacy question off the back burner.

Fearing 'Big Brother' in the home
As the news hit the wire, the immediate reaction in some corners of the Internet was severe. Some swore never to purchase a Nest product now that Google owned the company. "There are some very good alternatives available which are not controlled, or have data collected from them, by Google," wrote one commenter here at CNET.

Others pointed to the recent revelations about the NSA's surveillance activities into the remotest corners of our lives. "We're inviting Google et al. to gain even more control over us? The world is going mad," wrote another. The Twitter snark and Google+ jokes came in torrents, and headlines like "Why is everyone disappointed by Google buying Nest?" aggregated the anger.

That wariness is now a common refrain when talking about Google as it expands aggressively into areas like robotics and ventures into personal health monitoring with far-out projects like glucose-measuring contact lenses. But putting aside the cheeky "Terminator" and HAL 9000 references, the second-guessing is more a testament to Google's ambition and seemingly limitless capabilities than it is a criticism of the company's privacy track record. No one has ever been substantially hoodwinked by Google with regards to their personal information. The way it handles data across its sprawling and free network of Web services, all of which funnel data into its ad infrastructure, is at this point well-known and more or less accepted by the people using its services.

Rather, people with legitimate concerns wove the Nest acquisition into a larger picture: a Google spin on the smart home could become overwhelmingly influential enough to careen the industry towards a model of free or cheap products with subtle data collection caveats we simply ignore out of apathy or because the alternatives aren't as good. In the age of NSA surveillance and mass adoption of data-sharing services and social networks, the threat of letting that strategy transition to the home is increasingly worrisome to those who think the option of keeping sacred certain aspects of our personal lives should remain intact.

"The fact that when I'm sitting in front of my computer Google more or less knows what I'm doing, that doesn't seem to bother people too much," said Jean-Louis Gassée, a former Apple executive who regularly opines on tech trends in the industry blog Monday Note and wrote recently about the connected home and its many hurdles. "But if we broaden this to comings and goings and in-house activities...for a lot of people, that's going too far."

And while Google has yet to make even one substantive move in the connected home beyond purchasing Nest -- that deal hasn't even closed yet -- it's become the face of the privacy discussion whether it wants to spearhead it or not. Nest CEO Tony Fadell and co-founder Matt Rogers have both been steadfast in their belief that transparency is key in retaining current and potential Nest customers' trust and that the company's terms of service should for now remain the same.

Still, Fadell's understandable yet telling refusal to say that Nest will never share data, and his admission at Germany's DLD Conference only one week after the acquisition announcement that a terms of service change would likely involve opt-ins, mean the privacy debate is only just getting started.

"I think we are pretty conscious, increasingly conscious, of how much Google knows about us in the digital world. With the ubiquity of sensors on our mobile phones, now they know where we are in the real world," said Fatemeh Khatibloo, a Forrester analyst who recently made the argument that Google's Nest acquisition will force a much-needed privacy debate about the Internet of things. "Now they're going to know exactly what we're doing in our home, it starts to get a little bit scary. We're all very unsure as consumers what Google will and can do with that data."

The privacy play beyond Google and personal information

Foscam's digital video baby monitor is one of many "smart cameras" you can buy now. It was also discovered last summer to have severe vulnerabilities, allowing a hacker to spout profanity at and observe a Houston couple's 2-year-old child in her crib. Foscam

When it comes to the connected home, we're starting to see an abundance of choices: smart appliance lineups from Samsung and LG; cross-device communication software from Smart Things and Z-Wave; elegantly redesigned household staples like Nest's thermostat and smoke detector; and -- having arrived sooner and with more vulnerabilities than more recent smart home additions -- Internet-enabled cameras for home security and monitoring.

The home automation market is estimated to grow to more than $15 billion by the end of the decade, while the broader "Internet of things" market for connecting homes, businesses, and entire utilities and data industries is a "$19 trillion opportunity," Cisco CEO John Chambers boldly claimed at the Consumer Electronics Show last month.

That means going forward, the privacy discussion won't just revolve around what data is being shared, with whom and for what purposes as if the debate were the same conversation that privacy advocates have regarding Facebook. Instead, the connected home market -- with its many different products and platforms and no universal privacy protection -- is offering consumers a thousand different ways to "make the home smarter," with each coming with its own set of security risks and protection responsibilities that, if ignored or not followed carefully, can turn a system or product against its owner.

"My analogy is Fred Flintstone meets George Jetson," said Pelgrin. "Where Fred Flintstone is the users, we're getting this tech and we not only don't understand the benefits, but also the potential risks and challenges. There are some aspects of this that are tremendous."

Nowhere is that insight more apt than in the last decade's existing smart devices, consisting mostly of loosely protected home networks and IP cameras. Kashmir Hill, a Forbes reporter who last year detailed the vulnerabilities of such devices and networks by hacking into some herself, says that the threats are real, and thankfully at this time are only elementary. Similar to Hill's careful experiments, hackers would likely engage in activity like turning on and off lights or changing the television channel mostly for fun.

"I see that as a small-scale problem. I don't imagine massive attacks from China," she said. "But certainly thieves could figure out a way to manipulate technology." It could, and has in select instances already, venture into the creepy and sometimes criminal. Hill mentions specifically the instance last August in which a hacker tapped into a couple's Foscam baby monitor, spouting profanity at their 2-year-old and even discovering and then using the child's name by reading it off the nursery wall using the monitor's camera.

In that vein, Hill sees Google's arrival in the space not as a reason to worry but as a source of relief if only in that it means we'll see more careful handling of privacy issues, a duty Google is more or less obligated to perform at this point to stave off criticism. "I tend to be more reassured when you have big companies that jump into this," Hill says. "The hacks that I've seen in the past are smaller companies. The infamous Foscam IP camera that was very easily hackable, TRENDNet IP cams, all over the net people were tapping into what they thought were private feeds."

In Hill's venturing into smart device vulnerabilities, she relied on one found within Insteon's home automation system that let an outdated product, one admittedly not originally designed for remote access, list a user's system through Google, where anyone could tap into it if the user failed to implement security measures that were voluntary, instead of required by default. Hill noted:

The dumb thing? Their systems had been made crawl-able by search engines -- meaning they show up in search results -- and due to Insteon not requiring user names and passwords by default in a now-discontinued product, I was able to click on the links, giving me the ability to turn these people's homes into haunted houses, energy-consumption nightmares, or even robbery targets. Opening a garage door could make a house ripe for actual physical intrusion.

That let Hill mess with people's lights -- something she did only after first contacting the unsuspecting users and asking to demonstrate the intrusion -- and in some cases even track down physical locations of the homes she was infiltrating if the user included street address information in the system name.

"As consumers we need to be cognizant of what we're agreeing to. How many of us really take the time to read the user license?" said Pelgrin. And it's that shift in responsibility, away from companies in an era when consumers expect to be wronged on the Web until the perpetrator backtracks its questionable practice, that marks an important shift with a connected home where the risks are higher and the data more sensitive.

With trade-offs & opt-ins, responsibility shifts to users
"I do think there are benefits of sharing data," said Alex Hawkinson, CEO of smart device- and software-maker Smart Things, in an interview with CNET regarding the Nest acquisition earlier this month. "You can do a much better job at algorithms," he added of situations like brownouts, and aggregate that data for future use. "That of course can be all anonymized."

As Fadell expressed after the acquisition that opt-ins may play a large part in data sharing initiatives with the smart home down the line, the notion of a more transparent system -- one with incentives like a lowered energy bill -- that would let companies and consumers benefit symbiotically seems like a no-brainer. "Opt-ins in my opinion rate much better than opt-outs. As consumers we have the opportunity to help influence the marketplace and how data is used," Pelgrin noted.

"I really think that it's about transparency from a vendor perspective. It's about the customer understanding what they're signing up for. And do you want that to report back to the vendor? There's a good value in that, that they can improve that product or software," he added.

"I think it depends on how intimate the data is. I think a lot of people would say they wouldn't be bothered by the Nest data," said Hill. "But there was a big privacy debate about Kinect and Xbox [One] that was always on. That's more sensitive information."

Despite whatever kind of opt-ins arise, Hill is less worried about the idea of hacks or the specifics of added user responsibility than she is simply about the idea of having all our eggs in one basket. "More I just think about the fact that we'll be sending data all the time," Hill said, noting that a Google smart home platform may down the line be the best choice for consumers in that it will be the best designed and the most secure, but that that poses its own set of issues. "That's where you get into that paradox. You go with an established company that you're familiar with, but that means you're sharing more information with that company," she added.

No matter how it progresses, privacy in the connected home is about as complicated an issue as any the market will face in its long road to widespread adoption. Not only will companies like Google, Nest, Smart Things, and the numerous other players emerging seemingly every other week have to go to new heights with regards to transparency, incentivizing opt-ins, and thorny legal issues, but consumers can no longer aimlessly expect to use products and services until they get burned and move on. The lasting effects of a hack won't simply be a call to MasterCard or being asked to turn on two-factor authentication; intrusions both digital and potentially physical, unwarranted surveillance, and sensitive personal information leaking steadily to ad companies are all on the table.

And at the moment, that unfortunately means not taking companies or their products at face value until universal data protection and encryption and airtight security measures are in place. The burden is on us, and that's both good and bad, a teaching moment and also a sharing of power. "As people are more cognizant, I would hope that they would have more agency in deciding," Hill said. "And I hope the companies do stay ahead of the privacy and security because some of these services will be really nice and I hate to think we'll reject them."

"It's not new to the Internet of things. We've been giving up as consumers for a long time our finances, our identity -- a lot of the things about where we live and what we do already. Now our granular activity: when we watch TV, open the fridge, when you get in your car. It becomes that," Pelgrin said. "I think it is a time for all of us to take stock."