Pioneering research has discovered how smart devices talk to Android apps and each other to share data that allows them to know who enters a home, when, and how much they earn
I honestly still don’t get, what exactly all this is for.
Why are companies pumping more and more money into advertising? What do they expect us to do? Most people can’t spend more money and if you have to increase prices because of your overblown ad budget, they’re even less likely to do so.
And what exactly are they thinking they’re getting from companies like Google and Meta? The amount of ads I get that are actually relevant and not super-obvious is miniscule. Ad tech does not work even remotely as well as advertised.
I, too, am curious if there’s an advertising bubble.
I hope so.
I’ve noticed something about my wife, though.
She’s not a “mindless capitalist zombie with the sole goal of owning more stuff”, but she does pay attention to advertising a lot.
We need more diapers?
Well, it just so happens there’s some new startup app that’s advertising a free first month, so if she signs up for that up, we could get free diapers, and we’d only have to keep the membership for another two months, and they have deals on peanut butter, and we’d get access to their free streaming service and they have Disney, so it’s probably worth it overall.
And so it goes, with a million of these deals.
The thing is, each “deal” is so complicated that it’s extremely difficult to know which ones we’re actually saving money on.
The cynical would say “you’re never saving money: everything’s rigged”, but that’s clearly not true.
Some of these deals clearly do work out for us (and some of them cause the startup to immediately go bankrupt).
But most of them aren’t clearly better or worse for us: we’d have to spend several hours going through hypothetical scenarios to do the full CBA, which we don’t do.
I do wonder, on balance, how much it’s costing us.
I also wonder how many of these deals are specifically (personally) targeted at my wife because they know what she needs and what her habits are.
That’s because you’re not a typical consumer. Average consumer those ads target is a mindless capitalist zombie with the sole goal of owning more stuff. Especially in US (but not only) people are trained by their capitalist master that ‘you are what you own’ and spending money is a way of living there. I’m sure you see it everywhere. People go absolutely crazy over brands like Marvel or Star Wars and spend thousands of dollars on useless gadgets. People go crazy over snickers and buy hundredths of pairs. People go crazy over phones and and take credit just to own the latests model. And the ads are there to program those people into wanting more and more things.
You’d be surprised the amount of times I’ve heard someone say they got something after seeing a targeted ad. I personally just zone out until the ad’s done. It’s hard to believe people actually pay attention, and then go so far as clicking the ad and buying the product.
It definitely should be, but I have heard at least 2 people make that statement, so the fact that it’s not 0 is mind blowing. Maybe I just need better friends.
You don’t get it because you don’t have the endless supply of information on ever man woman and child on earth.
The information is valuable so they can continue to squeeze every cent out of everyone I’m every way possible, including those who can’t afford to spend it.
Or, bear with me, just send a massive amount of spam mails to leaked mailing lists. Maybe 1 in a million reacts and you scam them (cfr all the “Nigerian prince” scams.
A looooot less work because the victim’s will contact you themselves. No need to go and “compare which phones show up together and them figure out why they were together and then figure out if it was an affair or not and then contact them in the hopes they care enough to pay ransom”
Seriously, that sounds like such a bullshit approach. It’s uneconomical for the criminals. It’s super involved and doesn’t pay that much. Why would anyone do that, if regular fraud is right there to commit.
Security risk is the bigger concern IMHO. These devices are often a security weak point for networks. Putting them on their own wifi network and then isolating that network is critical.
How can you ensure this is done? There are so many devices that need to connect to the internet and some that require access to other network devices to function.
You basically need to employ network engineering level security - very tight firewall rules, use NAT where it’s available (IPv6 removes NAT, which ipv6 apologists will tell you is a good thing - they’re wrong, as it removes per-service level control and moves it out to per-device/per-NIC), and punch very specific holes to grant access where needed.
I don’t think that the issue is that people don’t know; people don’t care. They don’t understand how horrible the loss of privacy is, and think that the marginal convenience of being able to control your thermostat from your workplace, or have your refrigerator add milk to your shopping list outweighs the negatives of them being turned into botnets, or monetizing all of your data to squeeze every last penny out of you.
The difference is the part immediately after you stopped quoting:
They don’t understand how horrible the loss of privacy is…
What OP is saying here is that people know abstractly that smart devices are not privacy friendly, but they don’t understand how big a deal that actually can be.
I also feel many don’t understand the full extent, either. They’re used to using fairly secure devices in their everyday life (often not realizing how much the software they install is also spying on them), so why wouldn’t these IoT things also be secure?
In my experience, it’s all very vague and ethereal until the risks are highlighted for them. “So what if Google can read all of my emails? What could they possibly do with that information, anyway; why should I care?” is an example of a portion of a real conversation I’ve had.
I agree. There are far too many people with the “if I’m not doing anything wrong, then what have I to hide?” mindset. I’ve seen people unironically say that all Tor users must be engaging in illegal activity, and I don’t think it occurs to them that in many parts of the world, freely accessing information is an illegal activity, and by adopting this mindset we’re empowering that type of state.
I like the way a coworker put it to me, it’s the same reason we have locks on our doors and curtains on our windows, it’s not because we have something to hide, but a right to privacy that tech giants have widely ignored.
We also shouldn’t be conditioned to just accept terms of services with no recourse, by this point I think most people just press accept and know by now whatever it is there, isn’t worth the trouble of fighting to have it changed. So companies get to legally have a free for all with your privacy, cause you consented to things you’ll later find out you didn’t even know you consented for.
ToS are the worst thing ever. They are “contracts” that you are required to sign to do literally anything in the world but are not allowed to negotiate and can be modified at any time without your consent and your original signing is propagated to the new contract and it is still considered binding. Also, they are allowed to put clauses in which hand over rights to your property, intellectual or otherwise, which is irrevocable and perpetual. Additionally, you have many “software” providers putting clauses in which state that you only lease the license, you do not own it. Even if you have a physical media with the software, you only purchased a lease and it is therefore illegal for you to resell it. They are also allowed to revoke your lease at anytime, without recompense of any sort. That is the real power of SaaS, not the subscription, but the fact that nobody is ever allowed to own something, no matter how much money you have paid.
Yes, as others have said, they are virtually unenforceable, but it does happen often enough to make sure you are afraid of it.
The TOS are the legal equivalent of a locked car door. It’s the bare minimum prevention against a lawsuit, but really doesn’t protect anything. It’s because they are so long and opaque that they are often unenforceable.
It helps once, but does it push notifications when the TOS changes from the last time you read it?
The TOS could switch from protecting your data to sharing it for money at any point in time and that would apply to any existing data. Unless you know you can get them to delete it, the fact that the TOS used to say something does not matter once they change it.
@snooggums@throws_lemy@HelixDab2@Jessvj93 ofc that’s always the risk you take when using any service. Sadly a lot of the time the ToS is so long it’d take forever to read but this is the closest I’ve been able to find to quick overviews on the the ToS of a specified service.
Note that it does not have every service critiqued as I think ppl with TOSDR manually read the ToS and evaluate.
The best solution IMO is don’t let your smart devices have access to the internet. Put them on a VLAN, block them at the firewall, whatever method you prefer. Accessing your home network remotely is one thing, but your air conditioner doesn’t need to INITIATE a connection to the outside world.
You should never fully trust ANY device on your network. Even if it’s not collecting your personal information and sending it off to who-knows-where, there could always be a zero-day exploit just waiting for someone to find it.
That’s what I did 🙃 Unfortunately, some devices do not work at all without a connection to the manufacturer’s cloud, this also needs to be taken into account.
A long while ago, my first foray into smart home stuff was a Phillips Hue system. I used to use it exclusively offline, but I got deeper into smart home stuff and wanted to add some integration into my system. I don’t remember what anymore, but it meant setting up a Hue developer account, so I signed up. Gave them my email address. Stopped using the integration, moved, reset the hub, used it offline for years.
This February I logged into the hub for some reason. I think an accessory wasn’t working and Hue user docs said to log in or some such nonsense.
Five days ago, I got an email from Amazon. They told me that one of the batteries in a Hue switch was running low, and they helpfully provided me with a link to buy new ones. Their page for the device indicated that they were being updated with its battery percentage every 4-8 hours - and that I had authorized Alexa access to my Hue system in February.
I checked the Hue app, and it indicated no apps or services connected to my account.
Logged into the Hue website, dug into my settings, and there were a dozen app’s and services that had been “authorized” to access my account - none that showed up in the app.
Every smart device that has been on my network - devices that I never integrated with Hue (on purpose!) were all happily showing very recent access times to my data. Systems I don’t have accounts to anymore. I revoked access, of course.
Three days ago Amazon emailed me to let me know a different device needed a battery, and showed that Hue had shared the battery level of the device with them that day - 2 days after I revoked access.
Yeah… all their products are getting trashed, reflashed, or used with zigbee hubs I’ve built.
I have flashed all the bulbs and ceiling lights in my house and they work locally on FOSS firmware now 😉 It is not a big deal. I have very poor soldering skills, and I did this anyway.
Oh, I could make it worse if you’d like? That tool isn’t made for just the bulbs I got at Costco, it’s made for any device in the Tuya ecosystem. What’s Tuya? They’re a Chinese white-label manufacturer that makes smart devices that other companies can slap their brand on. They’ll throw you together an app too, but all of the API calls go through their infrastructure. Bonus, they also make security cameras that send footage to their servers, and smart locks too. They’re literally everywhere, but I’m in Australia so that’s where I’m basing this list:
I mean, there are still plenty of ways to have smart things that don’t communicate with the internet. Ikea’s stuff is all zigbee, they don’t have wifi at all. You can get one of their hubs to control from your phone, or they sell remotes with zigbee you can pair directly to control a set of bulbs. They never have to see internet at all.
You are not logged in. However you can subscribe from another Fediverse account, for example Lemmy or Mastodon. To do this, paste the following into the search field of your instance: !privacyguides@lemmy.one
In the digital age, protecting your personal information might seem like an impossible task. We’re here to help.
This is a community for sharing news about privacy, posting information about cool privacy tools and services, and getting advice about your privacy journey.
You can subscribe to this community from any Kbin or Lemmy instance:
Check out our website at privacyguides.org before asking your questions here. We’ve tried answering the common questions and recommendations there!
Want to get involved? The website is open-source on GitHub, and your help would be appreciated!
This community is the “official” Privacy Guides community on Lemmy, which can be verified here. Other “Privacy Guides” communities on other Lemmy servers are not moderated by this team or associated with the website.
Moderation Rules:
We prefer posting about open-source software whenever possible.
No soliciting engagement: Don’t ask for upvotes, follows, etc.
Surveys, Fundraising, and Petitions must be pre-approved by the mod team.
Be civil, no violence, hate speech. Assume people here are posting in good faith.
Don’t repost topics which have already been covered here.
News posts must be related to privacy and security, and your post title must match the article headline exactly. Do not editorialize titles, you can post your opinions in the post body or a comment.
Memes/images/video posts that could be summarized as text explanations should not be posted. Infographics and conference talks from reputable sources are acceptable.
No help vampires: This is not a tech support subreddit, don’t abuse our community’s willingness to help. Questions related to privacy, security or privacy/security related software and their configurations are acceptable.
No misinformation: Extraordinary claims must be matched with evidence.
Do not post about VPNs or cryptocurrencies which are not listed on privacyguides.org. See Rule 2 for info on adding new recommendations to the website.
General guides or software lists are not permitted. Original sources and research about specific topics are allowed as long as they are high quality and factual. We are not providing a platform for poorly-vetted, out-of-date or conflicting recommendations.
Soms don’t even care.
Is Govee any better or worse than any of the other brands?
Their app is awful
I honestly still don’t get, what exactly all this is for.
Why are companies pumping more and more money into advertising? What do they expect us to do? Most people can’t spend more money and if you have to increase prices because of your overblown ad budget, they’re even less likely to do so.
And what exactly are they thinking they’re getting from companies like Google and Meta? The amount of ads I get that are actually relevant and not super-obvious is miniscule. Ad tech does not work even remotely as well as advertised.
I, too, am curious if there’s an advertising bubble. I hope so.
I’ve noticed something about my wife, though. She’s not a “mindless capitalist zombie with the sole goal of owning more stuff”, but she does pay attention to advertising a lot. We need more diapers? Well, it just so happens there’s some new startup app that’s advertising a free first month, so if she signs up for that up, we could get free diapers, and we’d only have to keep the membership for another two months, and they have deals on peanut butter, and we’d get access to their free streaming service and they have Disney, so it’s probably worth it overall.
And so it goes, with a million of these deals. The thing is, each “deal” is so complicated that it’s extremely difficult to know which ones we’re actually saving money on. The cynical would say “you’re never saving money: everything’s rigged”, but that’s clearly not true. Some of these deals clearly do work out for us (and some of them cause the startup to immediately go bankrupt). But most of them aren’t clearly better or worse for us: we’d have to spend several hours going through hypothetical scenarios to do the full CBA, which we don’t do.
I do wonder, on balance, how much it’s costing us. I also wonder how many of these deals are specifically (personally) targeted at my wife because they know what she needs and what her habits are.
That’s because you’re not a typical consumer. Average consumer those ads target is a mindless capitalist zombie with the sole goal of owning more stuff. Especially in US (but not only) people are trained by their capitalist master that ‘you are what you own’ and spending money is a way of living there. I’m sure you see it everywhere. People go absolutely crazy over brands like Marvel or Star Wars and spend thousands of dollars on useless gadgets. People go crazy over snickers and buy hundredths of pairs. People go crazy over phones and and take credit just to own the latests model. And the ads are there to program those people into wanting more and more things.
You’d be surprised the amount of times I’ve heard someone say they got something after seeing a targeted ad. I personally just zone out until the ad’s done. It’s hard to believe people actually pay attention, and then go so far as clicking the ad and buying the product.
Is it zero?
It definitely should be, but I have heard at least 2 people make that statement, so the fact that it’s not 0 is mind blowing. Maybe I just need better friends.
You don’t get it because you don’t have the endless supply of information on ever man woman and child on earth.
The information is valuable so they can continue to squeeze every cent out of everyone I’m every way possible, including those who can’t afford to spend it.
deleted by creator
Or, bear with me, just send a massive amount of spam mails to leaked mailing lists. Maybe 1 in a million reacts and you scam them (cfr all the “Nigerian prince” scams.
A looooot less work because the victim’s will contact you themselves. No need to go and “compare which phones show up together and them figure out why they were together and then figure out if it was an affair or not and then contact them in the hopes they care enough to pay ransom”
I guess your username makes sense.
deleted by creator
As a high value individual you have to accept that you’ll always be a target. Nobodies like you and me on the other hand? Nobody will bother.
Will Mulder rescue me then?
Seriously, that sounds like such a bullshit approach. It’s uneconomical for the criminals. It’s super involved and doesn’t pay that much. Why would anyone do that, if regular fraud is right there to commit.
deleted by creator
But not like that. And not on a scale that would justify all that investment. These crimes only happen in your mind.
deleted by creator
Security risk is the bigger concern IMHO. These devices are often a security weak point for networks. Putting them on their own wifi network and then isolating that network is critical.
How can you ensure this is done? There are so many devices that need to connect to the internet and some that require access to other network devices to function.
You basically need to employ network engineering level security - very tight firewall rules, use NAT where it’s available (IPv6 removes NAT, which ipv6 apologists will tell you is a good thing - they’re wrong, as it removes per-service level control and moves it out to per-device/per-NIC), and punch very specific holes to grant access where needed.
Prevent north/south traffic entirely, limit east/west traffic heavily
Happen to have any resources outlining these steps for the average consumer?
Tasmota & ESPHome are the ways to go 🙃
Plus Zigbee devices with your own coordinator and Valetudo for robot vacuums 😌
I don’t think that the issue is that people don’t know; people don’t care. They don’t understand how horrible the loss of privacy is, and think that the marginal convenience of being able to control your thermostat from your workplace, or have your refrigerator add milk to your shopping list outweighs the negatives of them being turned into botnets, or monetizing all of your data to squeeze every last penny out of you.
You say you don’t think the issue is that people don’t know then immediately begin with “they don’t understand…”
What’s the difference?
The difference is the part immediately after you stopped quoting:
What OP is saying here is that people know abstractly that smart devices are not privacy friendly, but they don’t understand how big a deal that actually can be.
So what you guys are saying is that people have no idea how much their privacy is being invaded.
Not understanding is the same as not knowing. I know that a car pollutes the environment but I don’t understand just how much. I don’t know the info.
And don’t understand the extent of its impact.
Exactly, they aren’t the same.
I also feel many don’t understand the full extent, either. They’re used to using fairly secure devices in their everyday life (often not realizing how much the software they install is also spying on them), so why wouldn’t these IoT things also be secure?
In my experience, it’s all very vague and ethereal until the risks are highlighted for them. “So what if Google can read all of my emails? What could they possibly do with that information, anyway; why should I care?” is an example of a portion of a real conversation I’ve had.
What’s really maddening is realizing that secure spying is still spying.
I agree. There are far too many people with the “if I’m not doing anything wrong, then what have I to hide?” mindset. I’ve seen people unironically say that all Tor users must be engaging in illegal activity, and I don’t think it occurs to them that in many parts of the world, freely accessing information is an illegal activity, and by adopting this mindset we’re empowering that type of state.
I like the way a coworker put it to me, it’s the same reason we have locks on our doors and curtains on our windows, it’s not because we have something to hide, but a right to privacy that tech giants have widely ignored.
We also shouldn’t be conditioned to just accept terms of services with no recourse, by this point I think most people just press accept and know by now whatever it is there, isn’t worth the trouble of fighting to have it changed. So companies get to legally have a free for all with your privacy, cause you consented to things you’ll later find out you didn’t even know you consented for.
ToS are the worst thing ever. They are “contracts” that you are required to sign to do literally anything in the world but are not allowed to negotiate and can be modified at any time without your consent and your original signing is propagated to the new contract and it is still considered binding. Also, they are allowed to put clauses in which hand over rights to your property, intellectual or otherwise, which is irrevocable and perpetual. Additionally, you have many “software” providers putting clauses in which state that you only lease the license, you do not own it. Even if you have a physical media with the software, you only purchased a lease and it is therefore illegal for you to resell it. They are also allowed to revoke your lease at anytime, without recompense of any sort. That is the real power of SaaS, not the subscription, but the fact that nobody is ever allowed to own something, no matter how much money you have paid.
Yes, as others have said, they are virtually unenforceable, but it does happen often enough to make sure you are afraid of it.
The TOS are the legal equivalent of a locked car door. It’s the bare minimum prevention against a lawsuit, but really doesn’t protect anything. It’s because they are so long and opaque that they are often unenforceable.
No reason to care when the TOS can be changed at any time, and who wants to read it once much less every times they want to use a thing?
@snooggums @throws_lemy @HelixDab2 @Jessvj93 tosdr is the solution to that!
It helps once, but does it push notifications when the TOS changes from the last time you read it?
The TOS could switch from protecting your data to sharing it for money at any point in time and that would apply to any existing data. Unless you know you can get them to delete it, the fact that the TOS used to say something does not matter once they change it.
@snooggums @throws_lemy @HelixDab2 @Jessvj93 ofc that’s always the risk you take when using any service. Sadly a lot of the time the ToS is so long it’d take forever to read but this is the closest I’ve been able to find to quick overviews on the the ToS of a specified service.
Note that it does not have every service critiqued as I think ppl with TOSDR manually read the ToS and evaluate.
The best solution IMO is don’t let your smart devices have access to the internet. Put them on a VLAN, block them at the firewall, whatever method you prefer. Accessing your home network remotely is one thing, but your air conditioner doesn’t need to INITIATE a connection to the outside world.
deleted by creator
You should never fully trust ANY device on your network. Even if it’s not collecting your personal information and sending it off to who-knows-where, there could always be a zero-day exploit just waiting for someone to find it.
deleted by creator
You’re correct about an outside individual accessing your network, but that still doesn’t prevent a device on your network from phoning home.
I think most people have at least some open ports, though. Isn’t port forwarding required for a lot of online games? It used to be at least.
deleted by creator
That’s what I did 🙃 Unfortunately, some devices do not work at all without a connection to the manufacturer’s cloud, this also needs to be taken into account.
A long while ago, my first foray into smart home stuff was a Phillips Hue system. I used to use it exclusively offline, but I got deeper into smart home stuff and wanted to add some integration into my system. I don’t remember what anymore, but it meant setting up a Hue developer account, so I signed up. Gave them my email address. Stopped using the integration, moved, reset the hub, used it offline for years.
This February I logged into the hub for some reason. I think an accessory wasn’t working and Hue user docs said to log in or some such nonsense.
Five days ago, I got an email from Amazon. They told me that one of the batteries in a Hue switch was running low, and they helpfully provided me with a link to buy new ones. Their page for the device indicated that they were being updated with its battery percentage every 4-8 hours - and that I had authorized Alexa access to my Hue system in February.
I checked the Hue app, and it indicated no apps or services connected to my account.
Logged into the Hue website, dug into my settings, and there were a dozen app’s and services that had been “authorized” to access my account - none that showed up in the app.
Every smart device that has been on my network - devices that I never integrated with Hue (on purpose!) were all happily showing very recent access times to my data. Systems I don’t have accounts to anymore. I revoked access, of course.
Three days ago Amazon emailed me to let me know a different device needed a battery, and showed that Hue had shared the battery level of the device with them that day - 2 days after I revoked access.
Yeah… all their products are getting trashed, reflashed, or used with zigbee hubs I’ve built.
Used this tool just yesterday to stop some bulbs I got at Costco connecting to the cloud.
https://github.com/tuya-cloudcutter/tuya-cloudcutter
Having to hack even bulbs to avoid being spied on is a new level in dystopia.
I have flashed all the bulbs and ceiling lights in my house and they work locally on FOSS firmware now 😉 It is not a big deal. I have very poor soldering skills, and I did this anyway.
Oh, I could make it worse if you’d like? That tool isn’t made for just the bulbs I got at Costco, it’s made for any device in the Tuya ecosystem. What’s Tuya? They’re a Chinese white-label manufacturer that makes smart devices that other companies can slap their brand on. They’ll throw you together an app too, but all of the API calls go through their infrastructure. Bonus, they also make security cameras that send footage to their servers, and smart locks too. They’re literally everywhere, but I’m in Australia so that’s where I’m basing this list:
And that is, quite literally, only to name a few.
Thanks mate.Moving forward I am Not going to buy anything “smart”
I mean, there are still plenty of ways to have smart things that don’t communicate with the internet. Ikea’s stuff is all zigbee, they don’t have wifi at all. You can get one of their hubs to control from your phone, or they sell remotes with zigbee you can pair directly to control a set of bulbs. They never have to see internet at all.
@princessnorah @yoz rlly??? I might have to look into this!
deleted by creator