It seems that companies developing the connected devices that make up the Internet of Things are in a constant race to release new technologies while potentially compromising on privacy.
It emerged this week that certain models of Samsung’s smart TVs are able to record conversations while voice recognition is active.
Samsung’s Terms and Conditions read:
“Samsung may collect and your device may capture voice commands and associated texts so that we can provide you with Voice Recognition features and evaluate and improve the features.”
“Please be aware that if your spoken words include personal or other sensitive information, that information will be among the data captured and transmitted to a third party.”
So while voice recordings will only be made while the feature is active, the Terms and Conditions do state that:
“If you do not enable Voice Recognition… while Samsung will not collect your spoken word, Samsung may still collect associated texts and other usage data so that we can evaluate the performance of the feature and improve it.”
I have blogged and spoken on privacy and the Internet of Things several times and it is disappointing to find that privacy and security are still not part of the design process for most consumer IoT devices.
First, in 2013 I highlighted the amount of data that is being generated by each and every user of connected devices, often without their knowledge or understanding.
Then, in 2014 I revealed how voice activated technology could be used to manipulate devices into executing unauthorized commands such as sending emails, or controlling a smart TV.
How Voice Activated devices can be hacked
Here we have the two issues combined into one
- End users are likely unaware that their data is being collected while using the voice command feature. Likewise they don’t understand that this data is used and shared.
- The dangers of voice activated technology and how they can be used in potentially harmful ways. If you entered sensitive data such as a password via voice recognition, it may seem safe. Voice command records can be stored and stolen just like written files.
Users may not understand that while Samsung’s privacy policy contemplates the use of active voice commands, voice activation features can be used both actively and passively, meaning that devices can be constantly recording sound and identifying activation commands.
There is, as such, a potential for privacy issues here.
It’s about time that manufacturers of smart devices started taking the privacy and security of its users seriously. Only a few weeks ago a wireless baby monitor was hijacked and the attacker communicated directly with the nanny through the device.
After CES 2015, I commented that privacy should be at the very heart of the Internet of Things, a sentiment echoed by the FTC and its Chairwoman Edith Ramirez in their report on the Internet of Things.
Hopefully, it will not be too long before the public and electronics producers realize that going online should not mean surrendering your privacy.