Set-Top Devices

Let’s start with the first group—entertainment devices, typically those hooked up to your TV. (I know they no longer go on top of your TV, the geometry of flat-screen televisions being what it is, but they’re still commonly called set-top devices.) Such products can tell providers and advertisers a lot about your tastes and interests. For example, if you stream videos from Amazon or Netflix to your TV, the provider will know what you watch and at what time of day; from this, they could attempt to deduce your age, gender, political persuasion, and whether there are any children in your home—as well as when you’re home and when you’re away.

That’s just the start. Here are a few other ways a set-top box might infringe on your privacy:

• A set-top box (or your TV itself) might include a camera and microphone for video calls, and your remote control might also include a microphone. These cameras and mics can be misused just like the ones on your computer (see Mind Your Camera and Microphone)—without your knowledge, other people could see you and hear what you say in your own living room.

• Devices like Xbox Kinect can often accurately determine how many people are in a room, as well as their gender and even age.

• A Blu-ray or DVD player may send information about discs you play and features you use to online services such as Gracenote, as well as to the manufacturer and its partners.

Furthermore, your privacy controls are limited—you may not be able to configure settings or install extra software as you can on a computer or mobile device, and using a VPN is generally out of the question. (Using a VPN Router can often help—it can provide a VPN connection to all your devices, albeit with a speed penalty. But assuming they don’t block you for using a VPN, video providers still know who you are and what you watch because you must log in, so you’re not gaining much privacy that way.)

As privacy concerns go, I have trouble working up much anxiety about set-top devices, and there’s not much I could do about it anyway (other than stop using them). But you should at least be aware of the sorts of data you may be giving away. And if you’re in the market for a new device in one of these categories, look carefully for any hints that the manufacturer offers you control over privacy settings—that’s definitely a selling point.

Web-Connected Cameras

Let’s turn our attention to a class of devices that you should definitely be quite anxious about: web-connected cameras. These come in every conceivable shape and size, with many different intended uses. Some are designed for monitoring your baby sleeping in the next room. Some (so-called nannycams) are for keeping an eye on the babysitter when you’re out, and are often disguised or hidden in other objects. Many are intended as home security devices—they record all the activity in their field of view (often with motion activation) and can send it to the cloud or stream it to your mobile phone. Still others are built into doorbells, toys, and games.

Whatever the configuration or sales pitch, when you put a camera in your house that’s connected to the internet, all the usual rules apply. That is, you should assume that anyone on the internet can see everything the camera sees.

I know what you’re thinking: I had to use a special app and go to a special site and use a special username and password! If I had to do all that, surely my cameras are safe from hackers. Right?

Yeah, not so much. One of the biggest reasons is that most people don’t bother changing the factory-set default passwords for their security cameras, and those are easy to find. So easy, in fact, that a Russian website broadcasts live feeds of tens of thousands of cameras from hundreds of countries—all of them without their owners’ knowledge, and many of them showing kids at play and other private household activity. (See Hacked Footage from Baby Monitors and Webcams Being Broadcast on Russian Site for one story about this site.)

So of course you should immediately change the password for any such device you use, and make it a good one. (Again, see Take Control of Your Passwords for advice.) But that may not be enough, devices such as these (or the servers they connect to) could have security flaws that give outsiders access. At the very least, I suggest turning off the cameras (or pointing them at a wall) when they’re not in use, and as with set-top devices, read up on the manufacturers’ security and privacy claims.

Other Connected Objects

When it comes to appliances, light bulbs, home-automation equipment, and the like, things get even more complicated.

Home security systems are designed to know when someone is at home, and in many cases, where in the home someone is—and that information could be misused in numerous ways. Perhaps your security company is completely trustworthy, but someone who hacks into your home system (or the monitoring company’s computers) could learn enough to carry out a serious crime.

You may also be aware of the huge controversy that occurred when Google bought smart thermostat manufacturer Nest. Since Google is in the business of learning everything about you in order to sell advertising, users worried that their heating and cooling habits (and what those implied about their schedule, tastes, and so on) might be used for purposes they never agreed to. Google insisted that wouldn’t happen, of course, and the controversy eventually faded. But then in February 2019, it came out that Nest Guard, a component of the Nest Secure home security and alarm system, contained a microphone that Google never informed its customers about. That was…troubling, to say the least.

Speaking of microphones, there are numerous devices whose purpose is to listen to what you say in order to play music, order groceries, speak the weather forecast, and perform other tasks—I’m thinking, for instance, of Google Home and products based on Amazon’s Alexa, such as the Echo line. Because these devices are constantly listening to audio in your home and sending that audio back to the developers for processing, potentially any speech that occurs in earshot of the devices could be used (or misused) for any imaginable purpose. Needless to say, I am not at all OK with Amazon, Google, or anyone else having access to audio recordings from inside my home.

But it gets worse. It’s one thing if Netflix knows I binge-watched Stranger Things last weekend. It’s another if some random company on the internet knows exactly when I’m away from home, asleep, or even in a particular room (because of the states of my home’s smart light bulbs, thermostats, or whatnot). It’s even more concerning to me if that data could be used to remotely unlock my door. That’s precisely what Amazon wants you to let it do with Amazon Key, a smart lock system that, among other capabilities, can let people delivering packages for Amazon unlock your door and place the packages inside your house. I’m not alone in thinking that’s a pretty bad idea.

And then there’s Facebook, a company that (as I may have mentioned in passing) has a staggeringly bad reputation when it comes to privacy, wanting to sell me Portal, a device with a camera, microphone and video screen that will sit in my house and connect directly to Facebook. I…can’t…even.

Even if the companies that develop these various internet-connected products are utterly trustworthy—and I obviously have some doubts about that—there could always be bugs or exploits that allow hackers to access them, and the range of potential problems is enormous.

Unfortunately, privacy controls for the average internet-connected Smart Thing are spotty at best—and with or without such controls, smart devices can be, and have been, hacked on a large scale (for example, to create a giant botnet to carry out a distributed denial of service, or DDoS, attack). Again, it doesn’t matter much if the objects in your home connect to the internet via an encrypted router or a VPN; once the data is out there, someone could potentially find and use it.

Even more unfortunate, I can’t offer any terrific advice here, except to repeat what I’ve said in other contexts: Be suspicious and circumspect when considering home automation products that involve microphones, cameras, sensors, or locks. Opt out of any nonessential data sharing. Don’t use default passwords. And keep an eye out for software updates and other privacy alerts from the manufacturers that may enable you to nip security problems in the bud.