Whether it’s your air fryer or your video doorbell, many of us now use several smart devices in our day-to-day lives.
But new research may have you reassessing which gadgets you keep in your home.
Experts from Which? have warned that four unexpected devices could be spying on you.
In their study, the team rated popular smart devices across six categories – consent, transparency, data security, data minimisation, trackers, and data deletion.
Based on these ratings, the researchers gave each product an overall privacy score.
Their findings reveal that several popular air fryers can listen in to your conversations and even send your personal data back to China.
Meanwhile, several smart speakers are ‘stuffed’ with trackers – including Facebook and Google.
‘Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency,’ said Harry Rose, Which? magazine editor.
Whether it’s your air fryer or your video doorbell, many of us now use several smart devices in our day-to-day lives. But new research may have you reassessing which gadgets you keep in your home. Pictured: Aigostar air fryer
In their study, the team rated popular smart devices across six categories – consent, transparency, data security, data minimisation, trackers, and data deletion. Based on these ratings, the researchers gave each product an overall privacy score
Air fryers
Which?’s analysis revealed that three products – Aigostar, Xiaomi Mi Smart, and Cosori CAF-LI401S – knew their customers’ precise location, and wanted permission to record audio on the user’s phone.
The Xiaomi app linked to its air fryer connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user), while the Aigostar air fryer wanted to know the user’s gender and date of birth when setting up an account.
Meanwhile, both the Aigostar and Xiaomi air fryers sent personal data to servers in China – although this was flagged in the privacy notice.
In response, a Xiaomi spokesperson said: ‘The permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat.’
A Cosori spokesperson added: ‘We prioritize privacy, and subject to our internal compliance requirements, the smart products must comply with GDPR.’
Aigostar did not respond to a request for comment.
Smartwatches
Huawei’s device was found to request a staggering nine ‘risky’ phone permissions, including your precise location, the ability to record audio, access to your stored files, and the ability to see all other apps installed
The Kuzil (left)and WeurGhy (right) were found to be essentially the same product, which Which? says is a common problem on marketplaces where little-known brands sell near identical goods. Both smartwatches required consent to work, and if declined, they only operated as basic watches
In the smartwatch category, Which? tested the three most popular devices sold on Amazon – the Huawei Ultimate, the Kuzil, and WeurGhy.
Huawei’s device was found to request a staggering nine ‘risky’ phone permissions, including your precise location, the ability to record audio, access to your stored files, and the ability to see all other apps installed.
In response, Huawei said that these permissions all had a justified need.
‘Huawei takes consumers’ privacy incredibly seriously,’ a spokesperson said.
‘Clearly, to be useful lifestyle and health/fitness partners, smartwatches require permissions to access a number of personal data; we are very clear both on the devices at set-up, and on the companion app Huawei Health, which permissions are required and why, and users have full control over turning them on or off at any time.’
Meanwhile, the Kuzil and WeurGhy were found to be essentially the same product, which Which? says is a common problem on marketplaces where little-known brands sell near identical goods.
Both smartwatches required consent to work, and if declined, they only operated as basic watches.
Which? also found none of the legally required information on how long the smartwatches would be supported with security updates.
However, both watches did not appear to use any trackers.
WeurGhy and Kuzil were uncontactable.
The Hisense 40A4KTUK (pictured) and Samsung EU43CU7100KXXU both required a postcode at set up, while the LG 43UR78006LK asked for a postcode, although this was not mandatory
The Hisense smart TV did not connect to any trackers that Which?’s researchers could detect, but Samsung and LG linked to several of them, including Facebook and Google. Pictured: LG 43UR78006LK
Smart TVs
Which?’s analysis found that smart TV menus are ‘littered’ with ads and ‘thirsty’ for user data.
The Hisense 40A4KTUK and Samsung EU43CU7100KXXU both required a postcode at set up, while the LG 43UR78006LK asked for a postcode, although this was not mandatory.
Samsung’s TV app requested eight risky phone permissions, including the ability to see all the other apps on the phone.
The Hisense smart TV did not connect to any trackers that Which?’s researchers could detect, but Samsung and LG linked to several of them, including Facebook and Google.
In response, Samsung said: ‘At Samsung, the security and privacy of our customers’ data is of the utmost importance. And we employ industry-standard security safeguards and practices to ensure that the data are secured. Customers are also given the option to view, download or delete any personal data through their Samsung accounts.’
A Hisense spokesperson added: ‘Hisense UK values its relationships with its customers and respects their data privacy rights.
‘We are compliant with all UK data privacy laws and only capture the postcodes of our customers to enable them to receive regional specific content, enhancing their user experience.
Which? tested the Bose Portable Home Speaker (left), Amazon Echo Pop (right), and Google Nest Mini (Second Gen)
‘If users are concerned, then many of our TVs will accept a partial postcode.’
LG declined to comment.
Smart speakers
Which? tested the Bose Portable Home Speaker, Amazon Echo Pop, and Google Nest Mini (Second Gen).
Bose’s speaker and app was found to take the fewest upfront phone permissions of the three devices tested, but was ‘stuffed’ with trackers.
This included Facebook, Google, and digital marketing firm Urbanairship.
The Bose speaker also scored poorly on how it secured customer consent for data tracking.
In contrast, the Amazon Echo was found to give useful options to skip various requests to share data.
However, both the Amazon and Google accounts needed to use the Echo Pop or Nest Mini, respectively, do not give users an easy option to opt out of trackers.
An Amazon spokesperson said: ‘We design our products to protect our customers’ privacy and security and to put them in control of their experience.
‘For example, we build easy-to-use controls for our customers—these include physical buttons or shutters, simple in-app controls, and prompts within the device set up experience—and have created resources that explain how our devices and services work and the options available to customers.’
A Google spokesperson added: ‘Our customers’ privacy is very important to us and Google fully complies with applicable privacy laws and provides transparency to our users regarding the data we collect and how we use it.
‘For those moments when users want additional privacy controls on Google Nest smart speakers and displays, users can use Google Assistant in Guest Mode.
‘When in Guest Mode, Google Assistant won’t say or show personal results, personal contacts, and automatically deletes audio recordings and Google Assistant activity. ‘
How to improve your data privacy
Based on the findings, Which? has given several pieces of advice on how you can improve your data privacy:
Care about what you share
Some data collection is optional during setup, and that means you can opt out (although potentially with consequences in terms of functionality). Only share what you are comfortable with.
Check permissions
On iOS and Android, you can review permission requests before downloading an app, and check what each app has access to in your settings.
Deny access
Also in your phone settings, you can potentially deny or limit access to data such as location, contacts, and so on. Although, that might stop or limit aspects of the app.
Delete recordings
Using the Alexa and Google Assistant settings, you can set your voice recordings to be deleted automatically rather than stored after a period of time.
Read the privacy notice
Do at least browse the policy, particularly the data collection sections. You have the right to object to a company processing your data.
