America's Favorite Door-Locking App Has a Data Privacy Problem

An anonymous reader shares a report: Latch is on a mission to digitize the front door, offering apartment entry systems that forgo traditional keys in favor of being able to unlock entries with a smartphone. The company touts convenience -- who wants to fiddle with a metal key? -- and has a partnership with UPS, so you can get packages delivered inside your lobby without a doorman. But while it may keep homes private and secure, the same can't be said about tenants' personal data.

Latch -- which has raised $96 million in venture capital funding since launching in 2014, including $70 million in its Series B last year -- offers three products. Two are entry systems for specific units, and one is for lobbies and other common areas like elevators and garages. The company claims one in 10 new apartment buildings in the U.S. is being built with its products, with leading real estate developers like Brookfield and Alliance Residential now installing them across the country.

Experts say they're concerned about the app's privacy policy, which allows Latch to collect, store, and share sensitive personally identifiable information (PII) with its partners and, in some cases, landlords. And while Latch is far from the only tech company with questionable data practices, it's harder for a tenant to decouple from their building's door than, say, Instagram: If your landlord installs a product like the keyhole-free Latch R, you're stuck. The issue of tenant consent is currently coming to a head in New York City, where residents of a Manhattan building are suing their landlord in part over privacy concerns related to the app.

Most smart lock are easy to by-pass

[BigFire]

Here's a video by a locksmith demonstrate it

https://www.youtube.com/watch?... [youtube.com]

Re:

[Anonymous Coward]

I'm sorry, but Kwikset =/= Latch. Thanks for playing though. Call in again soon!

Re:

[Milvuss]

Vigik were at first designed to allow mailmen and other utility workers to access the common spaces of a building securely. Before this, in the 90s, they had a metal key pass who could open any front door of most parisian buildings. Of course, after some years this pass was easy to obtain for anyone. The Vigik was conceived as a time limited pass, as to make any lost/stolen/cloned badge useless.

Then a access control targeted at regular people living in the building was added, using the same hardware, but no

Re:

[DarkRookie2]

This isn't going to happen.
People have yet to give up their Facebook account.

Oh hell no

[cmdr_klarg]

How is fiddling with a cell phone to unlock my house more convenient than the old fashioned way? To let a delivery person into my house? Nope.

I'll keep fiddling with my keys, thank you.

Re:

[Anonymous Coward]

It applies to what it applies to. "Obsolete" locks are in use right now, there was no "recall" or "replacement" drive. Sure a brand new lock might be better, but then, they will attack other vulnerable points. That wasn't the original point.

The original point is that people trust shitty locks because whizbang/technology/shiny insert your reason. They aren't going to locksmiths who test their products out, they're taking what Kay-Bee home builder gives them. Or "lockpro" guy.

"and used by locksmiths for

Re:

[Anonymous Coward]

What an absurd argument.

Door locks are, in themselves, useless. If someone can pick a lock, someone can walk up and kick in a door, smash a window, and no... one quick loud sound won't have people/neighbours running to investigate. That's why people have alarm systems, if locks actually kept people out? You wouldn't need an alarm, thank you.

And pointing to ONE traditional locking system, and saying "LOOOK!!! Pathetic, traditional locks are insecure!" is an absurd argument, especially when their overall

Re:

[sarren1901]

If there is some kind of blue tooth device in the door lock, the phone could connect to it before you reach the door and you would just enter. Be like the keyfobs for cars that you leave in your pocket the whole time. You just walk up and open the door, press start and go. When you walk away the car locks. It's about 5 feet.

You still have your metal key for backup but it's pretty nice never fishing for keys. I'm tempted to do some research and build this myself for my own front door. Definitely putting it i

Re:

[Hognoxious]

Outer door on a cord round my neck. Inner door on a lanyard through my belt with one of those clip things for attaching dogs.

I figure that if I come home with no head and missing my trousers I've got bigger things to worry about than keys.

Re:

[AmiMoJo]

The idea is that it unlocks the door when you get near it with your phone. The phone notices it has connected to your home wifi or uses location services.

Just make sure that if someone steals your phone they don't know where you live, or they won't even have to break in...

Re:

[q4Fry]

Also makes things easy for someone to follow $resident into the building.

Re:

[Hognoxious]

How is fiddling with a cell phone to unlock my house more convenient than the old fashioned way?

You haven't noticed that most people have their phone out all the time?

Re:

[skids]

I'm sure this will drive up phone sales, in that many more phones will be dropped while simultaneously manhandling a bag of groceries.

Not that metal keys are awesome, but if you want to make a NFC or proximity lock, give me a separate fob which I can drop on the floor and step on with no worries.

Re:

[Deep Esophagus]

... a partnership with UPS, so you can get packages delivered inside your lobby without a doorman.

But while it may keep homes private and secure

I don't think those two statements can be equally true in this universe.

Mechanical locks need no power or network

[Nkwe]

Mechanical locks need no power or network. If power or network is not available I still want to be able to get in (and be able to lock the door so no one else can get in.) Mechanical locks need physical access to change the key, so they are not likely to get changed on accident. One data glitch or administrative mistake by someone in some other city, and I can't get in. I strongly prefer a mechanical lock with a physical key over an electronic one.

Re:

[Anonymous Coward]

Not to mention that time you're running back home to use the toilet but you have to update the lock firmware before you can open the door.

Re:

[Anonymous Coward]

Given everything else that's wrong and stupid with these products, I'm willing to bet that they fail open after a power/network loss. ;)

Re:

[Anonymous Coward]

Well you wouldn't want to be locked in the home. What if you lost power because there is a fire and you need to get out of dodge fast? Fail to open is definitely safer then fail to lock.

Sure, I get it. If a thief disables the power, the door is wide open. Clearly not good, but then the common thug isn't even capable of disabling the power to your structure. Someone with more knowledge of power and electricity could very likely bypass the door lock anyway.

Re:

[Fly Swatter]

Who would buy a product that you can't unlock physically from the inside? The national fire code council and every fire department would publicly denounce such a product that failed to let you unlock (from within) a residential door during a fire or power outage.

Re:

[AHuxley]

Mechanical locks dont show a random person who was trying to get into a home.
What they look like, the time they attempted to get in and what method they tried to use.

Re:

[Dutch Gun]

Why in the world would you want your door lock to do that? That's what security cameras are for.

Re:

[AmiMoJo]

It's like keyless entry for your car. You are supposed to keep a physical key available in case it doesn't work... Of course with the car the key is built in to the fob, with these things you have to carry both your phone and a separate key to be sure of being able to get back in.

The bigger issue is that it can be unlocked over the internet. Historically that has not been very secure.

Almost as secure as

[bobstreo]

hiding a spare key under a doormat or in a fake rock.

I can see the interest in door cams, considering delivery thefts, and people knocking on your door in the middle of the night, but door locks?

Sounds like another solution waiting for a problem to solve.

And even better, when the new version comes out, and your old lock is "no longer supported, or the app gets rejected from the app store, where are you then?

Re:

[WillAffleckUW]

In the old days, people would have a designated box outside (or even next to the door of) their house, one that would require a key to open (but not get entry inside). It worked fine. For centuries.

You give the delivery service one of the keys.

This was used for: ice delivery, milk delivery, newspaper delivery.

Some versions had a one-time-only settting. After you emptied it, the action of resetting the key would allow one use to deposit something inside, automatically locking it after. The best part was fin

Re:

[WillAffleckUW]

They used something called fish keys. Try watching Antiques Roadshow sometime.

Re:

[Nethead]

Use to be called? I'm always fishing for my keys.

Re:

[sjames]

So? The pin tumbler lock is hardly the first lock invented.

Re:

[Nethead]

The 12" x 10" x 10" aluminium and fiberboard milk case from Darigold was my first electronics project box when they stopped delivering back in about 1966.

If they go bankrupt

[WillAffleckUW]

The privacy information will be sold to a third party, in the event the firm goes bankrupt. Who can then do anything they want with it.

Source: multiple court decisions over the last two decades.

SOLUTION IN SEARCH OF A PROBLEM!

[Rick Schumann]

Yet again.
We do not need this nor do we want this! Dumb idea.
If anything I'd want more secure mechanical locks, locks that can't be picked easily or at all, not adding extra attack vectors.
That's not even touching on the privacy concerns: now we'll have some shitty corporation logging when we enter and leave our own homes, too? Fuck that!
STOP SURVEILLING US IN OUR HOMES, DAMNIT!

Re:

[JaredOfEuropa]

Speak for yourself. In larger buildings like offices or rental properties, key management can be a pain in the rear. It’s nice to be able to revoke keys instead of having to replace locks (and issue new keys to everyone) if a tenant loses their key to the front door.

With that said, you’ll definitely want a system that doesn’t gather data and works offline.

Re:

[Hognoxious]

I'm sorry Dave, I'm afraid I can't do that.

Who what why? An app for what??

[Bobrick]

I'm willing to bet the people that would use this are the same fucking morons that went out to buy a "smart" speaker. Go ahead and connect your door lock to the internet, you get what you deserve if you're that fucking dumb

Re:

[bgrahambo]

If you're paranoid about a "smart" speaker, I've got some bad news for you involving an always on, networked, portable, listening device that's been installed in your pocket for years

Re:

[quonset]

*checks pockets*

Nope, nothing. What device are you talking about? I see absolutely nothing installed in any pocket I look in.

Re: Who what why? An app for what??

[Zero__Kelvin]

Yep ... None of us doubt there is nothing down there.

Re:

[Bobrick]

I'm gonna assume you mean a cellphone? I did not have one "for years" and it sure as fuck ain't in my pocket wherever I go, but sucks for you if you're dumb enough to let that thing in your pockets all the time?

Whats the problem?

[AHuxley]

People all over the USA will see and understand more about who is trying to enter their homes?
A company will have data sets on who attempts to enter a home to do crime?
Do the new stats track with what the FBI has found for decades and decades about who does crime and in what parts of the USA?
Thats not a privacy problem. Thats selling product the will secure a home from criminals and allowing people to better understand who is doing crime.

People trying to get into a home to do crime should be detected

Re:

[MadKeithV]

Anyone who got access to your smartphone probably had to get past your physical keys while they were at it.

Don't Use These Locks!

[WindowsStar]

There are already several paid apps that will open these locks. They are not secure in any form. The data issue is just the icing on the cake.

Behavior analyze part of unlocking a door!

[fluke11]

It looks like previous versions of the Android app from Latch makes use of Mixpanel [mixpanel.com], Fabric [fabric.io] and Branch [branch.io] to do such things as:

• Analyze user behavior across your sites and apps.
• Deeply analyze behavior
• Uncover behaviors that correlate with healthy and unhealthy users
• Capture every customer touchpoint across any channel, platform, and OS

I see now why Latch CEO Luke Schoenfelder declined to be interviewed. This seems really creepy things to be doing in an app that should simply unlock a door. I am almost 100% confident that Latch will never open source their Android application to increase transparency for security and privacy despite that being key features you would want out of this type of application.