Amazon and Google Now Require Continuous Data From Other Smarthome Devices (cnet.com) 67

An anonymous reader quotes CNET: For years, smart speakers from Amazon, Google and Apple have traded data back and forth with other devices in the home. This is how their voice assistants turn on the smart lights. But in early 2019, something changed: Amazon and Google began requiring continuous status-change updates from devices -- requiring, for instance, partnered smart bulbs to send data to Amazon or Google any time they are turned on or off... Before automatic status updates, if you asked your voice assistant to turn on the lights, Alexa or Google Assistant had to ping the smart bulbs to check whether they were already on, receive the status, then send the appropriate command. With status updates in place, the first two steps of that process were excised...

It was a seemingly small change and one that received modest media coverage, but some smart home developers are increasingly uncomfortable with the change... After probing further, it appears that not only do status updates make users and their data more vulnerable to attack, but it also gives these tech giants access to more home occupancy data than ever before. Despite the discomfort of numerous partners, Google and Amazon have shown no willingness to alter course... "[Status update] data gives platforms [like Google and Amazon] a privileged position that no one manufacturer enjoys," said Brad Russell, the Research Director of smart home devices at research firm Parks Associates Inc. While Amazon says it doesn't sell the data it gathers to third parties or use it for targeted advertising, that data is still of tremendous value to the company. In much the same way it can tell how many times per year Alexa users ask for the time, then create a product based on that data, Amazon can now tell where you spend your time in your house, when you're awake and when you're sleeping and countless other life patterns you're only vaguely aware of yourself.

Google, too, profits from this data, though it seems more reluctant to admit it.
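The two flows the summary describes, modeled as an added illustration (not code from CNET, Slashdot, Amazon or Google) to show how much more of a household's day the platform observes once devices push every state change. The event list is constructed and the function names are hypothetical.

```python
from datetime import datetime

# Constructed sample: one day of state changes for two bulbs.
# source "voice" = asked via the assistant; "manual" = wall switch or vendor app.
EVENTS = [
    ("06:42", "bedroom", "on",  "manual"),
    ("07:10", "bedroom", "off", "manual"),
    ("18:05", "kitchen", "on",  "voice"),
    ("19:30", "kitchen", "off", "manual"),
    ("22:15", "bedroom", "on",  "manual"),
    ("23:02", "bedroom", "off", "voice"),
]

def platform_log(events, model):
    """Return (observations, message_count) as seen by the assistant platform.

    model="query": per voice command the platform pings the bulb, receives
                   its status, then sends the command (3 messages).
    model="push":  the bulb reports every change; a voice command is sent
                   directly because the platform already holds the state.
    """
    if model not in ("query", "push"):
        raise ValueError(f"unknown model: {model}")
    seen, messages = [], 0
    for time, device, state, source in events:
        if model == "query" and source == "voice":
            seen.append((time, device, state))
            messages += 3                      # ping + status reply + command
        elif model == "push":
            seen.append((time, device, state))
            messages += 2 if source == "voice" else 1  # (command +) report
    return seen, messages

def activity_window(seen):
    """First and last time of day the platform observed any activity."""
    times = sorted(datetime.strptime(t, "%H:%M") for t, _, _ in seen)
    return times[0].strftime("%H:%M"), times[-1].strftime("%H:%M")

def lit_minutes(seen, device):
    """Minutes the platform can show a device was on (paired on/off only)."""
    total, on_at = 0, None
    for t, dev, state in seen:
        if dev != device:
            continue
        ts = datetime.strptime(t, "%H:%M")
        if state == "on":
            on_at = ts
        elif on_at is not None:
            total += int((ts - on_at).total_seconds() // 60)
            on_at = None
    return total
```

On this sample the query model exposes two observations starting at 18:05, while the push model exposes all six, including the 06:42 wake-up and every manual switch flip the assistant was never asked about.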

  • by Joe_Dragon ( 2206452 ) on Sunday March 15, 2020 @11:36PM (#59834032)

    So if your network is down then what?
    Can they get stuck on or off?

    • by E-Rock ( 84950 ) on Monday March 16, 2020 @12:02AM (#59834074) Homepage

      At least some of them. My son got a cool light strip and I was very surprised that there were no manual controls at all. Had to use an app to do anything.

      • by Anonymous Coward on Monday March 16, 2020 @02:11AM (#59834188)

        I once bought a Tzumi "smart" Bluetooth padlock because I found it on sale at a local shop. It turned out that in order to use it, you had to install an app, grant it network and GPS permissions, create a remote account and have a constant connection to the manufacturer's server. Every time you unlocked it, the app would supposedly phone home letting the manufacturer know the time and location of activation. I say supposedly because I never even got as far as installing their app. As soon as I found out that was a requirement, I smashed the lock with a hammer (so that nobody else could use it) and tossed it in the trash.

        Razer pulls this kind of spying shit for ALL of their products, regardless of whether it's a keyboard, mouse, phone or laptop, they want to spy on you.

        • And Tzumi were probably cheering because they made the sale AND then didn't have the ongoing bandwidth costs to support it. Win/win for them :)

      • by Calydor ( 739835 )

        Even that seems ridiculous. Instead of just turning things off you have to find your cell phone, find the right app, and from there turn off the lamp you've been standing next to all this time. What if your battery died?

        • The only responsible way to create a smart on/off device, and similar, is to have it communicate ONLY on the LAN / bluetooth.

          The whole "but you can manage (device) from anywhere if you have a cloud based system" is a benefit that comes with entirely too many downsides.

          When you had old school lights and thermostats, in-home-only was fine. No reason it can't still be fine, but with the added convenience of managing from anywhere in the home, just not anywhere in the world and via multiple third parties, comm

          • It doesn't have to be that way.

            While pretty much all (AFAIK) commercial home automation hubs "call home", which is indeed a major security issue, there are lots of alternatives today.

            If you don't mind diving into a little bit of DIY, there are many privacy-centered options today for your local network only. Like Home Assistant [home-assistant.io] and OpenHAB [openhab.org].

            Sure, they take more work to set up, but you get the comfort of knowing that nobody at Google or Amazon knows exactly when you turn on or off your vibrator or wha
      • "At least some of them. My son got a cool light strip and I was very surprised that there were no manual controls at all. Had to use an app to do anything."

          Send it back and tell them it is defective. Which is the truth.

        I wonder when the Telemetry Bubble will pop just like the DotCom bubble did 20 years ago?

    • ... bin the internet of shit bulbs and go buy some normal ones, then make the effort to use a switch to turn them on and off.

  • by ZorinLynx ( 31751 ) on Sunday March 15, 2020 @11:38PM (#59834036) Homepage

    The fact that we have to send data back and forth across vast geographical distances to offsite servers to make our smart home stuff work is absurd. All this should be operating purely on the local subnet with the Internet only required to control your devices from outside your home.

    This whole needing the Internet and company's servers to work thing is what has kept me away from deploying more smart devices in my home. So far I only have Philips Hue lighting, which operates locally.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      So far I only have Philips Hue lighting, which operates locally.

      Does it? Have you confirmed that the Hue bridge (which connects Zigbee to Wifi) doesn't require an internet connection itself through your router? i.e.: will it still work when connected to just a private Wifi network with no external access?

      • by JaredOfEuropa ( 526365 ) on Monday March 16, 2020 @02:53AM (#59834242) Journal
        Yes, Hue operates locally. The app (or your smart home hub) can connect directly to the hub, and works when your internet connection is down. There are also several smart home hubs that work the same way. I use the Vera hub, which offers remote access through their gateway server, but it’s entirely optional.

        Local connectivity should be your number 1 consideration when you buy any piece of smart home equipment. And even if a device does offer remote access, I prefer to disable it, firewall the device, and have my hub handle that.
      • Zigbee generally doesn't need an internet connection and AFAIR it is even possible to connect the switches directly to the bulbs bypassing the hub altogether.

    • by gweihir ( 88907 ) on Monday March 16, 2020 @12:01AM (#59834068)

      Naa, if this was all local, how would a) black-hats ever hack you and b) Amazon and Google ever profile your life?

      In other news, the more tightly coupled a system is, the less reliable and secure. Any good engineer hence avoids doing that.

      • by rtb61 ( 674572 ) on Monday March 16, 2020 @12:29AM (#59834120) Homepage

        So it simply needs a law. Does it need to send data to the people who sold it, to provide a benefit to the customer? No? Then ban it. Simply start issuing bans on server connections on devices that should be only locally controlled and locally updated, and only expressly with the owner's permission.

        • by dwywit ( 1109409 )

          That solution of yours is a bit at odds with your sig.

          Correction, it's completely at odds with your sig.

        • How else can the likes of Google and Amazon keep tabs on the validity of the various subscriptions they'll clearly be selling very soon for this 'tat'?
          It needs to phone home and if you have not paid your subscription the device in question is disabled. Don't pay for a month and it gets bricked.

          That is clearly the sort of society these companies want us to accept soon (there is no later for them)
          Pay $$$ for the device
          Pay $$$ each month to keep it active.
          Result is one happy Google or Amazon. They have you by

        • Companies like Google will argue that requiring all data to be sent to them is necessary. They may argue that it helps them “offer an improved experience” as they often like to say. And it may even be true: perhaps they come up with a machine learning supported cloud hub which will learn your habits and manage your house accordingly, with minimum effort on your part. They need the data for that, and the law does not say anything about having to make certain parts of their service optional (i.e.
        • by gweihir ( 88907 )

          Nothing simple here. Credibly faking a "benefit to the customer" is very easy. This is not something a law can solve.

        • by AmiMoJo ( 196126 )

          Why do you think people buy these things? They like being able to control their home remotely, even when far away.

          It's the same reason I like cars with connected services. I like being able to see the status of the car, enable the AC or unlock the doors remotely. Those are all useful services to me.

          Of course I'm aware that there are security issues to consider. But so far they seem manageable. With the home stuff I have a separate network for that gear and the firewall only allows outgoing connections to sp

        • While I personally view the IoT as amazingly stupid and wasteful, in no way would I support making it *illegal* for a device to work this way. If you want to be spied on, so be it. I don't, but go for the surveillance, dude.
          • by gweihir ( 88907 )

            Well, the main problem with IoT is insecurity. It is still far too easy to build a bot-net from cheap IoT things.

            Incidentally, without explicit opt-in and default-off, this behavior is already illegal in the EU due to the GDPR.

    • My SmartThings setup does not require an Internet connection; it uses one to allow control/monitoring from anywhere, but the few times my Internet's been down, the system still works.
    • by Z00L00K ( 682162 )

      And this is why I keep to normal physical breakers on the wall. Only when there's a hard to locate power outlet that I sometimes have to cycle because I have to reboot a device I have a radio-controlled switch on it, but it's still local. Of course a neighbor might be able to hack it, but the worst thing that will happen is that I will have to unplug the switch and deal with crawling on the floor each time I need to restart that device, which only happens a few times per year.

    • And this is rapidly getting more prevalent and absurd. And this is already pissing people off.

      Either I have full local control of the device (without using an "app"), or they can go fuck themselves.

    • Even the Philips Hue is going too far. I'm sticking with my Philips SceneSwitch [techhive.com].

  • by Anonymous Coward
    "He sees you when you're sleeping. He knows when you're awake. He knows if you've been bad or good. So be good for goodness sake." Words by Haven Gillespie, 1934.
  • by oldgraybeard ( 2939809 ) on Monday March 16, 2020 @12:09AM (#59834094)
    data grab by the big players. They are thinking that by doing it now (virus) no one will notice and they can get all 3rd party devices to include them 24/7/365 so they can market, sell and make even more money.

    I fail to see why anyone would have one of those devices in their homes. They are just there to route money to the big players.

    The big players are monopolies and will need to be dealt with.

    Just my 2 cents ;)
    • It is funny because trusting reported status is sure to cause issues which means in the end they will go back to pinging the devices to "know" the status for sure. And they will get to collect all the additional juicy profitable data because, ah oh we just have not gotten around to not requiring/gathering it..

      Just my 2 cents ;)
      • Which reminds me that everyone with resources should have their home/personal/business server which is the central player in their lives.
        Your devices should just talk with your base server (whatever) (which is under your control) (encrypted by you) and the base is the dissemination point.
        The concept of installing untrusted apps (others' apps) on your device (is a security breach) and then sending all your data through said untrusted app (any you do not control) is a foolish design in the real world. The whole
        • by AmiMoJo ( 196126 )

          Seems like there would be a decent market for something like that if it existed. The problem seems to be that any new local protocol won't be well supported by device manufacturers.

          Maybe someone could build a router with this functionality that did a MITM attack on the connections to the cloud. It depends if the device manufacturers' security is decent enough to notice that kind of thing happening.

          I suppose the alternative is to make the devices as well, but it's hard to win when you don't offer consumers mu

  • by Bandraginus ( 901166 ) on Monday March 16, 2020 @12:13AM (#59834098)

    That "something changed in early 2019" was the expiry of a patent held by Lutron Electronics for "Instant Update": 5,905,442 titled "METHOD AND APPARATUS FOR CONTROLLING AND DETERMINING THE STATUS OF ELECTRICAL DEVICES FROM REMOTE LOCATIONS"

    Basically it covered the status update where a smart device could send the status back to a controller, rather than it have to be polled. This held back its adoption by the Z-Wave community for years.

    So Google and Amazon *couldn't* implement these automatic status updates because it was too costly to build into the devices themselves. However, now that the patent has expired, it seems like these giants are going for the data jugular!

  • Not a smart device (Score:5, Insightful)

    by NotEmmanuelGoldstein ( 6423622 ) on Monday March 16, 2020 @01:13AM (#59834158)

    ... requiring continuous status ...

    Needing a computer a 1,000 km away, to switch-on a light hanging 5 metres away, is far from smart.

    • "Needing a computer a 1,000 km away, to switch-on a light hanging 5 metres away, is far from smart."

        Think about this for a second....this fits perfectly well in a comedy routine!

  • by LibreHome ( 6202364 ) on Monday March 16, 2020 @01:29AM (#59834162)
    • Or you could stuff this [blitzwolf.com] in the back of the gang box and wire it into the light switch yourself and turn your lights on/off from anywhere in your house. No internet connection needed.
  • If you let (sorry, PAY) Google or Amazon or some other data warehousing megacorp. to be a man in the middle between you and turning your lights on, or opening your front door - you need your bloody head examined.

  • So obviously your phone can be used as the target... this is obfuscation for in-home tracking so they can hit you with 5G accurately anywhere in the house.
  • It's pretty easy, stop buying "smart" stuff. Don't put an Alexa or other personal spy assistant in your home. It adds zero value to your life and hands every bit of your daily activity and personal behavior to a corporate oligarch. Vote with your wallet and they will change overnight.
  • it's already established that these devices are always listening and continuously sending audio back to HQ, how does this additional bit of data come as a surprise to anyone?

    people pay willingly for a continuous spying device, collecting data (even when not interacting with it), providing immense value for the data gathering companies, all with very little benefit to the user. you must admit that is pretty amazing to accomplish.

    luckily nobody is forcing you (yet) to actually buy and use these devices.

  • Just another reason NOT to use Alexa, Google Home, or any of this crap.

    If you need a wifi connection, an app, and a user account with a corporation to turn a light on and off, you done fucked up.

    And remember kids, "patch your lightbulbs [slashdot.org]".

  • ..and you bought all this crap anyway.
    There's still time: e-waste all of it and take back some of your privacy.
    • You are just shouting into the wind. You really underestimate how ignorant the average consumer is.
