IOT Devices Provide Comcast A Wonderful New Opportunity To Spy On You

from the monitor-and-monetize-ALL-the-things! dept

For some time now we've noted how poorly secured IOT devices provide a myriad of opportunities for hackers looking for new attack vectors into homes and businesses. That's of course when these devices aren't just coughing up your personal data voluntarily. Whether it's your smart fridge leaking your Gmail credentials or your internet-connected TV transmitting your personal conversations over the internet unencrypted, we've noted time and time again how IOT manufacturers consistently make privacy and security an afterthought -- one that's going to ultimately cost us more than some minor inconvenience.

But in addition to the internet of broken things being a privacy and security dumpster fire, these devices are providing a wonderful new opportunity for larger ISPs looking to monetize the data you feed into their networks on a daily basis. A new study out of Princeton recently constructed a fake home, filled it with real IOT devices, and then monitored just how much additional data an ISP could collect on you based on these devices' network traffic. Their findings? It's relatively trivial for ISPs to build even deeper behavior profiles on you based on everything from your internet-connected baby monitor to your not so smart vibrator.

We've long noted that while encryption and VPNs are wonderful tools for privacy, they're not some kind of panacea -- and the researchers found the same thing here:

"...encryption doesn’t stop ISPs from knowing which internet-of-things devices their users have, nor does it stop them seeing when we use those devices. In the Princeton study, ISPs could track a user’s sleep patterns by detecting when a sleep tracker was connecting to the internet. It also revealed that ISPs could identify when a home security camera detected movement and when someone was watching a live stream from their security camera."

Similar concerns have been raised (and promptly ignored in most areas) regarding information collected from smart energy meters by your power utility, since power usage can similarly provide all manner of monetizable insight into your daily behavior. The researchers do note that more sophisticated users could use a VPN to confuse their ISP, but the full study indicates there will be some impact on network performance that could be a problem on slower connections:

"The authors say there might be ways to cut down the snooping abilities of ISPs. One possible defence involves deliberately filling a network with small amounts of traffic. This could be done by running all your internet traffic through a VPN and then programming the VPN to record and play back that traffic even when the IOT device is not in use, making it tricky for ISPs to work out when a particular device is actually being used. However, this would probably slow down the network, making it a somewhat impractical defence against network observations."
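A small simulation of the observation and the defence quoted above, added here as an illustration and not taken from the Princeton study. The per-minute byte counts, the 1000-byte threshold and all function names are constructed assumptions:

```python
# Constructed sample: bytes per minute on the wire for one device (a sleep
# tracker). Payloads are assumed encrypted; only volume and timing are visible.
IDLE, ACTIVE = 200, 9000  # hypothetical baseline and in-use volumes


def sample_trace():
    """12 minutes of traffic; the tracker is in use in minutes 3-5 and 9-10."""
    in_use = {3, 4, 5, 9, 10}
    return [ACTIVE + 100 * m if m in in_use else IDLE for m in range(12)]


def infer_active(trace, threshold=1000):
    """Minutes an on-path observer would flag as 'device in use' from volume."""
    return [minute for minute, count in enumerate(trace) if count > threshold]


def replay_cover(trace, threshold=1000):
    """Fill idle minutes by replaying recorded in-use minutes (cover traffic).

    For brevity the 'recording' is taken from the same trace; a real shaper
    would replay bursts captured earlier.
    """
    recorded = [count for count in trace if count > threshold]
    if not recorded:
        return list(trace)  # nothing recorded yet, nothing to replay
    shaped, next_replay = [], 0
    for count in trace:
        if count > threshold:
            shaped.append(count)  # genuine use passes through unchanged
        else:
            shaped.append(recorded[next_replay % len(recorded)])
            next_replay += 1
    return shaped


def overhead(trace, shaped):
    """Extra bytes sent, as a fraction of the original volume."""
    return (sum(shaped) - sum(trace)) / sum(trace)


if __name__ == "__main__":
    trace = sample_trace()
    shaped = replay_cover(trace)
    print("observer sees use at minutes:", infer_active(trace))
    print("after replayed cover traffic:", infer_active(shaped))
    print("bandwidth overhead: {:.0%}".format(overhead(trace, shaped)))
```

With cover traffic every minute looks busy, so the volume threshold no longer separates real use from idle time, and the overhead figure shows the bandwidth cost the quote warns about.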

Aren't you glad Congress recently voted to kill consumer broadband privacy protections solely for the financial benefit of Comcast, AT&T, Verizon and Charter (Spectrum)? Those fairly basic rules required that ISPs be entirely transparent about what data they're collecting and who they're selling it to. The rules, proposed after Verizon was caught modifying user data packets to track online behavior (without telling anyone), also would have required customers opt in to more sensitive financial data collection. Without them, oversight of ISP data collection is sketchy at best, no matter what large ISPs and their friends claim.

While the lack of ISP transparency as to what's being collected and sold is one problem, so too is the fact that most of these devices offer little to no insight or control over what kind of data and information they're transmitting. That leaves the onus entirely on the consumer to try and cobble together an imperfect array of technical solutions to minimize ISP snooping and protect themselves (often impossible for your average grandparent or Luddite), or to take the smarter path in the smart home era and resort to older, dumber technologies whenever and wherever possible.


Filed Under: encryption, iot, privacy, security, smart devices, spying, surveillance

Companies: comcast