For the past 18 months, stories of smartphones and smart home virtual assistants (like Amazon Echo or Google Home) leaking user data have dominated media headlines and raised all sorts of privacy concerns. Now get ready for a new wave of Internet of Things (IoT) stories involving other smart devices, including smart TVs and connected appliances, which are also tracking you and leaking data. Several new studies help to illustrate all the IoT privacy issues that you might expect to encounter when you watch a smart TV, stream Netflix, or interact with any of the countless “smart home” devices now available for sale.

Smart devices are sharing your personal data with third parties

The first IoT privacy study, a joint academic collaboration between Northeastern University and Imperial College London, examined the data sharing activities of 81 different “smart” devices commonly found in people’s homes. These included popular consumer tech products available from big-name tech vendors (i.e. Google, Amazon, Roku), including smart TVs, streaming dongles, smart audio speakers and video doorbells. In total, the two teams of researchers (one in the U.S and one in the UK) conducted 34,586 experiments to see how much data these devices were collecting, storing and sharing.

What the researchers found was astounding – 72 of the 81 IoT devices shared data with third parties completely unrelated to the original manufacturer. And the data they shared went far beyond just basic information about the physical device being used – it also included IP addresses, device specifications and configurations, usage habits, and location data. Some of these third parties were names you might expect – such as Google, Amazon and Akamai – because it is these companies that are providing the Wi-Fi, Internet networking or cloud storage functionality needed to run these IoT products. But there were plenty of other devices making third-party contact with companies located around the world (and not just in the U.S. or UK). That alone should be reason for concern: when you purchased your brand-new smart TV, you probably had no idea that your user data was going to be shared, sold and re-packaged to a veritable mélange of third party tech vendors.

And then there’s the matter of how the data was often being shared – usually as a plaintext file without any sort of encryption at all. Anyone “eavesdropping” on this data flow would be easily able to make some pretty strong inferences about factors like user identity, user location and user behavior. In total, 30 of the 81 devices in the study were found to share data in this open and brazen manner. For that reason, it’s easy to make the claim – as many media outlets already have – that your home is “leaking” data. Anyone concerned about data collection or IoT privacy issues would have reason to be alarmed about the way IoT devices are operating these days without any attention to privacy or security.

IoT privacy issues involving your smart TV

Another research study, this one from academics at Princeton University and Chicago, also raises significant IoT privacy issues. Unlike the first study, which looked at 81 different devices, this study focused on smart TVs and Internet streaming devices. What they found was particularly alarming: 89% of Amazon Fire TV channels and 69% of Roku channels including tracking that collects information about viewing habits and preferences. Thanks to their use of an open-source tool known as IoT Inspector, these researchers were able to figure out exactly what type of data was being shared, and then track to see where it was being sent.

Similarly, a Washington Post reporter conducted an unofficial experiment of his own to figure out how much tracking and monitoring your average smart TV is carrying out on a daily basis. Using the same IoT Inspector tool, he was able to determine that “smart pixels” on your smart TV screen was capturing information about what was being watched, and where, and then transmitting that information at a rate of once per second to various third-party IP addresses. And, in some cases, smart TVs from the likes of Samsung, Roku, Vizio and LG were doing more than just capturing information via a “smart pixel” – they were also capturing complete snapshots of the screen image and then transmitting that information to third parties as well. That in itself should strike many people as being creepy – it’s almost as if a whole group of complete strangers were standing over your shoulder, recording notes about everything you watch on TV, and how often you rotate between different shows or channels on your connected devices.

The big business of IoT device tracking

Other studies, too, support the notion that just about any device connected to the Internet (and especially smart TVs and streaming devices) can be used as ad tracking devices. In the old days, advertisers might have had to wait on the results of the latest Nielsen report to figure out who was watching what, and when, on TV. Now, they have real-time access to that information.

What really raises IoT privacy issues, though, is how that information and data is being used. If it were merely being used for “personalization” and “customization” purposes – as the manufacturers typically claim – then that’s at least somewhat understandable. Information about which devices were being used to watch streaming content might help a company like Netflix optimize the quality of its streams.

#IoT #privacy study shows 72 out of 81 different IoT devices shared data with third parties completely unrelated to the original manufacturer. #respectdata Click to Tweet

However, IoT privacy experts have legitimate reasons to be concerned about the results of these latest academic studies. They suggest that personal data “leaking” from the home is being used to create sophisticated profiles of users, based on their usage habits. And it’s even more troubling, from an IoT privacy perspective, that some of this data involves personally identifiable information such as exact geolocation data, social media data, and unique device information. Combined, this data can be used to figure out the identity of the user. All of that data, of course, is pure “gold” for advertisers, who want to know as much as they can about users so that they can serve up the perfect ad at the perfect time.

Next steps for the Internet of Things

Going forward, IoT device makers are going to have to pay much more attention to privacy and security issues. If they fail to take into account important IoT privacy issues, it may soon be time for legislators and regulators to force them into making changes to the way these devices are manufactured, tested and sold.