Let’s start a consumer bill of rights for connected devices

Every innovation comes with a learning curve. In particular, every new technology has a period when people are just trying to figure out what they can do with it. I get that. But technology adoption is moving ever faster. Indeed, the chart showing how long it took Americans to adopt most technology compared to how quickly we’ve made smartphones, computers, and the internet a regular part of our daily lives would be shocking only to those who haven’t experienced it firsthand.

So it stands to reason that the adoption of smart home technology will see a rapid rise. (Unfortunately this adoption is occurring even as the firms building the smart home gear are learning exactly what they should and shouldn’t do). Yet consumers still don’t fully grasp what exactly this new tech can enable in terms of data collection and potential security threats.

There are also several problems, from a consumer’s point of view, when it comes to smart home tech. If manufacturers want to develop this market, they need to start addressing those issues in advance, not watch them unfold and apologize later for the damage — even if that damage is theoretical.

As we embed technology into everything, here’s a list of disclosures that any manufacturer should make in their product manuals and, in some cases, on the packaging and on their websites.

Expiration date: Devices need an expiration date for service and over-the-air updates. If you buy a fridge, you expect there will be patches for it during the subsequent 10 years or so that the fridge is in your house. But if the company hasn’t made plans to provide those patches or allocated the budget to do so, it means you may end up with a device that becomes a hole in your security. Like warranties, which provide some legal framework for device functionality over time and through M&A or bankruptcies, we need something to guarantee patches and upgrades for connected devices. We have it with phone and computer OSes. We should have it with IoT, too.

Sensors, especially in cameras or microphones: A good portion of the internet is currently focused on this topic after Google said it never intended to keep the microphone on its Nest Guard security system device a secret. But Kevin and I brought this up a few weeks ago, after we had a hard time finding whether or not a television has a microphone on it. When you connect something to the internet, the data it collects is potentially vulnerable. Even if a manufacturer follows the latest security practices, new exploits can render them insecure, as can poor user habits. Any consumer bringing a device into their home with the potential to share their data with the world has to do so knowing exactly what their risk model is. That means they need to know what data is potentially at risk.

Currently, device makers regularly pop into devices sensors that are unused and undisclosed. Most aren’t as potentially worrisome as a camera or a microphone, but even temperature sensors and other data collection devices should be disclosed. Transparency isn’t just a virtue in this case. It should be mandatory.

What data is shared, and with whom. Again, this is a basic tenet, but right now such information is buried in privacy policies and terms of service that can take hours to read in full. Not exactly what you’d call transparent. Companies should disclose early on in the buying process what data gets sent to the device maker and to third parties. And those companies should know how it’s used. If images from your video doorbell are shared with a cloud storage provider so you can look at them later, that’s very different than your images going to an image training data set that employees might see. Prior guests on the podcast have suggested this data be disclosed when an item is put in an online shopping cart, as well as directly on the packaging. I tend to agree. After all, it’s tough to return, say, a connected thermostat once you’ve taken it home and installed the app.

As part of this, I think somewhere in the easy-to-read section of the website or app a manufacturer should also disclose how they treat requests for data from law enforcement and civil subpoenas. Again, this helps a customer understand any potential fallout from using these devices.

How long that data is kept. Tied to the questions of data sharing are ones of data longevity. We went through this in the search engine world a few years back, when people started realizing that Google, Microsoft, and Yahoo kept search requests for some indefinite length of time. The industry tried to coalesce around a 6-month standard, but not everyone agreed. Absent a regulation, companies should disclose how long they keep customers’ temperature preferences from their smart thermostat or the record of recipes they’ve made in their smart oven. Even if we don’t ask for this information in relation to traditional devices, we should ask for it when it’s in relation to digital assistants. I’ve asked both Google and Amazon how long they keep our utterances data, and both said they keep it until the user deletes it. So, basically, we are back at square one on this issue. (You can manually delete your utterances from both platforms by following these steps.)

Two-factor authentication: Security should be assumed in these devices, even if today it isn’t. Consumers should expect, that devices will be patched up to the expiration date, that our traffic should be encrypted at rest and in transit, and that no one would even think about using a hard-coded password on the device. But to help prevent against user error, I’ve called for two-factor authentication (2FA) for smart home devices.

That’s because many people use the same password for all of their devices, and when those passwords are stolen, their devices can be “hacked.” This has been in the news recently with Nest cameras getting pwned. Few companies in the smart home even offer 2FA, and even fewer consumers use it. Ironically, Nest is one of the few that does offer it. Chamberlain is another. I would like to see more manufacturers use it and then more companies offer incentives to get consumers on board. For example, Nest could offer a discount on its cloud storage subscription for those who enable it.

These are just a few items that I think every manufacturer should embed and talk about as part of their smart device manufacturing process and marketing effort, respectively. Consumers should be able to trust that the makers of the devices they’re spending good money on will help them protect their data, their security, and their privacy. In fact, they should expect nothing less.