Is Your Home Listening to You?

When I was a teenager, science fiction books envisioned a future where people talked to their home to take care of mundane tasks. For somebody willing to spend the money on new appliances and devices that future is here today.

Just consider the Amazon Alexa voice assistant, which is installed in the largest number of devices. GE has built Alexa into its new stoves, refrigerators, wall ovens, dishwashers, washers and dryers, and air conditioners. Samsung has built Alexa into refrigerators, washers, dryers, air conditioners, and vacuums. Alexa is built into smart light bulbs, smart wall plugs, televisions, thermostats, smart door locks, security cameras, speakers, and numerous other devices. The chips and/or software to add Alexa to devices are getting cheap and it shouldn’t be long until the app is built into most electronics you might buy.

The convenience of talking to home devices is not without a cost, and companies like Amazon, Apple, and Google are listening to you through the devices. Like other voice assistants, Alexa listens all of the time waiting for a ‘wake word’ that activates the app. There are major privacy and security concerns related to the constant listening. We have to trust the company controlling the device not to listen to us all of the time because there is nothing stopping them from doing so.

Amazon swears they don’t listen or record except for a short period of time after the wake word is spoken. They also swear that they only preserve those recordings in an effort to improve Alexa’s responses to questions. If you are going to use Alexa in your home, you are trusting that Amazon is telling the truth. Back in 2017 Samsung got a huge black eye when they were unable to make that promise concerning their smart TVs.

The other big concern is hacking. There is zero chance that all of the companies making devices that include a voice assistant have iron-clad security. While Amazon really might not be listening to you, a hacker will surely be willing to do so.

To make matters even more uncomfortable, a lot of lawyers and privacy experts believe that if a person knowingly installs a device that listens and transmits information to a third party, that person has waived their Fourth Amendment privacy rights and any rights granted by the Electronic Communications Privacy Act. The concept has not yet been challenged in a court, but if it’s true, then people have no recourse against Amazon or anybody else using the information gathered from a voice assistant device.

My house has four Amazon Echos that we bought when the devices first hit the market. They are convenient and I use them to listen to music, check the weather or news, check the hours at stores or restaurants, and to make the occasional reminder in the middle of the night. My family has gotten uncomfortable with being listened to all of the time and we now unplug the devices when we aren’t using them. This kills all of the spontaneous uses of the devices, but for now, that feels safer than being listened to.

I’m going to be leery about buying any new household appliance that can listen to me. If I can’t disable the listening function, I’m not going to buy the device. It’s impossible to feel secure with these devices right now. It’s impossible to take the word of a big company that such devices are safe. You only have to look at the current experiences with the hacking of Ring cameras to know that smart home devices are currently anything but safe.

Small ISPs have never worried much about the devices that people hang off their networks. ISPs provide the bandwidth pipe, and how people use data has not been a concern for the ISP. However, that is slowly changing. I have a lot of clients that are now offering smart thermostats, smart security systems, and other smart devices as a way to boost revenue. ISPs need to be careful of any claims they make to customers. Somebody advertising safety for a smart security system might have liability if that system is hacked and the customer exploited.

Maybe I’m being overly cautious, but the idea of somebody I don’t know being able to listen to everything said in my house makes me uncomfortable. As an industry person who has been following the history of IoT devices, I’m even more uncomfortable since it’s now obvious that most smart home devices have lousy security. If you don’t think Amazon is listening to you, I challenge you to activate Alexa and say something vile about Jeff Bezos, then see how much longer it takes to get your next Amazon shipment. Go ahead, I dare you!

Regulatory Shorts – July 2016

There are some interesting things happening in courts lately that will be of concern to ISPs.

ISPs Might be Liable for Customer Piracy. In two court decisions, courts have said that ISPs can be held responsible for piracy committed by ISP customers. In the Alexandria, VA district court a jury found Cox Communications liable for copyright infringement in a lawsuit brought by BMG, the music publisher. BMG had argued that Cox should have disconnected customers who violate copyrights. There was a similar ruling in Manhattan district court against RCN, also brought by BMG. Both companies are currently vigorously fighting the rulings. This kind of ruling could have a chilling impact on ISPs. Net neutrality rules would make it hard, and maybe illegal, to block sites like BitTorrent. And yet ISPs might somehow be liable for what customers do on piracy sites.

Internet Firms Not Necessarily Liable for False Information. On May 16 the FCC handed down a narrow victory to Spokeo.com. The company had been sued by a Virginia resident who said that the site contained errors about his age, education, employment, and marital status. The court said that the plaintiff could not sue without having proven any real damage from the bad information.

The case was watched closely by Facebook, Google, and other internet firms that are worried about a negative impact from having inaccurate data. The court ruling seems to make it unlikely that class action suits could be brought against internet companies, but it did open the door to individual suits when real damage could be claimed.

Fourth Amendment Does Not Protect Home Computers. The federal district court in Virginia ruled that a criminal defendant had no ‘reasonable expectation of privacy’ for information stored on his home computer. The particular case came out of an FBI sting of Playpen – a TOR site on the dark web used to host child pornography. It’s a complicated and unprecedented case where the FBI seized the server and continued to operate the site, and to eventually arrest numerous users.

But the ruling is a bit troublesome because it implies that police have the power to remotely access the files on somebody’s computer without a warrant. That runs contrary to recent rulings about the security of information on a cell phone. Police have previously searched the computers of people who have been charged with crimes, but the ability to search, without a warrant, the computers of people who have not been accused of any crime is scary. I expect this to be appealed.

FBI says Location of Surveillance Cameras Must be Kept Secret. The FBI was successful in getting a judge to block Seattle City Light from divulging the location of FBI security cameras. City Light is part of the city government and would normally be required to respond to requests for information like this from the public.

One thing the court process revealed is that the majority of police surveillance cameras are installed without a warrant, which raises the issue of violating the Fourth Amendment. The judge in this case did say that he thought the FBI needed warrants to install cameras.

Europe Proposes Requiring an Online ID. Officials in the European Commission have suggested that European citizens be required to use a government issued ID when online. The purpose of this is supposedly to provide a trustworthy environment online for merchants and people to be able to know who they are dealing with.

The White House had proposed a similar voluntary system a few years ago in response to cyberbullying and other online issues. They suggested that if people adopted a verified and trustworthy identity online, they could be safer by only dealing with others who did the same. There are still a few states considering trials of the idea. But that proposal was very far away from being the mandatory requirements suggested in Europe.

The Best Explanation of Network Neutrality Yet. And finally, Stephen Colbert discusses net neutrality while on a roller coaster.

The Security / Privacy Battle

Every time there is some traumatic terrorism event like what just happened in Paris, there is a renewed call by governments for better surveillance and security measures. And every time that happens, the advocates of privacy sound a loud warning. What I find most interesting about this back and forth between the two sides is that it’s not events or even public policies that are driving the battle between security and privacy, but technology.

Just during the last decade there have been a number of technologies that have assaulted our privacy – encryption, big data, cloud computing, and advertising spyware. And we are fast approaching new threats from drones and from Internet of Things sensors everywhere.

The real battle between security and privacy happens when we introduce new innovations that can invade our privacy followed by countermeasures against those new technologies. There are plenty of politicians on both sides of the privacy issue who think that creating new laws is the way to protect privacy. But there are no laws that are going to be flexible enough to keep up with the new threats we are constantly seeing in the real world.

Consider the traditional privacy laws. There have been wire-tapping laws on the books for decades which are now completely obsolete. The FBI convinced the FCC a few decades ago to create a set of laws called CALEA that gives the FBI the right to subpoena ISPs and get the records of suspected law breakers. ISPs and telcos spend a lot of money to stay compliant with these rules and yet I can’t think of one of my clients that has actually gotten a CALEA request from the FBI. ISPs do often get requests from local law enforcement asking for calling records under older wire-tapping laws, but not a peep out of the CALEA folks.

And this is because those laws were obsolete before the ink was dry on them. The CALEA rules were written not long after we had migrated from dial-up to DSL and there was no such thing as the dark web and disposable cell phones and all of the other ways that serious criminals use to avoid law enforcement.

What typically happens with a new technology is that it gives one side – the police or the bad guys – a temporary advantage. But there is always a technological counterpunch as somebody on the other side figures out how to defeat and neutralize each new technological development.

Edward Snowden showed us that law enforcement sometimes is so desperate for an edge that they collect data illegally in violation of the basic rights granted to US citizens by the Fourth Amendment. But even that is only a temporary edge. There are now numerous groups developing strategies to counteract widespread government surveillance.

There have been numerous attempts to pass surveillance and security laws starting with the Patriot Act. But industry experts say that most of the laws that try to give the government more power are ineffective, again because technology moves a lot faster than legislative bodies.

So what we see is a cat and mouse game. The NSA spies on us and so companies like Apple develop encryption that makes it hard or impossible for the NSA to gather anything useful. And there are more and more web services that either automatically encrypt or which offer that as an option.

It seems that the privacy advocates are winning the long term fight, and this is because there are ways around almost any tool the government or big business can use to spy on people. I’ve read several articles recently that talk about how even in China people are finding ways to bypass the strict security of the Great Firewall of China. But the fight is a long way from over because there are always going to be tools that come out that can be used to spy on people and there will then be ways to defeat those measures. We are likely to see this battle for decades to come.