Smart Home Privacy Checker insights

1 in 10 smart home apps collected data for user tracking

• After apps collect the data, they may also track you to show targeted ads or share your information with third parties or data brokers. In these cases, you end up paying twice for those Internet of Things (IoT) apps: initially, you pay for the device, and then you pay with your data, which might be used to generate revenue.
• Some apps go all out and use most of the collected data to track the users. The two apps that use the most data for tracking are myQ Garage & Access Control and CRAFTSMAN myQ Garage Access. They use 9 of the 10 collected data points, including your name, email address, product interaction, advertising, and even crash data.
• Smart device apps primarily monitor users through their device ID, email address, and product interactions. Nearly one-third of the apps tracking data track these data points. Some apps don't stop there — they also track the user's precise location. These include apps like Canary - Smart Home Security, Kenmore Smart, and NuWave Connect.

Tech giants Amazon and Google developed the most data-hungry smart home device apps

• Amazon's Alexa collects 28 out of 32 possible data points. That's more than 3 times more than the average smart home device. Moreover, all the collected data is linked — each piece of collected data is associated with an individual user profile. This data includes precise location, contact information (email, phone number), and health data. The four uncollected data points can be substituted by other data. For example, Alexa does not collect browsing history, but it does collect search history. It does not collect fitness data but gathers health data and other sensitive information related to it.
• Google gathers a little less than Amazon, collecting 22 out of 32 possible data points. That's still nearly triple the amount typically collected by other smart home devices. Like Amazon, Google links all collected data to the user. Some of the most notable collected data points are address, precise location, photos or videos, audio data, browsing, and search history.
• The Keurig coffee machine app ranks third in data collection among smart device apps, amassing 19 out of 32 possible data points. It gathers less information than the big two tech giants but still more than double the average for popular smart devices. Like the Amazon and Google apps, the Keurig app links all gathered data to individual users. It uses 8 data points to track the user across third-party networks. These data points include email address, browsing, and search history. This tracking is not entirely a surprise, given that the app not only controls the coffee machine but also has an online shopping function.

Privacy is an illusion under a security camera’s watch

• Outdoor security camera apps are among the top collectors of user data. On average, they gather 12 data points, which is 50% more than what's usual for other smart home devices. Plus, they link 7 out of those 12 points to the user's identity.
• The Deep Sentinel and Lorex apps are the reason why security cameras are so high on the data collection list. These apps are designed for security cameras (and, seemingly, no other devices), meaning all their collected data is for the sake of the user's safety. Deep Sentinel app description states, "Our Surveillance Team has eyes on criminals from the second they step on your front yard." But it's pretty clear they aren't just watching out for bad guys — they've got their eyes on the users, too.

12 apps have not provided details of their collection practices for at least a year

• App developers need to keep their privacy policies clear and updated to stay trustworthy and comply with the data collection laws. 2 of the 12 apps we've looked at, MekaMon and Cozmo, are used to control children's toys. These apps can gather detailed information like precise location, photos or videos, and audio recordings.
• Sometimes, there isn't enough time or resources to complete all the paperwork. However, a year should be enough, especially for a large company like Nvidia Corporation. Despite their transparency regarding their other applications, they haven't shared any information on data collection practices for its NVIDIA SHIELD TV app. Such inconsistency suggests that the company recognizes the importance of being open about data collection practices, but hasn't yet applied it uniformly.
• Everyone should be aware of how their data is used. That's why Apple could enforce apps to disclose data collection practices sooner. Apple's data collection policy states: "The developer will be required to provide privacy details when they submit their next app update." However, some apps might not be updated for extended periods, potentially delaying the disclosure of privacy practices. In 2022, Apple removed 60 apps for not following the Guideline 5.1.1 - Data Collection & Storage rule. That's tiny compared to the almost 150k they removed for violations of Design (guideline 4.0).

To access this data, go to Apple's legal resources. Under the App Store Transparency Report, click the 2022 Supplemental Data File, and see Apps Removed from the App Store Due to Guideline or DPLA Violation.