Smart Appliances Bring Convenience, But Risk Your Privacy


According to our October 2022 nationally representative survey, Americans who don’t have smart devices connected to the Internet are more likely to say they’re concerned about the digital security of those devices (70 percent are at least somewhat concerned) than about the privacy implications (64 percent are at least somewhat concerned). The numbers are slightly lower, but still high, for Americans who own large-scale connected smart devices: 55 percent and 47 percent, respectively. But based on our findings, you should be more worried about manufacturers spying on you than about hackers.

In our tests, we monitored internet traffic from 12 smart devices across five brands (GE, LG, Maytag, Samsung, Whirlpool) and four device types (fridges, stoves, dishwashers, washing machines) to see how chatty they were. We did not find any security vulnerabilities in these products, and all personal information was encrypted. But we found that all of them are constantly collecting data and sending it back to the manufacturer.

How much data? Each appliance sends between 3.4MB and 19MB of data back to the manufacturers each week. That might not seem like a lot, but considering it’s all text (not images, video, or audio), that’s the equivalent of 24,000 to over 135,000 text messages. We also only used the devices once a day, far less than the average consumer. With normal use, these devices would likely send back even more data.

“As we all know, devices can work perfectly without an internet connection,” says Steve Blair, who conducts privacy and security testing for CR. “So most of the data is probably just additional data collected by the manufacturers.”

Because the data was encrypted, we couldn’t “see” what type of data was being collected (a good thing in terms of data security). We asked the big brands, but most would say only that they collect usage and performance data. However, Kenmore gave us a detailed overview: its devices collect data on a number of attributes, such as power status (on/off), door open/closed, filter status, cycle details, temperature information and energy consumption.

LG and Samsung go further and collect your zip code, phone numbers, date of birth, geolocation and more through a device’s smartphone app. “LG and Samsung definitely collect more personal data than other manufacturers,” says Blair. “Zip codes, phone numbers, date of birth, geolocation and more are obviously not relevant to product performance and service. Therefore, we believe they are engaging in data collection practices that could harm consumers.”

These apps may also include third-party trackers that collect additional data from your phone, which manufacturers can use to troubleshoot problems, inform future product development, serve ads, or even sell to third parties. For example, there are 10 third-party trackers built into the LG ThinQ app. Blair says that in his experience, 10 trackers are on the high side among mobile apps.

Most manufacturers claim that all of this data is collected to improve their products, but our results show that at least some use it to create data profiles about their consumers. Again, LG and Samsung go a step further and collect data about their customers from third-party sources, which they use to improve those profiles. Samsung expressly states in its privacy policy that it sells its customers’ data. It was the only company in our testing to do so.

John I. Taylor, LG Electronics senior vice president, says that every data point the company collects serves a specific purpose, such as finding the nearest customer service center using zip codes and geolocation data, or checking if a user is over 16 years old by date of birth. As for the third-party trackers, Taylor says only five are actually used in the US, for practices like analytics and user profiling. “Customer profiles are also used in aggregate to provide insight into consumer trends” and “analyzed to identify customer interests and preferences,” he says.

“Samsung takes the privacy of its customers very seriously and we design our products with privacy and security at the forefront,” said Khang Nguyen, vice president of engineering at Samsung SmartThings (the company’s smart home platform) via email. “SmartThings collects some user data in order to optimize the user experience, always informing the user about our privacy practices or asking for permission before beginning a collection.”

Samsung also addressed the part of its policy that suggests selling data in certain situations. Nguyen says the language comes from the California portion of the company’s privacy policy, which is designed to comply with the state’s consumer privacy law, the California Consumer Privacy Act (CCPA). The CCPA defines “sell” much more broadly as “selling, renting, releasing, disclosing, distributing, making available, transferring, or otherwise communicating, whether oral, written, electronic, or otherwise, a consumer’s personal information by the business to a third party for monetary or other valuable consideration.”

“Because CCPA defines these terms (sale/sale/etc.) so broadly, certain mobile advertising transactions of our Samsung Ads business could be considered ‘sales’ under this definition,” Nguyen says.

In short, we don’t know for sure if Samsung actually sells user data.

“This is a major disadvantage of the Internet of Things; it creates a lot more opportunity for potential data breaches,” said Justin Brookman, director of technology policy at CR. “In many cases, data collection can be benign or even beneficial. But data collection is almost always invisible, and consumers have no idea what is being collected, why, or who it is being shared with.”