Smart Appliances Are Everywhere. So Are the Privacy Risks.

The idea that simple appliances would (or should) be connected to the internet predates even the widespread use of wireless tech in homes. In 1990, more as a joke than anything, techies John Romkey and Simon Hackett introduced at a tech conference the first Internet Toaster, which could be activated remotely (a separate gadget to put a new slice of bread in the toaster came later). 

There were wireless gadgets in the home before that, of course: People were using cordless phones and remote controls for their TVs.

But in a very short amount of time beginning in the mid to late 1990s—as millions adopted email, began surfing the web, and added WiFi networks to their homes to do those new internet activities conveniently—new ecosystems of devices began to emerge from different companies and electronics groups.

Since then, many more gadgets have emerged. Gadgets with screens that could connect to other devices arrived when smartphones took off after the 2007 introduction of Apple’s iPhone. This meant that creators of consumer gadgets and appliances didn’t need to include all the functions you’d need to operate a device on the device itself or through a cumbersome website; they could create tools to control the device using mobile apps across different platforms, from computers and phones to tablets and even smartwatches.

The early days of connected devices were a big mess for a long time, with competing home networking standards that didn’t play well together and devices that came and went from short-lived startups or established brands that tried to dip their toe into connected-home products, only to retreat due to lack of interest from buyers.

That changed over time as the ecosystems evolved and large tech companies including Apple, Amazon, and Google backed smart home initiatives and integrated their own products and software within them. That made it easier for people to ask Siri or Alexa to turn off their smart lights or to change the temperature on their smart thermostat with a smartphone swipe. Before long, you could use gadgets to play music from a streaming service while checking on the status of a home security camera, functions you could also access on your phone, Apple Watch, or laptop.

All that connectivity came with a price: the more appliances and smart TVs, phones, and apps that are talking to each other and connecting to the outside world, the more vulnerabilities are introduced. This, of course, has led to data breaches, dicey customer-data practices from some companies, and new questions about how the information collected might be used.

Analyst firm Juniper Research estimates that by 2028, there’ll be 28 billion internet-connected devices that are protected by cybersecurity solutions globally. The number of those devices that aren’t traditional computing devices has already outnumbered laptops and phones for several years; it’s not your imagination that every new gadget, appliance, or even the car in the garage is internet-enabled. “You’re not wrong,” says Donnafay MacDonald, Research Director at Info-Tech Research Group. “Everything now has IoT in it.”

As Romkey reflected later to The Avast Blog, years after helping usher in the so-called “internet of things” era with his connected toaster, “There are such wonderful possibilities for science, medicine, the environment, and just everyday convenience. And there are such nightmarish science fiction scenarios, particularly around security vulnerabilities that are epidemic in the IoT.”

The billions of internet-connected devices in our lives, and particularly in our homes, may contain features that are incredibly useful; they help keep us organized with voice timers, display our family calendar on the fridge, even alert us to danger at the front door through the lens of a doorbell camera.

But experts like MacDonald are increasingly troubled by the sheer amount of data that these devices are collecting, which can take the form of simple text files tracking, say, the number of times a robotic vacuum cleaned your floors and what the dimensions of those rooms are to much more personal information such as your home address or photos and video a device’s camera may have captured and stored.

Device makers that collect that data may use it for market research to improve their products, or sell some or all of it to third parties.

“It goes back to the old adage, ‘Knowledge is power,’" MacDonald says. “The reason why companies are putting IoT into devices is to gather data on customers.”

In many cases, companies have warned us in advance that they’re doing this, but we ignored the message. When using a device for the first time, which requires opting in to a long digital document no one bothers to read—the end-user license agreement (EULA)—it’s typical to scroll to the bottom without reading and tap “Agree.”

“So there’s the information that is being collected that you actually have signed up for, even though you may not know you signed up for it by virtue of the EULA,” says Michael Daniel, president and CEO of Cyber Threat Alliance, a nonprofit security advocacy group. “A lot of people don’t even realize what they’re agreeing to have collected about them,” Daniel says. 

In some cases, an app for an internet-connected product might ask for additional information or access to, say, the contact list on your phone, something that Steve Blair, who leads security, privacy, and testing at Consumer Reports, says he’s encountered.

“In that instance, I could infer that it was so that you could share some sort of access code with somebody,” Blair says. “These are things that aren’t particularly relevant for the product itself or the service, but this is additional data that’s being collected.” When the data is something like access to a bank account or credit card for billing, that requires a certain amount of trust given over to the device maker.

The data they’re collecting, Blair says, can add up; in one case, he found a device sending the equivalent of 135,000 text messages worth of data per week back to the company that made it. “What does a dryer have to say at that volume?” he asks.

When there’s a breach of security at companies that collect data, it can result in the exposure of massive troves of data files containing billions of data records, as happened with a Chinese IoT grow light company, Mars Hydro, in early 2025.

Apart from the data that companies collect for their own purposes, the nature of connected appliances and gadgets is that because they’re online, they’re vulnerable—and often much more vulnerable than computers and phones that are kept up to date with regular software fixes for security.

Many devices with internet connectivity, particularly less expensive ones, “are produced on pretty thin margins, so (manufacturers) often don’t spend a lot of time building security into them,” Daniel says. “Every device is a little bit different and there’s a lot more variety, so that makes them a lot harder to protect, a lot harder to defend in many ways.”

Devices that aren’t fully protected could make the data that’s being collected, from personal information to billing info, open to hacking. The information collected itself might not be the danger, however; a bad actor could use the information gathered off an IoT device to impersonate you, to steal your identity or tap into financial accounts, for instance.

“It’s not necessarily ‘I’m going to sit there and spy on you and videotape you and publish that information,’" says MacDonald. “It might be secondary of why they’re getting into your network to steal your information.”

Hackers might also accomplish this by installing undetectable software on devices, known as spyware or malware, that can be used to collect enough information for identity theft.

Using the devices hackers can get access to is not out of the question either. Many appliances, from smart TVs to some refrigerators and smart hubs, have cameras and microphones built into them, not unlike smartphones. Hackers could collect data from devices on a home network for some of the same purposes (ransomware installations, ID theft), or to invade someone’s privacy and exploit it in other ways.

These types of threats are not as common as security breaches against institutions or hacking of phones and computers … yet. Daniel says that it’s likely that more data breaches will affect IoT products as that market keeps growing.

He says, “I think the bad guys have not yet quite caught up to how much data is being collected in those spaces, but they will."

If you use home devices that connect to the internet, you’ll have to accept that in most cases they will collect data and send that data back to a company. But you don’t have to feel powerless to minimize the amount of information that’s collected, or to opt out of services you don’t really need. Here are seven tips to protect your data:

1. Keep the software current. On the protection side, Daniel says that one thing that’s important that many people don’t do with products that aren’t phones or computers is to keep the device’s software up-to-date. That can be a cumbersome process sometimes: Nobody’s combing the internet habitually looking for software to keep their vacuums and food processors secure. But, Daniel advises, “Make sure that to the extent that there are updates for those kinds of devices, that you do keep them updated, because that’s actually important.”

2. Look for firmware updates. That may require visiting the website for the product and looking at its support page to see if there are any firmware updates. An update might also be available within an app for an IoT device. If you’re concerned about the security of an appliance or gadget, reach out to the manufacturer to check if updates are available.

3. Review privacy settings. Daniel also suggests going into apps for devices and looking for any privacy settings that can be enabled and any data-collecting options to opt out of. “As little data as you can get away with and still have the device function,” Daniel says.

In some cases, apps are not intuitive to navigate, making it harder for some to figure out how to remove data-collection options or to enable enhanced privacy. In the past, some of that has been by design, with some tech companies accused of intentionally making it harder to avoid paid subscription services or hiding privacy options to make it harder for consumers to access them. There have been efforts from federal and state agencies in the U.S. and in other countries to take some of those companies to task for deceptive design or business practices.

4. Consider security before purchasing. MacDonald believes thinking about these types of issues, such as the data that devices and their apps collect, should start before a purchase is even made. “Don’t just bring them into your home thinking it’s safe,” she says. She advises turning off “every single feature that is not adding value to you. Does your fridge need to be connected to WiFi? Ask those questions.”

5. Reconsider toys with cameras. As for any devices such as toys or tablets that are going to be used by children, those options are even more important to explore, she says. “I would ask the question, ‘Does my child having access to this device supersede the potential threat of someone gaining access to my child? Let’s say the toy has a camera in it. Does the value outweigh the risk?”

6. Have good password hygiene. In addition, make sure you don’t reuse passwords that you’re already using on other accounts or devices when you’re setting up IoT devices. Using passcodes or biometrics as passwords, if that’s an option, is even more secure than a password you might forget or that could get hacked.

7. Create a network for some devices. One step MacDonald strongly advises is setting up a separate guest network on a home router just for IoT devices. If they get hacked, they’ll be separated from the rest of your home network, making it less likely anyone outside could steal information from devices on your main network. That way, she says, “you’re safeguarding the rest of your network from them infiltrating your laptop or getting into your phone.”

Bonus: Support Consumer Reports. If you’re concerned that companies are doing whatever they want with data with no regard to customers or critics, that’s not quite true. In some cases, the companies making IoT devices change their data-collection policies when they’re flagged by organizations such as the Federal Trade Commission, security researchers, or even by individual reviewers, such as those at Consumer Reports. In the case of the washing machine with the elaborate screen on it—made by Samsung and running Tizen software—the company changed course on a feature that wouldn’t allow the product to be used until customers agreed to terms of service after the Consumer Reports team reached out. 

“They’ve changed quite a bit of their policies to the betterment of the consumer based on our input,” Blair says.

Consumer Reports is also behind The Digital Standard, a website and hub for information used by testing organizations, researchers, and product teams to ensure IoT products meet standards for security, privacy, ownership, and governance. Some of the types of information vetted by Digital Standard include privacy policies for devices and whether companies sell data they collect and why.

One area that’s evolving rapidly, in step with the rapid adoption of tools like OpenAI’s ChatGPT and Google’s Gemini, is the addition of AI features to existing products like smart TVs and even air fryers.

What you should know is that while some products are integrating AI by including features such as chatbots, the terms “artificial intelligence” and “AI” are very broad, and could mean a lot of things. In some cases, manufacturers are repackaging old machine learning features and rebranding them as AI, even though the concept or feature may have already been around for a while.

That doesn’t mean you should let your guard down on AI’s data collection. Daniel points out that when new AI features are rolled out in an update for a product you own, that’s a good time to check if privacy or data-collection options have changed and to opt out if they’re not providing a clear benefit.

“Typically, devices with AI systems are collecting more data than people realize,” Daniel says. “So, if they’re updated to have AI functionality, you need to make sure that they didn’t also change what they’re collecting.”

Another option, especially if you have deep concerns about AI’s environmental impact, is to avoid buying or using devices that rely on AI to function.

If Amazon’s ecosystem gives you pause, you could forgo their universe of products by abandoning Alexa speakers and disconnecting a Ring doorbell, for instance.

It’s more difficult to opt out of apps for devices you plan to continue using, of course. In some cases, certain functions or features are only available within a companion app, such as setting automatic timers for smart vacuums or changing settings on a smart thermostat from outside the home.

What’s clear is that it’s getting more difficult, as technology evolves, to find home products that aren’t app-enabled via WiFi or that aren’t adding supposedly new AI features.

“I have an air purifier at home,” says Stewart at Consumer Reports. “To reset the filter reminder, I had to download an app and pair it with the app. And then it was on my WiFi, and I really don’t want any air purifiers on the WiFi.”

Blair agrees with the sentiment that some internet-enabled products seem like solutions for problems that weren’t in dire need of one.

“It seems like it’s the brave new world and I’m not sure anyone really asked for it,” Blair says.