Connected Devices Share More Data Than Needed, Study Says

Smart speakers and streaming sticks are among the household gadgets transmitting information to advertising companies and other third parties

A smart speaker emitting binary data Lacey Browne/Consumer Reports, iStock

If you ask a smart speaker for the weather or to play your favorite song, you’d expect it to send your request out over the internet and quickly bring back the appropriate response: the five-day forecast or a good jam.

You might also expect that’s all it’s doing while it’s out on its online errand.

But that’s not always the case, a new study from Imperial College London and Northeastern University has found. In fact, more than a dozen popular internet of things (IoT) devices regularly send and receive data that are not necessary to complete the request they’ve been tasked with. In some cases, the study has found, the devices appear to send information to companies in the marketing and advertising industry.

Websites and apps often do the same thing—except in this case, we’re talking about devices like smart speakers, streaming media players, security cameras, and internet-connected switches that you’ve paid for and installed in your home, whose behavior tracking may be even less obvious and nearly impossible to rein in.

More on privacy

Asked to name the capital of Italy, a Google Home smart speaker in the study sent data to five different destinations that weren’t required to figure out the answer, researchers found; an Echo Dot from Amazon contacted seven extraneous locations.

Roku’s Streaming Stick+ got in touch with eight unneeded destinations when it was asked to play a YouTube video, while Amazon’s Fire TV Stick contacted 11, setting a record for unnecessary connections among the 31 devices in the study.

How do we know all that data sharing wasn’t required? When researchers blocked those extra connections, the devices were still able to complete the tasks they’d been assigned.

“We didn’t expect so many destinations to be blockable,” says Dr. Anna Maria Mandalari, a researcher at Imperial College London and the lead author of the new study, which she and her co-authors will present later this summer at the Privacy Enhancing Technologies Symposium, an academic conference.

It’s rarely clear what the devices are sending in these non-essential transmissions. That’s because the communication is encrypted. Encryption is an important privacy and security precaution that keeps sensitive information from falling into the wrong hands, but it also makes it harder for researchers like Mandalari to understand what data IoT devices are transmitting.

In certain cases, though, the answers seem clear. Several devices communicated with a server associated with DoubleClick, a digital advertising tool from Google, the study found. A major part of DoubleClick’s business is to use consumer data to target ads.

In other situations, it was harder to tell. Many devices sent non-essential messages to their own manufacturers, the researchers found, or to outside companies that provide infrastructure such as cloud services. Those transmissions could contain relatively harmless analytics information or enable cloud synchronization—or they could be collecting data on consumers.

“We don’t know if they’re good or bad—just that they’re not necessary,” says Dr. David Choffnes, a computer science professor at Northeastern University and study co-author. “We’re doing a whole lot of guessing, because we have to. This is the best we can do with the tools and info we have today.”

Choffnes and another co-author, Dr. Daniel Dubois, are frequent collaborators with Consumer Reports, and Dubois is a research fellow with Consumer Reports Digital Lab.

While researchers and consumers are left to hazard those guesses, there are few limits on the data that companies can collect or send off to third parties, privacy experts say.

“You should be entitled to expect that these devices are just working for you—you paid for them, after all,” says Justin Brookman, director of consumer privacy and technology policy at Consumer Reports. “But the U.S. has weak privacy laws, so companies have a ton of leeway to decide what to do with your data.”

Asked to respond to the study, Amazon and Roku said the connections the researchers labeled as unnecessary shouldn’t be looked at that way.

“The premise that blocking these endpoints doesn’t overtly negatively impact the end user experience is false,” a Roku spokesperson said. “Connections to the endpoints perform a variety of activities, such as providing telemetry to our service so that we can improve the product, improve the user experience, and keep our platform safe.”

An Amazon spokesperson said that the traffic “is used to provide and improve the experience for our customers. For example, helping ensure devices are working well, collecting device health metrics, connecting to related Amazon and third-party services, and improving content delivery.”

A spokesperson for Google responded only by pointing at an online help page that describes how Google Assistant parses voice requests.

In general, consumers don’t have much control—if any—over the data that many IoT devices send and receive over the internet. For now, at least, there’s no simple way to block unneeded traffic without rendering the device unable to do what you’ve asked it to.

However, Mandalari, Choffnes, and their colleagues are transforming the system they created for their research into a program that consumers can install at home. The system, IoTrimmer, would live on users’ home internet routers and quietly block extraneous traffic.

Using the testing method from the study, IoTrimmer could separate needed traffic from unneeded connections for each popular IoT device, and would allow consumers to tweak settings for specific devices. The researchers hope to release the tool to the public by the end of the year.

The fact that most of the data sent out from IoT devices is encrypted makes it hard to build a set of blocking rules that works for everyone, says Dr. Pardis Emami-Naeini, a researcher at the University of Washington who was not involved in the study.

A non-essential connection that’s worth restricting for one consumer—perhaps because they’re particularly privacy conscious—might be important to another consumer who likes hyper-personalized movie recommendations.

“We wouldn’t want to design something that doesn’t comply with a wide range of preferences,” she says.

To sort essential connections from extracurricular communication, the researchers devised a system that automatically blocked a different portion of a device’s internet traffic every time they made a request.

If the device failed to complete the request when some part of its internet traffic was interrupted, it was clear that it needed that connection, according to the researchers. But if it could still do what it was asked when some of its traffic was blocked, the connection that was cut off wasn’t necessary for the task, they concluded.

As a rule, Choffnes says, IoT devices should share information only on a need-to-know basis. If communicating with a third party isn’t required to complete a simple task, then the device should just leave that company out of it. If it doesn’t, Choffnes and his colleagues hope to shut the gate tight so that consumers are the ones making the choice.

Headshot of CRO author Kaveh Waddell

Kaveh Waddell

I'm an investigative journalist at CR's Digital Lab, covering algorithmic bias, misinformation, and technology-enabled abuses of power. In the past, I've reported for Axios and The Atlantic, and as a freelancer in Beirut. Outside work, I enjoy biking and hiking in and around San Francisco, where I live, and doing the crossword while cheating as little as possible. Find me on Twitter at @kavehwaddell.