Is Your Robotic Vacuum Sharing Data About You?
CR tests models from iRobot, LG, Samsung, Shark, and others to see whether these robovacs keep your data secure and private
Robotic vacuums are smart little suckers. Most use mechanical sensors, optical sensors, and advanced software to get the job done. And most connect to the internet, which puts them in the same category as video doorbells and webcams: devices that collect personal and environmental data to serve the user better.
As part of Consumer Reports' Digital Lab initiative, we evaluate devices that collect data about consumers, and we recently tested robotic vacuums. We found that on the whole, their potential vulnerabilities aren't as worrisome as those for video doorbells, but that manufacturers could still adopt more robust security measures. After all, in some cases we're talking about a bot with a camera connected to the internet scooting around your house.
How We Test for Data Security and Privacy
For data security, we assess whether a robotic vacuum incorporates security measures such as encryption. We also look for, among other features, two-factor authentication, automatic software updates, and email notifications when a user logs in from a new device or IP address.
For data privacy, we examine privacy setting options and publicly available documents, such as privacy policies and terms of service, to see how manufacturers collect and use your data, including whether they disclose how they collect it and whom they share it with. Our experts use The Digital Standard, an open-source set of criteria that CR created with other organizations, for evaluating digital products and services. We score robotic vacuums on more than 70 indicators.
Below is a closer look at our findings, as well as the details on robotic vacuums from our tests that score well for keeping your data secure and private, and how they vacuum. CR members can see the results of all the robotic vacuums we test in our robotic vacuum ratings.
Robotic Vacs’ Data Security Results
The good news is that all of the manufacturers encrypt users’ sensitive information, such as usage data and user credentials. Our labs didn't see any sensitive information being sent unencrypted during testing, and no serious security flaws or vulnerabilities were found. Other key findings:
- Of the companies we test, only iRobot earns an Excellent rating in data security. In addition to using encryption, the company issues regular updates to patch security vulnerabilities. Its internal policies limit and monitor employee access to user information, and the company invites outside security researchers to monitor its products for vulnerabilities. “We supplement internal expertise with extensive engagement with the security research community to provide the broadest view possible to identify, react to, isolate and resolve potential security issues,” says Mike Gillen, director of product and data security at iRobot.
- Samsung, Ecovacs, and Shark earn a Very Good rating for data security. However, these companies don't disclose enough information about how they limit and monitor employee access to user information. Ecovacs and Shark don't have a program for security researchers to report bugs or vulnerabilities.
- In terms of password security, iRobot, Ecovacs, Samsung, and Shark all meet at least two of the following criteria from The Digital Standard: passwords must be at least 8 characters (up to 20), reasonably complex, and may contain special characters.
Robotic Vacs’ Data Privacy Results
The bad news is that none of the robotic vacuum companies in our tests earns high marks for data privacy. The information they provide is vague at best when it comes to explaining what data is collected and how it’s collected.
- Eufy earns a Fair rating in this department and is the worst of the companies we test. In our data privacy review process, where we assess how much publicly available information a company offers on its privacy protection measures, Eufy had the least amount of information available. Here's what they had to say about the issues we raised: “Right now, the data the robot collects enables it to effectively clean the home and provides customers with information about cleaning performance. Eufy will endeavor to take our privacy and security measures to the next level,” said Vicky Guo, a spokesperson for Eufy. “We will never violate our customers’ trust by selling or misusing customer-related data, including data collected by our connected products.”
- Ecovacs, iRobot, LG, Neato, Samsung, and Shark provide more details about their privacy policies than Eufy, and also allow consumers to request the information that’s collected about them. However, none of these better-ranked companies allow consumers to obtain all of their private and public data, and few do a good job of updating consumers about changes to their privacy policies. Each earns a Good rating for data privacy.
Most Secure and Private Robotic Vacuums
These five robotic vacuum models rank high in our security and privacy tests, and are great at vacuuming, too. The two Eufy models aren't connected to WiFi, so they can’t collect and share data about you. As such, you won't see data privacy and security scores for them below.