“Who are you? Why do you hide in the darkness and listen to my private thoughts?”
William Shakespeare (Romeo and Juliet)
Our dysfunctional love affair with technology does not begin and end merely with facial-recognition gadgetry. It extends to a legion of devices that eavesdrop on us day and night, even during the most intimate moments of our lives.
Many of the ubiquitous, innocent-seeming devices are hooked up to the internet, controlled by dazzling apps loaded onto our smartphones. Together, the nosey devices comprise the Internet of Things, or IoT, which includes everything from smart espresso machines and smart refrigerators to smart doorbells and smart toys.635
Gartner, a Connecticut-based global consulting company, estimates that 8.4 billion smart gizmos were connected to the internet in 2017.636 As one early 2017 headline screamed: IOT DEVICES WILL OUTNUMBER THE WORLD’S POPULATION THIS YEAR FOR THE FIRST TIME.637
Gartner predicts the number of IoT gadgets will mushroom to 20.4 billion in 2020. Individuals will own about two-thirds of the devices and businesses the other third. “Aside from automotive systems, the applications that will be most in use by consumers will be smart TVs and digital set-top boxes,” says Peter Middleton, Gartner’s research director, “while smart electric meters and commercial security cameras will be most in use by businesses.”638
There is now even a search engine, Shodan, specifically designed to locate the clever widgets anywhere on the planet. Billing itself as “the world’s first search engine for Internet-connected devices,” Shodan invites users to locate smart webcams, buildings, refrigerators, power plants—everything and anything that makes up the mushrooming IoT universe.639
Because IoT devices operate via the internet, they can be readily appropriated by determined hackers. In 2012 a blogger codenamed someLuser reportedly used Shodan to find hundreds of unsecured, internet-connected Trendnet security cameras. someLuser promptly hijacked the cameras’ live feeds and streamed them online for all the world to see. They included video feeds from malls, offices, warehouses, parking lots, even children’s bedrooms, complete with their addresses pinpointed on Google Maps.640
In March and November 2017, Wikileaks released documents revealing how the CIA routinely hacks IoT devices to spy on people. The exposé shocked many but not those in the know. “The idea that the CIA and NSA can hack into devices is kind of old news,” says Matthew D. Green, a professor at the Johns Hopkins Information Security Institute. “Anyone who thought they couldn’t was living in a fantasy world.”641
According to the Wikileaks documents, the CIA purchased many of the hacking techniques from third parties with shadowy monikers like Baitshop, Fangtooth, and Anglerfish. One CIA-friendly hacker, code-named Weeping Angel, created a way to target certain Samsung smart TVs, commandeering the sets’ built-in microphones and cameras to spy on people.
“Weeping Angel places the target TV in a ‘Fake-Off’ mode, so that the owner falsely believes the TV is off when it is on,” explains one leaked CIA paper. “In ‘Fake-Off’ mode the TV operates as a bug, recording conversations in the room and sending them over the Internet to a covert CIA server.”642
Samsung claims it has since repaired the zero day, the technical term for a serious hacking vulnerability. But the company’s web page about privacy still gives customers this heads-up:
“Your SmartTV is equipped with a camera that enables certain advanced features, including the ability to control and interact with your TV with gestures and to use facial recognition technology to authenticate your Samsung Account on your TV. The camera can be covered and disabled at any time, but be aware that these advanced services will not be available if the camera is disabled.”
Once again, the issue is convenience—a universal theme, as we’ll see, with smart devices. Let’s face it: most of us are unwilling to forgo the convenient features of a very expensive smart device—in this case, being able to control a TV set from the couch—even if it means watching TV comes with the risk of the TV watching us.
Each time we click the little “I Agree” box next to the End User License (EUL) of any IoT device, we give it our blessing to spy on us. And yet we do so routinely. Indeed, IoT makers count on most of us never even reading the lengthy consumer contracts written in super-fine print, because we’re so eager to play with our new smart toy.
Worse, there’s a lucrative market for the personal information surreptitiously collected by IoT devices. Third parties happily pay big bucks to know our zip code, politics, Google searches, Tweets, Facebook posts, browsing preferences, purchases on Amazon, movie-watching habits, the make and model of our car, and on and on. Even if they don’t know your name, armed with all that information, marketers know pretty much who you are.
“Your identity is what they’ve compiled,” says Gary Reback, a Silicon Valley attorney. “That is kind of scary when you think about it. I just don’t think people think about it enough.”643
Michael Patterson, CEO of a Maine-based cybersecurity firm, personally avoids using navigation apps on his smartphone. “Maybe they keep track if I’m speeding a lot,” he worries. “Maybe they sell it to insurance companies.”644
Is he being paranoid?
Before answering, consider the following story.
James Scott, a senior fellow at Washington, DC’s Institute for Critical Infrastructure Technology,645 recounts seeing a conspicuously large group of people visiting a top US intelligence agency. Curious, he asked an agency employee who they were. “Oh, that’s Google,” the employee answered. “They are always here begging us to buy their data.”646
“We need legislation that basically forces these companies to be very, very clear on what information they are taking from us when we install these apps,” says Patterson. He likens it to cereal makers, which are required to give us clear-cut nutrition facts. “I want nutrition facts on every piece of software I install . . . [that lists] all the information they’re taking.”647
As of this writing, unfortunately, no such legislation is in the works. So the IoT spy network continues its furtive activities mostly unchecked.
Here is a sampling of smart devices secretly tattling on us, in ways most of us would never expect.
Smartphones
Topping the list of snooping IoT devices are our smartphones, which essentially are powerful, pocket-sized computers. “A smartphone has many additional features compared with a regular cell phone,” note Moroccan researchers Mehdia Ajana El Khaddar and Mohammed Boulmalf, “such as a color LCD screen, wireless capabilities—that is Wi-Fi, Bluetooth, infrared, etc.—a large memory and a specialized operating system (OS) with an offer of many downloadable applications.”
Downloadable applications.
Apps, for short.
As of March 2017, reports statista.com, there were 2.8 million available apps at Google Play Store and 2.2 million apps available in Apple’s App Store, the two leading app stores in the world.648 Apps are a major boon to our daily lives, helping us navigate through traffic, know what weather to expect, check in at airports with electronic boarding passes, connect with a faraway friend by text—the list seems endless.
But apps are also a major bane to our personal privacy. Take, for instance, the growing number of smartphone apps spying on our behavior using something called ultrasound cross-device tracking (uXDT) technology.
Using a smartphone’s microphone, these apps listen for inaudible beacons—think dog whistle—secretly emitted by ads playing on the radio, TV, internet, your own smartphone, and even physical locations, such as retail stores. By knowing which ads you hear/watch, and the places you frequent, the app makers are able to piece together a profile on you. That, in turn, helps them know which products to push at you.649
Shopkick, Lisnr, and SilverPush are the main providers of the uXDT technology, of which SilverPush is by far the largest.650 According to German researchers at Technische Universität Braunschweig, there were only six SilverPush uXDT-enabled apps in April 2015. By December 2015, the number increased to thirty-nine. As of May 2017, there were 234.
On its website, SilverPush pitches its invasive technology to prospective clients with unabashed candor. “Next time don’t just reach your customers, know them,” it declares. “Next generation Advertising 2.0 is here.”651
SilverPush is tightlipped about its uXDT clients, so we can’t be sure which apps are spying on us with ultrasonic beacons—although it appears none are currently operating in the United States.652 For the aforementioned German researchers, SilverPush’s high level of secrecy indicates “the step between spying and legitimately tracking is rather small.”653
Of course, we can easily protect against uXDT snooping by refusing to give apps permission to use our smartphone’s microphone. But app makers know we’re not liable to do that. Even if suddenly we all did, app makers would only need to offer deep discounts to anyone willing to play ball, and no doubt many of us would do just that.654 [See SPY: MEMORY LANE.]
The unavoidable reality is smartphones, boon that they surely are, have become “small tracking devices,” says Michelle De Mooy, acting director of the Center for Democracy and Technology’s Privacy & Data Project. “We may not think of them like that because they’re very personal devices—they travel with us, they sleep next to us. But they are in fact collectors of a vast amount of information including audio information.”655
Robot Vacuum Cleaners
Robot vacuum cleaners rely on a system of infrared sensors, laser light, and in some cases low-resolution cameras to clean floors without bumping into things or getting cornered. It’s called simultaneous localization and mapping (SLAM) technology.
A robot vacuum uses the technology to create digitized maps of a home’s interior. That way, if it runs low on power, for instance, it can stop, find its way back to the recharging station, plug itself in until fully powered up, then return to where it was and resume the job.
In 2017 Reuters revealed iRobot—the Massachusetts-based manufacturer of the popular Roomba vacuum cleaners [see ROBOT: MEET YOUR NEW BFF]—plans to share the maps of customers’ houses with other vendors. Colin Angle, iRobot’s CEO, defended the plan by noting it’s the customers who are allowing such sharing to occur. “There’s an entire ecosystem of things and services that the smart home can deliver, once you have a rich map of the home that the user has allowed to be shared.”656
The user has allowed.
Check.
Colin Angle counts on customers mindlessly checking off the “I Agree” box next to the EUL for iRobot’s HOME app. And why shouldn’t he? The app allows us to control Roombas from anywhere in the house with just our smartphones. Why would we deny ourselves that singular convenience, especially after paying up to $800 for the IoT gadget?657
Thus, Angle is technically correct. It is entirely with our knowledge and consent that the little spies rove about, vacuuming up everything they can learn about us and our domiciles and storing it in a cloud.658
Angle denies iRobot is selling the personal information to third parties, piously averring in a written statement, “iRobot will never sell your data.”659 Instead, he says, iRobot is giving the data away for free.
But Angle’s giveaway scheme is crafty. Here’s how it works.
He plans to give away the Roomba maps of customers’ homes to the makers of other smart-home devices. They include smart stereo systems that conform optimally to a room’s acoustics; smart climate-control systems that customize airflow to each room, according to its needs; smart lighting systems that control for a room’s windows, the season, and time of day; and smart security systems that know where everyone and everything is in a house at any given time.
In return for Angle’s free intelligence, these other vendors will naturally be incentivized to make their smart-home devices uniquely compatible with iRobot’s products and the maps of our houses. This inevitably will increase iRobot’s share of the market and profits.660
Wireless Headphones
Bose, famous for its high-end stereo systems, sells a suite of enormously popular wireless headphones. They include the QuietComfort, QuietControl, SoundSport, and SoundLink product lines.661
Like nearly all IoT devices, the wireless headphones come with a smartphone app—which, yes, features a finely printed EUL and prominent “I Agree” box. The Bose Connect app enables customers to, among other things, easily curate and control their song libraries via their smartphone touchscreens.
But, hold on.
In a federal, class-action lawsuit filed in Illinois’s Northern District on March 18, 2017, attorneys allege: “Unbeknownst to its customers . . . Defendant designed Bose Connect to (i) collect and record the titles of the music and audio files its customers choose to play through their Bose wireless products and (ii) transmit such data along with other personal identifiers to third-parties—including a professional data miner—without its customers’ knowledge or consent.”662
On its webpage, Bose insists: “Bose Corporation (‘Bose’) respects the privacy of our users.”663 But then it immediately lists all the information it collects on users:
• Your software and hardware attributes—including Device operating system version, MAC address, and hardware model information
• Device identifiers such as IP address and Device IDs
• Your time zone
• Information about when you use the App—such as date and time and duration
• Network information such as network type and carrier
• Information about the Bose Products you connect to the app—such as Bose Product model, name, serial number, and product settings (e.g., volume, bass/treble level)
• How you use the App during your current session and over time, including the media content to which you connect while using the App (e.g., song or podcast title, artist, and playing time)
And then, as a postscript, Bose discloses this gem:
“To gather the information discussed in this section, we or our service providers may use web logs or applications that recognize your Device and gather information about your use of the App, including software developer kits (“SDKs”), pixels, scripts, or other tracking mechanisms.”
That’s what now passes for respecting a user’s privacy.
“Indeed, one’s personal audio selections—including music, radio broadcast, Podcast, and lecture choices—provide an incredible amount of insight into his or her personality, behavior, political views, and personal identity,” reads the lawsuit. “In fact, numerous scientific studies show that musical preferences reflect explicit characteristics such as age, personality, and values . . .”664
Segment, a San Francisco-based data-mining firm, is allegedly one of the third parties receiving all that personal information from Bose’s headphone apps. On its website, Segment—which boasts having 15,000-plus clients—claims it can “capture data from every customer touch point” and then send it to wherever “it can be used most effectively.”665
Put bluntly, Segment collects and processes personal information from a legion of IoT snoops then pimps it out to the world’s highest bidders.
Listening Devices
The age of IoT lends fresh meaning to the old admonition, “Be careful what you say; the walls have ears.” Today, ears are literally everywhere, having become a big part of the smart-technology boon.
Our cars have ears, with voice-activated systems like Dragon Drive,666 Ford Sync,667 and GM IntelliLink.668 Our children’s bedrooms have ears, with popular sound monitors by VTech, Safety 1st, and Motorola.669 Even wristwatches such as Fitbit,670 Apple Watch,671 and CoWatch have ears.672
Consider, too, the voice-activated assistants in our homes. Amazon Echo,673 Google Home,674 and Apple HomePod675 are smart, modern-day genies that are always all-ears [see ROBOT: MEET YOUR NEW BFF].
But how smart are we for buying into it all?
Without her parents’ knowledge or permission, a six-year-old Dallas, Texas, girl used an Echo Dot to order herself a KidKraft Sparkle Mansion dollhouse and a large tin of sugar cookies. When they found out, her parents donated the mega-dollhouse to a local children’s hospital.676 Now, the entire family watches what they say around the big-eared Echo Dot. “I [now] like whispering in the kitchen,” confesses the girl’s mom.677
Remarkably, the saga doesn’t end there.
The story aired on the CW6 News’ morning show in San Diego, ending with anchor Jim Patterson quipping, “I love the little girl saying, ‘Alexa ordered me a dollhouse.’” Immediately, Echo devices all over the city hearkening to the anchor’s voice each began attempting to do the very same thing—order a dollhouse.678
You see, the technology is relentless and unforgiving. The minute we say the magic wake-word—in this case, “Alexa, . . .”—the smart device instantly fires off our verbal request via the web to a cloud, where our words are analyzed, and the genie’s response is formulated. In effect, the cloud is the genie’s brain.
Typically, an audio file of all our requests is permanently stored in the cloud. It helps the genie remember our preferences, as well as the idiosyncrasies of our voice.
There are ways to disable this recording feature to protect our privacy. But, here again, few of us do that, because it kneecaps the genie. Whereupon it becomes, as one Wired reporter wryly put it, little more than a paperweight.679
Kids’ Toys
In July 2017 the FBI issued a stern warning to parents about smart toys. “These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities—including speech recognition and GPS options,” it said. “These features could put the privacy and safety of children at risk because of the large amount of personal information that may be unwittingly disclosed.”680
That’s precisely what happened with the web-connected stuffed animals called CloudPets, made by a California company named Spiral Toys. Briefly, here’s how the plush toys work:
1. Using the CloudPets’ smartphone app, a loved one can send messages to a child from anywhere in the world.
2. A grownup at home receives each message, approves it, and forwards it wirelessly to the child’s CloudPet.
3. The CloudPet’s heart responds by blinking, whereupon the child squeezes the animal’s paw to hear the message.
4. The child can record a response by again squeezing the paw. The message is then transmitted directly via a nearby smart device to the loved one anywhere in the world.681
In early 2017 several security experts—including Australian Troy Hunt, a Microsoft Regional Manager—gained access to an unsecured cloud server containing the account information of more than 800,000 CloudPets users. The trove of stored data included children’s names, photos, email addresses, and 2.2 million recorded personal messages.682
Parents “probably didn’t think through the fact that when you connect the teddy bear [to the web],” says Hunt, “your kids’ voices are sitting on an Amazon server.”683 It was information anyone could find simply by using the IoT search engine Shodan.684
Spiral Toys maintains no personal information was stolen and, in any case, has since then fixed the problem. “To our best knowledge, we cannot detect any breach on our message and image data, as all data leaked was password encrypted.”685
But Hunt and the other experts disagree, citing evidence the database was stolen more than once by hackers and held for ransom. They also point out many of the passwords were extremely weak and easily guessed. “Anyone with the data could crack a large number of passwords, log on to accounts and pull down the voice recordings,” explains Hunt.686
Red flags also have been raised concerning IoT dolls Hello Barbie and Cayla, as well as hereO kids’ watches.687 The list of hackable toys is quickly growing, says the FBI, thanks to companies chasing after a quick buck. “Security safeguards for these toys,” it warns, “can be overlooked in the rush to market them and to make them easy to use.”688
Adult Toys
Couples using We-Vibe vibrators—made by Ottawa-based Standard Innovation—can control one another’s smart dildos via the web. “Turn on your lover when you connect,” the product website says, “and play together from anywhere in the world.”689
The We-Connect smartphone app lets you control your partner’s vibrator, with rousing modes like the pulse, wave, crest, peak, and cha cha cha. Also, says the website, the app lets you “Build excitement with secure in-app voice, chat and video.”690
But there’s a problem with all of it.
In late 2016 a pair of hackers, codenamed g0ldfisk and followr, discovered roguish voyeurs standing within thirty-five feet of the smart dildos—say, just outside the house—could hijack them via Bluetooth and make them dance to their tune, so to speak.691
And that’s not all.
An Illinois woman identified simply as “NP” filed a federal class-action lawsuit against Standard Innovation, claiming: “Defendant programmed We-Connect to secretly collect intimate details about its customers’ use of the We-Vibe, including the date and time of each use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user . . . and incredibly, the email address of We-Vibe customers who had registered with the App, allowing Defendant to link the usage information to specific customer accounts.”692
“It’s one matter collecting data about your usage of a smart coffee machine,” remarks Ken Munro of Pentest Partners, a British firm that tests the security of IoT devices. “It’s a whole different matter gathering data about your sex toys.”693
In a settlement announced in March 2017, Standard Innovation agreed to pay NP and the other plaintiffs a total of $5 million in Canadian currency—about $3.9 million in American money.
The company also agreed to “(i) purge email addresses provided by application users as part of the We-Connect application registration process . . . and (ii) purge the following data elements: the time and date of each use, the vibration intensity level selected by the user, the vibration mode or pattern selected by the user, the temperature of the device, and the battery life.”694
It was a fitting climax, one might say, to a very heated matter.
At this point, you might be thinking: Who needs secret police, when so many IoT devices are spying and snitching on us? And doing so lawfully. With our blessing.
“You know something is wrong when the government declares opening someone else’s mail is a felony,” quips author and blogger Elizabeth Ann Bucchianeri, “but your internet activity is fair game for data collecting.”695
If you’re wondering how much information about your internet behavior is being noticed, here’s an easy experiment you can do.
If you have a Google account—and who doesn’t these days?—log into https://myactivity.google.com/ and behold all the information that is stored about your online activity. It includes topics you’ve searched, websites you’ve visited, and videos you’ve watched.
And that’s just Google, which is relatively transparent about the lowdown they have on us. Think of all the IoT gadgets with which we interact daily, each one stashing away juicy tidbits of highly personal information about us for other people to see—total strangers halfway around the world, even.
For children now being born, their electronic dossiers begin right away. Hospitals digitize medical records and exchange them online. And schools expect kids to use electronic tablets for notetaking and the web for research.
Gennie Gebhart, a researcher at the San Francisco-based Electronic Frontier Foundation, warns that today’s surveillance culture “threatens to normalize the next generation to a digital world in which users hand over data without question in return for free services, a world that is less private not just by default, but by design.”696
It’s a world run by what experts are calling the Internet of Everything, or IoE. A world that jeopardizes not just our personal privacy, but our civilization’s very existence.
On October 21, 2016, we got an unsettling peek at this dubious IoE world, when web service came to a screeching halt throughout North America and Europe. Twitter, Spotify, Reddit, The New York Times, Pinterest, PayPal, and other major websites went completely dark.
The culprit? Mirai, a nasty bit of malware that infects IoT devices. On that eye-opening October day, hundreds of thousands of Mirai-infected security cameras, routers, and DVRs helped spread their contagious disease throughout the world wide web at the speed of light.697
In 2017, in a report ominously headlined, “A New IoT Botnet Storm is Coming,” Check Point—a major Northern California cybersecurity company—issued a warning about a vicious new malware named IOTroop. The report’s three subheads read:
• A massive Botnet [IOTroop] is forming to create a cyber-storm that could take down the internet.
• An estimated million organizations have already been infected.
• The Botnet is recruiting IoT devices such as IP Wireless Cameras to carry out the attack.
According to the report, IOTroop is “evolving and recruiting IoT devices at a far greater pace and with more potential damage than the Mirai botnet of 2016.” It appears to be exploiting “vulnerabilities in Wireless IP Camera devices such as GoAhead, D-Link, TP-Link, AVTECH, NETGEAR, MikroTik, Linksys, Synology and others.”698
Welcome to the beginnings of the IoE world.
Way back in 2008, a cheery IBM predicted the IoE would usher in the era of a “Smarter Planet,” comprising everything “from smarter power grids, to smarter food systems, smarter water, smarter healthcare and smarter traffic systems.” The IoE would surely create a tsunami of data, said IBM, but not to worry, the company was already busy creating algorithms to make sense of it all.699
Today’s nascent IoE—with its flood of information, data, analytics, and algorithms—is, of course, great news for IBM’s bottom line. It spells unlimited j-o-b s-e-c-u-r-i-t-y for the company’s supercomputers, such as Watson. But for the rest of us, big data and big algorithms foreshadow big brother.
Think about it: smart devices can only become “smarter,” as IBM foresaw, by learning more about us. Not just our voices, faces, behaviors, preferences, politics, and sex lives, but everything. For that reason, I honestly can’t see how the idea of an IoE—of a “smarter planet”—is ultimately good for our bottom line.
“The internet, our greatest tool of emancipation, has been transformed into the most dangerous facilitator of totalitarianism we have ever seen,” cautions Julian Assange, founder of Wikileaks. “Left to its own trajectory, within a few years, global civilization will be a postmodern surveillance dystopia . . . In fact, we may already be there.”700