ICO issues warning over smart devices harvesting personal data
The Information Commissioner’s Office (ICO) has issued a warning about the risks posed by smart devices harvesting personal data.
The ICO also announced a crackdown on connected devices, with plans for new rules and action against manufacturers who fail in their data security obligations.
The warning comes in response to a new report from Which?, based on a detailed audit of connected devices, which found that almost all required location data despite this information not being key to the product’s functionality. The report’s findings ranged from some brands of speakers that automatically share customer data with TikTok and Meta to smart TVs that insist on knowing viewing habits.
The Which? report stated: “Based on our testing, Chinese brand Ezviz’s devices, sold by major high-street retailers including Argos, had by far the most tracking firms active. These included Pangle (TikTok’s business marketing unit), Huawei, as well as Google and Meta.”
Every single brand assessed by Which? used tracking services from Google, while Blink and Ring also connected to parent company Amazon. Google’s Nest product demands the user’s full name, email, date of birth and gender.
Andy Ward, VP International, Absolute Software, added: “Connected devices are the lifeblood of a modern workplace but are also a minefield when it comes to data security. The ability for malicious third parties to listen in, steal passwords and confidential information means that organisations should think first before implementing new devices that could present a major security risk.
“Key to this effort must be ensuring rigorous and regular cyber defences are in place, along with the ability to track, locate and freeze devices in the event of loss or theft.”
ICO chief Stephen Almond, Executive Director of Regulatory Risk, said: “People should be able to enjoy the benefits of using their connected devices without having excessive amounts of their personal data gathered. This simply isn’t a price we expect to pay.
“To maintain trust in these products companies must be transparent about the data they collect and how they use it, and ensure that the data is not used or shared in ways that people would not expect.”
Cyber expert Oseloka Obiora, CTO, RiverSafe, said: “It’s time to wake up and smell the coffee around the risks posed by smart devices, which bring with them both a data privacy and cyber risk. The rise of smart offices can create an exciting work environment, but open up a myriad of security challenges, from eavesdropping in the boardroom to offering a backdoor into the business for hackers to exploit. New devices should be approached with a level of caution, with data policies checked and confidential information properly protected at all times.
“The most effective defence against identity theft is personnel awareness. Strong and consistent cyber awareness programmes are crucial to minimising the opportunistic data privacy compromises,” he added.