Do you want to see exactly what data your smart thermostat collects and how it uses that information? Do you want to know what your video doorbell knows about who comes to your house and when? Are you interested in who can see that map of your bedroom that your robot vacuum cleaner generated? Or at least would like to reassure you no one else knows these intimate details?
Today, the Connectivity Standards Alliance (CSA), the group behind Matter, announced the creation of a new data protection working group. The group will develop a global “Alliance Data Privacy Specification” to certify the data privacy of smart devices and the services they use, and provide information on how that data is used in a clear, digestible way – that is, without that you need to wade through thousands of words in privacy policies or simply entrust companies like Amazon, Google, Samsung and others with that data.
“We want to help customers better understand what data is collected, how it is used, and whether it meets existing privacy requirements.” reads the statement posted today on the CSA website. “By acting as an advocate on behalf of consumers, the Alliance can provide guidance on every facet and act as advocates of fairness.”
“We want to help customers better understand what data is collected, how it is used, and whether it meets existing privacy requirements.”
Data is today’s gold rush. Everyone wants it, many people want to sell it, and most of the time we want to keep it for ourselves, thank you very much. But when it comes to putting connected devices in your home and clicking “I agree” on that privacy policy, we’re just giving that away. We may get useful services in return, but that doesn’t mean we should hand out data to anyone who asks for it in exchange for a little convenience.
To date there is no federal legal framework in the US that restricts what data is collected of your smart home devices or how it is used. While there has been movement around data privacy law here, we are still a long way from anything resembling the European General Data Protection Regulation. The CSA’s new working group aims to solve this problem through industry regulation. It wants to build a simple framework to detail how companies use your data and how they tell you about it.
Whenever and whatever Congress comes up with, a global data privacy specification for the smart home will still be needed. The CSA notes that the amount of data generated by connected devices in our homes and other spaces is only increasing: “Protecting our rights will become more and more challenging. Resolving this issue now is imperative for the overall health of the IoT industry,” the organization said.
Wait, doesn’t Matter solve all of this? No. The new smart home standard governs interoperability between devices and has some solid security requirements behind it related to what can be shared between them and how. However, when it comes to your data, Matter’s current framework is about protecting data from cybersecurity attacks rather than regulating how companies can use it. As Michelle Mindala-Freeman of the CSA told me The edgetoday the “data relationship” in Matter remains “between you and the individual manufacturers.”
For example, the Matter-enabled TP-Link Tapo smart plug I tested this month can be controlled locally via Matter, but for now you’ll still need to install the Tapo app – and agree to the privacy policy — to update the firmware. Matter is supposed to allow firmware updates directly through the platform, but that’s not currently in place and you’ll still need to download the manufacturer’s app.
All of this is why platforms that provide local control are becoming increasingly popular in the smart home. If a server doesn’t log every time you turn that light off, no one will know but you. Matter devices work locally, although the platform you control them from may not. While Apple’s Apple Home uses a local framework and stores data on your own iCloud that only you have the keys to, Amazon’s Alexa and Google Home rely heavily on the cloud.
Some smart home platforms provide full local control as a primary selling feature – see Home Assistant And Hubitat, For example. This allows devices to communicate and process data locally, greatly reducing (but not necessarily eliminating) the need to contact an AWS server or similar servers.
However, fully locked down data may not be a good thing for the smart home as a whole, where many companies use depersonalized aggregated data to improve services and add new features to products already in your home.
Matter’s current framework is more about protecting data from cybersecurity attacks than regulating how companies can use it
Obviously it’s complicated. And this new data privacy working group is still in its infancy. It needs a lot of nutrition to grow into something viable. As with the recently announced Health and Wellness Working Group for health technology data sharing, the CSA will need companies to come forward and help develop the specification, just as they did with Matter.
With big names like Apple, Google, Amazon, Samsung, Comcast and others on its membership roster of over 300 members, the CSA has a good place to start. But whether these companies will be as eager to collaborate on managing what is essentially a gold mine for their business opportunities as they are on making smart plugs talk to each other remains to be seen.
In recent years, many of the biggest tech companies in the smart home space have made their data and privacy policies more readable and understandable by using colorful and well-designed privacy hubs (see Google And Alexa). They have also made it easier for users to opt out of certain data collection, as well as to extract and delete data.
But in all of these polished privacy promises, there’s still a lot of flowery language that can obscure exactly how much of your data is used for advertising and other “services.” A strong data privacy specification would have to cut through this kind of cruft to be effective.
If Big Tech comes back to the table to flesh out a data privacy framework for the smart home, here are some talking points I suggest they get to work on:
A wish list for a data privacy specification
- Make it clear who owns the data generated by the device (ideally the consumer).
- Indicate exactly which data is collected and for what purpose.
- Give users the option to opt out of any or all data collection.
- Clearly identify which features you lose based on those choices.
- List expiration dates for data retention.
- Provide tools to verify the company’s compliance with stated policies.
- Identify any data the company collects to “improve its products and service.”
- Make it clear whether this data is anonymised.
- Identify what data, if any, the company sells to third parties or to share with third parties (including its own services).
- Ensure easy download, transfer and deletion of all data.
While data privacy makes less headlines in the smart home space than vulnerabilities in connected cameras or malfunctioning smart ovens, it is much more important. Multiple small data points from our homes can create a much clearer picture of our daily lives than any single video stream. That data, misused or falling into the wrong hands, can have significantly worse consequences.
Janice has been with businesskinda for 5 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider businesskinda team, Janice seeks to understand an audience before creating memorable, persuasive copy.