The Most Privacy-Risky Smart Home Apps: How Much of Your Data Is at Stake?
Synced
Published August 2024
With the growing adoption of smart home devices, mobile apps that control and monitor these devices have become increasingly popular. We use them to manage our homes remotely and automate various tasks, such as controlling lighting, temperature, security systems, and even home Wi-Fi networks.
These apps typically collect users' data, gathering different types of personal information. The App Store lists 14 data types that each app may collect, which include contact info, health & fitness info, financial info, location, sensitive info, contacts, user content, browsing history, search history, identifiers, purchase history, usage data, diagnostics, and other data.
Data collection is sometimes necessary for the app's functionality or for improving user experience, but it also introduces privacy risks that can be detrimental to users, if the data is not properly secured or if it is misused by the app developers or third parties.
There are several ways in which these smart home apps can risk users' privacy:
- Unauthorized Access: If the app does not have strong security measures, there is a risk that hackers or unauthorized parties could access the collected data. This could lead to identity theft, financial fraud, or other malicious activities.
- Data Misuse: Even when data is collected legitimately, there is a risk that it could be used for purposes beyond what the user agreed to, such as being sold to third parties, used for targeted advertising without consent, or shared with other companies.
- Lack of Transparency: Users may not be fully aware of what data is being collected, how it is being used, or with whom it is being shared. This lack of transparency can lead to a loss of trust and a sense of violation when users discover that their data has been used in unexpected ways.
- Potential for Profiling and Discrimination: Collected data can be used to create detailed profiles of users, which could then be used in ways that lead to discrimination or bias, such as in targeted advertising, pricing discrimination, or even surveillance by governments or organizations.
The more data an app collects, the more information is available that could be exposed in a data breach, used for unintended purposes, or accessed by unauthorized parties. This increases the likelihood of privacy violations and the severity of the consequences. Conversely, apps that collect less data pose a lower privacy risk, as there is less information available to be compromised.
Smart Home Apps, Graded by Privacy Risk
We analyzed 100 smart home apps on the App Store, studied how many types of users' data they collect, and then graded them based on the level of privacy risk they introduce.
Privacy Risk Level
The higher the number of data types collected, the greater the potential for privacy violations.
- Extremely High Privacy Risk (75% and above)
Apps in this category collect the majority of the 14 data types listed, posing a significant threat to user privacy. - High Privacy Risk (50% to 74.9%)
These apps collect a substantial number of data types, indicating a high level of privacy risk for users. It is concerning but not as severe as the "Extremely High Privacy Risk" category. - Moderate Privacy Risk (25% to 49.9%)
Apps in this category collect a moderate amount of user data, posing a reasonable level of privacy risk. - Low Privacy Risk (0% to 24.9%)
Apps here collect minimal user data, reducing the potential for privacy breaches. While no app is entirely risk-free, those in this category pose the least threat to user privacy, as they gather only the most essential information.
Amazon Alexa & Google Home Pose an Extremely High Privacy Risk
Amazon Alexa and Google Home, collecting 92.9% and 85.7% of users' data respectively, are considered to pose an extremely high privacy risk. Their extensive data collection may be due to the wide range of features and functionalities they offer, which require access to various types of user information.
For example, Amazon and Google collect location data for Home/Away routines and location-based automation features, which can automatically activate or deactivate smart home devices when users enter or leave their premises. A potential risk is that their location history could be exposed to potential threats, allowing unauthorized individuals to know where they live and work, compromising safety and privacy.
Another example is search history data, which is not commonly collected by most smart home apps. Among the 100 smart home apps we studied, only 9% collected users' search history data, and Amazon Alexa and Google Home are among them. Both apps use search history data because they are part of the wider ecosystem of digital assistant services, which rely on analyzing user search queries to provide personalized recommendations and responses. The potential risk is that this search history data could be misused to profile users and target them with personalized advertising or other undesirable purposes without their knowledge or consent.
Low Privacy Risk Doesn't Mean Zero Risk
Among the apps posing low privacy risk is Wyze, which claims to be collecting only 21.4% of users' data. However, this doesn't mean that users can have the utmost confidence that their information is safe.
In fact, Wyze has suffered repeated data breaches in the past. The two most recent incidents happened back in February 2024 and September 2023, when users could see video footage from other people's Wyze security cameras.
This highlights the importance of not only considering the amount of data collected by the app, but also the overall security practices and track record of smart home app providers in protecting user privacy and data.
Your Data, Their Revenue
Our study revealed that 43% of smart home apps collect users' data specifically for advertising and marketing purposes.
Among the apps collecting data for advertising, 19% take the additional step of sharing users' data with third parties for advertising.
The amount of users' data collected for advertising or third-party sharing varies across the different smart home apps, but Amazon Alexa is the #1 app that collects the most users' data for advertising purposes.
When collected for advertising and marketing purposes, users' data like search history, usage data, purchase patterns, and more can be leveraged to create highly targeted ads and profiles. While personalized advertisements may be helpful for some users, they can sometimes feel intrusive. Advertisements themselves are driven by the company's interest in generating more revenue, trading off user privacy for commercial gain.
Third-party data sharing for advertising amplifies the privacy risk, as users may not be aware of how their data is being disseminated and used by third-party companies for targeted advertising or other purposes without their knowledge or consent. This can lead to a concerning loss of control over personal information and a diminished sense of privacy.
Your Data, Tracked
We discovered that 14% of smart home apps use users' data to track users across apps and websites owned by other companies.
Alfred Home Security and myQ Garage & Access Control are two apps that use the most users' data for tracking, leveraging 29% of the 14 data types we examined.
Tracking involves linking data collected from an app with data from other companies' apps, websites, or offline properties. This linked data is then used for purposes like targeted advertising, analytics, or sharing with third-party services.
Tracking is different from third-party data sharing discussed previously in that it is a broader and more pervasive process. It continuously monitors a user's activity across multiple platforms, linking data from different sources to create a unified profile that can be used for a variety of purposes, including but not limited to advertising.
This cross-platform tracking allows companies to follow users as they move through different digital spaces, gaining insights into their habits and preferences that are far more detailed than what can be obtained from data collected within a single app. The practice can lead to a sense of being constantly tracked and monitored, while some users may not even realize that they're being tracked across multiple platforms.
Smart Home Apps that are the Safest to Use
Finally the good news - 17% of smart home apps claim to be collecting data totally anonymously, while 4% do not even collect any users' data.
Anonymous data collection means that the data is stripped of any identifiers that could link it back to individual users, such as names, email addresses, or device IDs.
The opposite of it is the data collection tied to the user’s identity, which is the more common practice - 79% of smart home apps studied collect data linked to users’ identity.
The idea behind anonymous data collection is to protect user privacy while still allowing developers to gather insights that can improve their products or services.
While this doesn't mean a zero privacy risk, it does suggest a reduced likelihood of personal data being misused or traced back to individual users.
Research Methodology
The study used Apple's Privacy Nutrition Labels featured in the App Store, which provide a standardized way for users to understand what types of data an app may collect and how that data may be used. Every app developer is required to disclose this information, though the accuracy and completeness of the disclosures are not independently verified by Apple.
For grading apps based on their level of privacy risk, we calculated the number of data types each app claims to collect overall, regardless of the purpose and whether the data are linked or not to the user identity.
For the list of apps that collect users' data for advertising, marketing, and third-party sharing, we analyzed the 'Developer’s Advertising or Marketing' and 'Third Party Advertising' data uses.
For the list of apps that track users' data, we refer to data collected under the 'Data Used to Track You' section.
For the list of apps that collect data anonymously, we identified the apps that collect data only under the 'Data Not Linked to You' section and not any data under the 'Data Linked to You' section.
Don't miss out on tech
Subscribe to our newsletter to stay up to date on the latest tech trends and guides on the best gadgets around.