Smart Device Listening

We've all had that unsettling experience: a casual conversation about a new appliance, a holiday destination, or a fleeting interest, only for eerily specific ads to start popping up on our phones minutes later. It’s a common, if unnerving, understanding that our digital companions – whether it's Google's ever-present assistant or Apple's Siri – are, in some capacity, always listening, seemingly translating our spoken words into targeted advertising. But what about the other "smart" devices infiltrating our homes, from air fryers to smartwatches? Are they also silently gathering data, pushing the boundaries of what's acceptable when it comes to our most private spaces?

In a significant move to safeguard consumer privacy, the Information Commissioner's Office (ICO) has released new guidance for manufacturers of smart home appliances, aiming to rein in what some describe as "disproportionate surveillance" by everyday gadgets. The guidance comes after an investigation by consumer champion Which? uncovered alarming data collection practices by certain smart devices, including air fryers, smart TVs, and smartwatches.

With an estimated four out of five people in the UK owning at least one smart appliance, the new rules are designed to protect a vast segment of the population from potentially intrusive data collection.

The Which? investigation highlighted several concerning instances. Three air fryers, manufactured in China were found to record audio on owners' phones without a specified reason and some were observed sending personal data to Chinese servers, although this was noted in their respective privacy notices.

The new guidance mandates that manufacturers and developers adopt a "data protection by design and default" approach. 

Smartwatches and fitness trackers are also explicitly covered by the new guidance, with the ICO advising extra caution for "special category data" like a user's BMI or fertility information. The Which? study found that the Huawei Ultimate smartwatch requested nine "risky" phone permissions, more than any other device in the investigation. These risky permissions typically include access to precise location, audio recording capabilities, stored files, or the ability to view all other installed apps. Huawei has stated that all requested permissions have a justified need, and there is no suggestion of illegal behavior by any of the companies mentioned in the study.

Australian Context: A Similar Path Towards Stronger Protections

The UK's proactive stance on smart device privacy resonates strongly in Australia, where similar concerns about data collection and security have been growing. While Australia does not have an identical regulatory body to the ICO, the Office of the Australian Information Commissioner (OAIC) plays a key role in upholding privacy rights under the Privacy Act 1988 (Cth).

Significantly, Australia has recently introduced its own legislative measures to address these issues. The Cyber Security Act 2024 (Cth), which received Royal Assent in November 2024, is a landmark piece of legislation that includes provisions for mandatory minimum cyber security standards for smart devices. These "Cyber Security (security standards for smart devices) Rules 2025" are set to come into effect on March 4, 2026.

These Australian rules will require manufacturers and suppliers of internet-connectable products intended for consumer use to comply with specified security standards. Key requirements include:
​

• No universal default passwords: Each device must have a unique password or allow the user to define their own.
• Vulnerability reporting mechanisms: Manufacturers must have a public policy for reporting security issues and provide contact information for doing so.
• Minimum security update periods: Manufacturers must disclose the duration of security support for their products' software or hardware.
• Statement of compliance: Both manufacturers and suppliers will be required to provide a statement confirming their device meets these standards.

The OAIC has also been actively engaged in promoting "privacy by design" for all digital products, including AI systems, and has issued guidance emphasizing transparency, accuracy, and the need for informed consent, particularly for sensitive personal information collected by IoT devices.

Ep344

Image created by AI