Smart devices want to know user locations

by Mark Rowe

Air fryers are demanding permission to listen in on conversations and sharing data with TikTok, and TVs want to know users’ exact locations at all times, says the consumer product testing body Which?.

As well as knowing customers’ precise location, all three air fryers it tested wanted permission to record audio on the user’s phone, for no specified reason. All of the devices on test wanted to know users’ precise locations. The UK data privacy regulator the ICO is due to publish new guidance for smart product manufacturers in spring 2025, Which? notes. This guidance must include really clear advice on how consumers’ data can be used and the transparency required of businesses, Which? argues. Which? adds that it’s concerned that manufacturers based abroad could take advantage of the challenges of enforcing compliance with guidelines.

Harry Rose, Which? magazine editor, said: “Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency.

“Which? has been calling for proper guidelines outlining what is expected of smart product manufacturers and the ICO has confirmed a code is being introduced in spring 2025 – this must be backed by effective enforcement, including against companies that operate abroad.”

Comments

Megha Kumar, Chief Product Officer and Head of Geopolitical Risk, from cybersecurity consultancy CyXcel, said: “The regulatory and data protection regime for smart devices is rudimentary and fragmented worldwide, and a growing data breach and cyber risk. This is due to many reasons.

“The market for smartphones and computers is dominated by a few large firms such as Apple, Samsung, Dell and Microsoft which have the funds to invest heavily in data protection and cybersecurity, and are bound more stringently by data protection laws that govern which data are collected, for what purpose and stored for how long. By contrast, other connected devices such as air fryers and TVs are manufactured by a wider range of vendors, some of unequal reputation and often with a poor track record on data compliance and cybersecurity.

“A lot of connected products such as smart kitchen gadgets are white labelled products with an unclear and complicated supply chain that crosses many countries, especially a whole range of small Chinese manufacturers. This makes it impossible for consumers to know which supplier is actually responsible for data collection, and which company is abiding by the data laws of which country. When making purchasing decisions, consumers often prioritise cost, but that potentially stores up greater risks for the future, not only because of potentially unlawful data collection but also because these devices are connected to the same WiFi network in our homes as work laptops or sensitive data-holding hard drives.

“Compared to smartphones and laptops, excessive data collection from household connected devices carries an even greater risk of data breaches: most people are not even aware of the scale and volume of the data collected by these devices, even though they have access to personal/domestic environments. Making matters trickier, most people use some of the connected devices for 5-10 years. People replace their smartphones more frequently than their fridge. There have been several cases where hackers have compromised the safety and security of individuals by hacking their digitally connected heating systems, for example.”

Adam Brown, managing security consultant at software firm Black Duck, said: “The Cyber Resilience Act [CRA], which came into play this year, enforces stricter cybersecurity standards for all products with digital features sold in the EU and aims to safeguard from security vulnerabilities by requiring manufacturers to implement mandatory cybersecurity measures throughout a connected product’s lifecycle. However, “excessive smart device surveillance” may not fall within the requirements of the CRA. Bringing connected devices into your home network opens doors for potential surveillance activity. And while an individual may not be a target for control or surveillance, as a part of a larger group, they may be.”