Thursday, 27 July 2017

The Spy Who Came Back with the Dirt

Pretty much all the news places I visit were reporting this past week how the company that makes the Roomba vacuum cleaning robot is planning to embark on a new mapping adventure (see here for one example). The plan is to have its robot armada, which has already invaded our houses, send the internal map of their owners' residences back "home". As in, its maker's "home", where they will be selling the internal map of your house away.
[Adequate disclosure: yours truly has had a Roomba getting entangled with cables for several years now; however, mine is a dumb model. All it does is clean, generate noise, and get stuck.]
The question is, should I, should you, should we, allow this private information - the internal layout of our residences - to be given away? Bear in mind, once it's gone, it's gone; you will no longer have control over it.
If you've been reading this blog you would pretty much know by now that I am on the very conservative side of things here. I would not want my private information taken out of control, period. But am I being exceptionally stupid in this particular case, even by my own rigid standards?
Let's examine the arguments.

Favouring the side of letting the data go is the undeniable assumption that we are not exactly talking Top Secret material here. I'm pretty sure my home's building plans are on the public record somewhere, and even if they aren't then they will be once the house is put on sale and the real estate agency publishes the floor plan for the world to see. Because that's how you buy and sell real estate in this world.
The key factor here appears to be not the floor plan itself but rather the way the resident has chosen to personally furnish the place. The Roomba would be able to tell where you put your sofa, how big your sofa is, where you put your TV, where you put your speakers, etc. Picking that information apart may offer some potentially life-enhancing use cases: you could be offered acoustics advice on how to improve the sound quality of your stereo, to pick on one example. To be honest, I don't really know what could be done with this data to enhance our lives, but I will admit there may well be positive outcomes. It's just that I don't know; we don't know, and I doubt Roomba's makers know. All they know is that they can make a buck.
Then there is the negative. As Bruce Schneier alerts us, there could be implications to this data being given away when something goes wrong. Say, if you want to make an insurance claim and the info your innocent Roomba had collected is, all of a sudden, used against you. Again, we simply don't know what this data will end up being used for, but we do know that once you give it away you cannot claim it back.
I will therefore go one paranoid step further and issue a piece of generic privacy advice on allowing one's personal data to be given away. It is simply this: we already know that companies such as Google and Facebook collect all the data they can about you. Similarly, we know that third-party trackers, companies such as Acxiom, do so "covertly" behind the scenes, and they are perfectly willing to sell your data to the highest bidder; that's how they make their money. With this data fed to big data processing algorithms, who knows whether tomorrow morning they will find a correlation between someone placing their TV at the corner of the room and that someone willing to spend $10 above average on shoes, hence the "need" for companies such as Amazon to charge them extra on shoes?
Make no mistake about it. It might not be willingness to pay extra for shoes, but with all that data, these companies will find something on you that could be exploited. That is the reason they exist in the first place, and they seem to be making a decent living! Last I heard, Google and Facebook are earning more money than I do.

To this still theoretical risk I will add a much more down-to-earth, clear and present danger type of practical risk. By letting the Roomba in your house connect to the Internet, you may be exposing yourself to a major security risk. How? Think of all the vulnerabilities out there with Windows (WannaCry?) and other operating systems that are always on the run to patch up the latest problem. Do you think your Roomba is immune to those problems? And when was the last time you patched your Roomba up?
Again, this is no theoretical threat. This month alone we have learnt that the Android system as well as Apple's iOS (10.3.3) have been patched up in order to fix a Broadcom wifi chip vulnerability that allowed your phone to be pwned by merely having wifi switched on! [Also bear in mind only a tiny minority of Android users actually have access to this patch. This is one of the core reasons I am firmly on the iOS side of the smartphone equation.]
My point here is not whether you want to let Roomba's maker have access to your floor plan, but whether you want to let your Roomba have access to the internet in the first place. I argue you shouldn't; nor, for that matter, should you let your run-of-the-mill "smart TV" connect to the internet, because these are clearly a weak security link. If you do want to enjoy smart TV features, do so through well-supported and patched-up devices such as an Apple TV or a PlayStation 4.

Bottom line is, letting Roomba file a report on your floor plan is but one of many tiny steps each of us is taking, knowingly or unknowingly, towards the loss of control over our privacy. I am suggesting here that before we lose such control we need to make a proper cost/benefit analysis. At this stage, at least, the benefits for us are theoretical at best while the risks, some lesser and some worse, are very much there.
I therefore recommend a conservative approach to one's privacy.
