The new Nest Hub Max is displayed during the 2019 Google I/O conference at Shoreline Amphitheatre in Mountain View, Calif., on May 7, 2019. (Justin Sullivan/Getty Images)
A new study by UK consumer watchdog Which? has found that some smart devices, such as watches, TVs, speakers, and even air fryers, are spying on consumers.
The group looked at products in four categories and gave them privacy scores based on how they handle user data and permissions.
According to Which?, researchers discovered that many devices collect information beyond what they need for basic functions. In a Nov. 5 statement, Which? said the extra data could potentially be shared among other companies for marketing purposes, advising companies to put user privacy before profits.
In the air fryer category, all three tested products asked for permission to record audio on users' phones without explaining why. The Xiaomi air fryer app was found to connect to trackers from Big Tech companies like Facebook and China's Tencent, depending on where the user is located. Researchers also found that the Aigostar air fryer asked for some optional information like gender and birth date during setup, again without a clear reason.
Researchers said both the Aigostar and Xiaomi air fryers sent personal data to servers in China, which is listed in their privacy notices but still raises concerns about security.
In a statement to Which?, Xiaomi contested that the permission to record audio from the Xiaomi Home app isn't applicable to their air fryer, which doesn't work through voice commands or video chat.
"Respecting user privacy has always been among Xiaomi's core values, which includes transparency, accountability, user control, security, and legal compliance," they said.
The Huawei Ultimate smartwatch stood out in the study for requesting the most "risky" phone permissions.
According to Which?, these permissions give the watch access to sensitive parts of a user's phone, such as precise location, audio recording, and the ability to see all installed apps. Huawei defended these requests, saying they were all necessary for the watch's functions and that user data isn't used for marketing or advertising.
Researchers also found some trackers active on the Huawei watch, but the company said they only work in certain areas.
"We are very clear both on the devices at set-up, and on the companion app Huawei Health, which permissions are required and why, and users have full control over turning them on or off at any time," a Huawei spokesperson said in a statement, published in the study.
The study also looked at two popular smartwatches sold on Amazon: the Kuzil and WeurGhy models. Researchers found these to be basically a copy of Huawei, which they noted highlights a common issue of lesser-known brands selling similar items online.
During the study, both watches needed user consent to work fully; without it, they only worked as basic watches. Neither watch provided information on how long they would receive security updates, which is required by law. One positive researchers found was that they weren't found to use any trackers.
Smart TVs were another area of concern in the study. The group found that TV menus were full of ads and asked for a lot of user data. Both Hisense and Samsung TVs required a postcode during setup. When asked, the companies said users could enter a partial postcode and that it was only used for local content. Samsung claimed providing a postcode wasn't required, but Which? found it seemed to be mandatory in their tests.
"We employ industry-standard security safeguards and practices to ensure that the data are secured. Customers are also given the option to view, download or delete any personal data through their Samsung accounts," Samsung said in their own statement.
Hisense said they are compliant with all UK data privacy laws and said they only use postcodes to offer regional specific content, but if users are concerned, they could request partial postcodes instead.
LG TV also asked for a postcode, but it wasn't required. For Samsung, the company's TV app requested eight risky phone permissions, including the ability to see all other apps on the phone. Hisense wasn't found to connect with any detectable trackers, but researchers have found that both Samsung and LG were linked to several sites, including Facebook and Google.
For smart speakers, the Bose Home Portable speaker and its app asked for the fewest phone permissions when being set up, but the ones they did ask for were reportedly "stuffed with trackers," from Facebook, Google, and a marketing company called Urbanairship. The same speaker also failed in getting proper consent for data tracking, according to the study.
The Amazon Echo speaker allows users to skip some data-sharing requests but with a catch. Both the Amazon Echo Pop and Google Nest require users to create an account with them and don't allow them to choose which tracking to enable, which gives them a low privacy rating overall, according to Which?.
One thing all tested devices had in common was asking for users' exact location.
The study emphasized the issue of how easily smart tech devices can collect too much data without being clear about its use. It noted that the Information Commissioner's Office (ICO) plans to release new guidelines for smart product makers in Spring 2025 in the United Kingdom. Which? said that these guidelines most importantly should explain how consumer data may be used by companies and what information they must share with users.
However, researchers noted that companies based outside the UK could find ways around these rules.
Harry Rose, editor of Which? magazine, said the study highlights how many smart tech companies are recklessly collecting consumer data without regard for privacy.
"Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency," he said.