
The CSA is addressing smart home data privacy, and it’s about damn time


The organization behind Matter has formed a data privacy working group to create a privacy certification for smart devices. But once again, it will rely on buy-in from Big Tech.


[Image: CSA data privacy working group announcement. Caption: The organization behind Matter wants to create a data privacy specification for the smart home. Credit: CSA]

Do you wish you could see exactly what data your smart thermostat collects and how it uses that information? Would you like to know what your video doorbell knows about who visits your home and when? Are you interested in who can see that map of your bedroom your robot vacuum generated? Or would you at least like to be reassured that no one else knows these intimate details? 

Today, the Connectivity Standards Alliance (CSA), the group behind Matter, announced the formation of a new Data Privacy Working Group. The group will develop a global “Alliance Data Privacy Specification” to certify the data privacy of smart devices and the services they use as well as provide information about how that data is used in a clear, digestible manner — that is, without requiring you to wade through thousands of words in privacy policies or simply trusting companies like Amazon, Google, Samsung, and others with that data.

“We aim to support customers in better understanding what data is being collected, how it is used, and if it complies with existing privacy requirements,” reads the statement posted on the CSA website today. “Acting as an advocate on behalf of consumers, the Alliance can offer guidance to each facet and act as proponents for fairness.”


Data is the modern-day gold rush. Everyone wants it, lots of people want to sell it, and most of the time, we’d like to keep it to ourselves, thank you very much. But when it comes to putting connected devices in your home and clicking “I agree” on those privacy policies, we are just giving that stuff away. We may be getting useful services in return, but that doesn’t mean we should be doling out data to anyone who asks for it in exchange for a bit of convenience. 

To date, there is no single federal legal framework in the US that limits what data is collected from your smart home devices or how it is used. While there has been movement around data privacy legislation here, we’re still a long way from anything resembling Europe’s General Data Protection Regulation (GDPR). The CSA’s new working group aims to solve this problem with industry regulation. It wants to build a simple framework to detail how companies use your data and how they tell you about it.

Whenever and whatever Congress comes up with, a global data privacy specification for the smart home will still be needed. The CSA identifies that the amount of data generated by connected devices in our homes and other spaces is only growing: “Protecting our rights will become increasingly challenging. Solving this problem now is imperative to the overall health of the IoT industry,” says the organization.

Wait, doesn’t Matter fix all of this? Well, no. The new smart home standard regulates interoperability between devices and has some solid security requirements behind it related to what can be shared between them and how. However, when it comes to your data, Matter’s current framework is about protecting data from cybersecurity attacks rather than regulating how companies can use it. As Michelle Mindala-Freeman of the CSA told The Verge, today, the “data relationship” in Matter “remains between you and the individual manufacturers.”

For example, the Matter-enabled TP-Link Tapo smart plug I tested this month can be controlled locally through Matter, but for now, you still need to install the Tapo app — and agree to its privacy policy — to update the firmware. Matter is supposed to allow for firmware updates directly through the platform, but that’s not currently in place, and you still need to download the manufacturer app.

All of this is why platforms that offer local control are increasingly popular in the smart home. If a server isn’t logging every time you turn off that light bulb, no one but you knows about it. Matter devices work locally, although the platform you control them through may not. While Apple’s Apple Home uses a local framework and stores data on your own iCloud that only you have the keys to, Amazon’s Alexa and Google Home rely heavily on the cloud.

Some smart home platforms offer full local control as a primary selling feature — see Home Assistant and Hubitat, for example. These allow devices to communicate and process data locally, significantly limiting (but not necessarily eliminating) the need to reach out to an AWS server or its ilk. 

However, totally locked down data may not be a good thing for the smart home as a whole, where many companies use depersonalized aggregated data to improve services and add new features to products already sitting in your home.


Clearly, it’s complicated. And this new data privacy working group is still in the embryonic stages. It will need a lot of nourishing to grow into anything viable. As with its recently announced Health and Wellness Working Group for sharing health tech data, the CSA will need companies to step up and help develop the specification, just as they did with Matter.

With big names such as Apple, Google, Amazon, Samsung, Comcast, and others on its 300-plus member roster, the CSA has a good place to start. But whether these companies will be as eager to work together on managing what is essentially a gold mine for their business opportunities as they were on making smart plugs talk to each other remains to be seen. 

Over the last few years, many of the largest tech companies in the smart home space have made their data and privacy policies clearer to read and easier to understand using colorful and well-designed privacy hubs (see Google and Alexa). They’ve also made it easier for users to opt out of some data collection and extract and delete data.

But in all of these polished privacy promises, there is still plenty of flowery language that can obfuscate exactly how much of your data is used for advertising and other “services.” A strong data privacy specification would need to cut through this type of cruft to be effective.

If Big Tech does come back to the table to hammer out a data privacy framework for the smart home, here are some talking points I suggest they get working on pronto:

A wish list for a data privacy specification

  • Make it clear who owns the data generated by the device (ideally the consumer).
  • List exactly what data is being collected and for what use.
  • Give users the option to opt out of any or all data collection.
  • Clearly identify what functions you lose based on those choices.
  • Outline expiration dates for the retention of data.
  • Provide tools for verifying that the company is complying with its stated policies.
  • Identify any data the company aggregates to “improve its products and service.” 
  • Make it clear whether this data is depersonalized.
  • Identify what data, if any, the company is selling to third parties or sharing with third parties (including its own services).
  • Allow for the easy download, transfer, and deletion of any data.

While data privacy grabs fewer headlines in the smart home space than vulnerabilities in connected cameras or malfunctioning smart ovens, it’s far more important. Multiple small data points from our homes can create a much clearer picture of our daily lives than any video stream. That data, misused or finding its way into the wrong hands, could have significantly worse outcomes.