Smart Lock Vendors Under Fire For Collecting Too Much Private Data

Like most internet of broken things products, we've noted how "smart" door locks often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.

One such vendor, Latch, has increasingly had its products used by landlords eager to simply access to their properties and sell the technology as an advantage. That hasn't gone over all that well in New York City, where some residents have sued their landlords over the use of the locks, which many residents found cumbersome and difficult to use. Latch at the time reached out to us to note this shouldn't be a major obstacle, since users have the option of a smartphone app, a door code, and a physical key card to access their properties.

But there's another issue that has popped up regarding these products: the amount of data they're collecting and doling out to property managers. Privacy experts, for example, say the company's terms of service are overly broad, allowing the sharing of too much data with valued partners and landlords:

"Smart locks can be a great convenience and even privacy-enhancing for residents by allowing them to change codes when they wish or to allow one-time entry by a service provider, but they need strict privacy design and information governance to ensure they don't cause more harm than good," Jules Polonetsky, CEO of the Future of Privacy Forum, a nonprofit advocating for principled data practices in support of emerging technologies, tells OneZero. "[Latch's] privacy policy allows some uses I would urge them to reconsider."

Latch says it's currently reviewing its privacy practices and revising its privacy policy "to remove any possible ambiguity and to make our strong record of privacy protection crystal clear." The problem, of course, is that with few privacy guidelines in the States, there's not much really ensuring that companies are following through on their promises. The FTC can take action against unfair and deceptive statements under the FTC ACT, but such efforts take years to materialize and usually result in little more than a wrist slap. Lawsuits similarly result in a lot of sound and fury, but may take years to result in any substantive action.

This is an issue that has come up increasingly in the realm of smart electricity meters, which can provide utilities with an unprecedented amount of detail regarding your daily habits, ranging from which appliances you most frequently use, how long you're home, and when you're not. The EFF has argued that this data should be protected by the Fouth Amendment, given 65 million of the devices have been installed in the United States over the last few years -- 57 million of them in consumer homes.

It's again a good example of how while everybody fixates on Facebook's (admittedly terrible) privacy practices, it's just one small part of a much larger problem that will soon go from bad to absurd. With your cell carrier, ISP, smart locks, electrical utility, and every IOT device in your home collecting data on every single move you make, it's not hard to envision a future where every step you take is monitored and monetized (and often poorly secured), with little serious recourse for consumer rights. It's a problem that's still not taken particularly seriously, despite the threat of looming privacy legislation perched just over the horizon.