Ever get the feeling you’re being watched? You might be right…
A new investigation by consumer group Which? has found evidence of excessive smart device surveillance — from air fryers demanding permission to listen in on conversations and sharing data with TikTok, to TVs wanting to know users’ exact locations at all times.
Via a ranking across four categories, Which? gave products privacy scores on things like consent and data access. Researchers found data collection often went well beyond what was necessary for the functionality of the product, suggesting that, in some cases, data could be shared with third parties for marketing purposes.
In the air fryer category, as well as knowing customers’ precise location, all three products investigated wanted permission to record audio on the user’s phone, for no specified reason, Which? found.
The Xiaomi (1810.HK) app linked to its air fryer connected to trackers from Facebook (META), Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (0700.HK), depending on the location of the user.
The Aigostar air fryer wanted to know gender and date of birth when setting up an owner account, again for no clear reason, but this was optional. The Aigostar and Xiaomi fryers both sent people’s personal data to servers in China, although this was flagged in the privacy notice.
Xiaomi said that respecting user privacy has always been in its core values. It said that it adheres to all UK data protection laws, and “we do not sell any personal information to third parties”, adding that its air fryer does not use the record function as it doesn’t operate through voice commands.
Aigostar didn’t respond to a request for comment.
The Huawei Ultimate smartwatch requires privacy consent to work properly. It requested nine “risky” phone permissions, Which? found.
Here, “risky” means giving invasive access to parts of someone’s phone. These included precise location, the ability to record audio, access to stored files or an ability to see all other apps installed.
The company said all had a justified need. Huawei also said that no user data is used for marketing or advertising purposes. Which? found some trackers active on the Huawei watch, but Huawei said they are active only in certain regions.
Best-selling Kuzil and WeurGhy smartwatches were found to be essentially the same product. This is a common problem on marketplaces where little-known brands sell near-identical white-label goods.
Both required consent to work. If consent is declined, the product will only operate as a watch, without the accompanying smart features. There was none of the legally required information on how long the smartwatches would be supported with security updates. However, neither watch appeared to use any trackers.
Among smart TVs, the Hisense (0921.HK) and Samsung products Which? tested required a postcode at setup, though both brands said customers can use a partial postcode and that it was only used for some content localisation features. Samsung (005930.KS) claimed supplying a postcode was not mandatory, but Which? found it appeared mandatory in its tests.
The LG set asked for a postcode, but providing it was not mandatory. Samsung’s TV app requested eight risky phone permissions, including being able to see all the other apps on the phone. The Hisense did not connect to any trackers that researchers could detect, but Samsung and LG linked to a number of them, including Facebook and Google (GOOG).
Hisense said it is compliant “with all UK data privacy laws and only capture the postcodes of our customers to enable them to receive regional specific content, enhancing their user experience. If users are concerned, then many of our TVs will accept a partial postcode.”
Samsung also said it employs “industry-standard security safeguards and practices to ensure that the data are secured.”
The analysis of smart speakers found that the Bose Home Portable speaker and app take the fewest upfront phone permissions of all the products on test, but are stuffed with trackers, including Facebook, Google and digital marketing firm Urbanairship. The Bose speaker also fared poorly on how it secured customer consent for data tracking.
By contrast, Amazon (AMZN) Echo gives useful options to skip various requests to share data. Consumers need an Amazon or Google account to use the Echo Pop or Nest Mini, respectively. They use trackers that Which?’s researchers expected to see, mostly their own; however, users cannot selectively opt out.
“We design our products to protect our customers’ privacy and security and to put them in control of their experience,” Amazon said.
All of the devices on test wanted to know users’ precise locations.
Which?’s research highlights how manufacturers are currently able to collect excessive data from consumers, often with little transparency about what it will be used for.
The ICO is due to publish new guidance for smart product manufacturers in Spring 2025. This guidance must include really clear advice on how consumers’ data can be used and the transparency required of businesses.
Care about what you share: Some data collection is optional during setup, and that means you can opt out (although potentially with consequences in terms of functionality). Only share what you are comfortable with.
Check permissions: On iOS and Android, you can review permission requests before downloading an app, and check what each app has access to in your settings.
Deny access: Also in your phone settings, you can potentially deny or limit access to data such as location, contacts, and so on, although that might stop or limit aspects of the app.
Delete recordings: Using the Alexa and Google Assistant settings, you can set your voice recordings to be deleted automatically after a period of time rather than stored.
Read the privacy notice: Do at least browse the policy, particularly the data collection sections. You have the right to object to a company processing your data.