New Bill Would Force Hardware Makers To Disclose Hidden Mics, Cameras
from the watching-you-watching-me dept
Back in February, you might recall that Google took some heat from owners of their Nest home security platform, after they suddenly discovered that the Nest Secure home security base station contained a hidden microphone the company had never publicly disclosed. The reveal came via a Google announcement sent to Nest customers informing them the hidden mic would soon be turned on, allowing the integration of Google Assistant on the platform. Given tech's shaky history on privacy, some folks were understandably not amused:
This is not “messing up.” This is deliberately misleading and lying to your customers about your product. https://t.co/FZcf55L1bU
— Eva (@evacide) February 21, 2019
While Google ultimately admitted the "error" and updated its hardware spec sheet, the episode did a nice job illustrating the fact that whether we're talking about products getting better or worse, you don't really own the products you buy, and your agreement with the manufacturer in the firmware-update era can pivot on a dime, often with far less disclosure than we saw here, or none whatsoever. When it comes to privacy (especially given the flimsy security in many IOT devices), that's kind of an important conversation to be having.
Likely responding to the resulting fracas, Senator Cory Gardner has introduced the Protecting Privacy in our Homes Act, which would require tech companies to include a label on products disclosing the presence of recording devices. Gardner's been trying to shore up the internet of broken things for a few years now, though the efforts usually stall in process, and his IOT Cybersecurity Act, introduced last spring, has struggled to gain much traction in a distracted and well-lobbied Congress. Says Gardner of this latest effort:
"Consumers face a number of challenges when it comes to their privacy, but they shouldn’t have a challenge figuring out if a device they buy has a camera or microphone embedded into it. This legislation is about consumer information, consumer empowerment, and making sure we’re doing everything we can to protect consumer privacy."
Outside of legislation, there's not a whole lot being done to ensure the millions of devices we've connected to the internet annually have reasonable security and privacy safeguards in general. Like so many issues, the IOT industry doesn't much care -- they're on to selling the next greatest thing and have little interest in retroactive security and privacy updates. Consumers often don't care -- in part because they're completely clueless to the scope of the problem (especially if functionality is hidden). And lobbying ensures government usually doesn't much care either.
That has left much of the problem in the laps of consumer groups, researchers, and activists, though many of these efforts (like Consumer Reports' quest to shame companies for bad security and privacy practices in product reviews) can only accomplish so much without industry and government's help. Ultimately this just means we're going to see a lot more hacking, privacy violations, and related scandals (and even potentially tragedies) before we start taking the problem of IOT privacy, security, and transparency seriously.
Filed Under: assistant, cameras, cory gardner, hidden microphones, iot, microphones, privacy
Companies: google
Reader Comments
This time you DO mention GOOGLE because can't avoid it.
Just gives you opportunity to NOT mention others, such as AMAZON, which should be unavoidable on this topic. -- And of course the key aspect is corporatism and surveillance capitalism, which you're for.
So, passive whimpering is YOUR "ultimate". Just wait for DOOM to be delivered by corporate actors. No action, not even protest. -- And I think I'm a pessimist!
This is just another story you run long after everyone else, and not at all excited, just state "resign yourself to more of same".
Don't ever dare call yourselves "activists", Techdirt!
[ link to this | view in chronology ]
Re: This time you DO mention GOOGLE because can't avoid it.
I'm curious if there was anything Techdirt could possibly write that you wouldn't attack and pretend supports your strawman version of what Techdirt believes? You complain for years that they don't ever attack Google (despite them constantly doing so) and then you mock them for getting to the story and not mentioning Amazon (a company Techdirt regularly complains about). You insist that they support corporatism, despite them regularly calling out bad behavior by big companies (and ignoring that you regularly support "corporatism" in the form of abusive copyright laws that allow big companies to censor free speech by abusing the law).
So, honestly, what would Techdirt write that would have you agree with them?
[ link to this | view in chronology ]
Re: Re: This time you DO mention GOOGLE because can't avoid it.
"We apologize for our stance as Big Tech shills all those years and are closing down this partisan website today."
:D
Then again, he might be able to rant about this too.
[ link to this | view in chronology ]
Re: This time the truth will set you free
Why can’t you just admit you lied when you said you'd never darken our doorstep again bro?
[ link to this | view in chronology ]
Re: This time you invoke Common Law
Don't ever dare call yourselves "activists"
Please go back to your "Common Law Court" where you can enjoy your "Midwest" values Blue Balls. All you care about is your racist agenda.
https://www.splcenter.org/fighting-hate/intelligence-report/1998/hate-group-expert-daniel-levitas-discusses-posse-comitatus-christian-identity-movement-and
[ link to this | view in chronology ]
They aren't perfect, but I think food nutrition labeling requirements are a good model to start with on this front.
Standardized fonts, colors, and sizes in a conspicuous place on the exterior packaging that state clearly whether there are cameras, microphones, and wifi or other antennas. You could even add in some (audited) power consumption stats for operating and standby modes while we're there.
[ link to this | view in chronology ]
Re:
It would also be nice to disclose if a piece of hardware requires the ability to connect to an online server to function as advertised on the box. This goes for things like computers as much as for doorbells and thermostats.
[ link to this | view in chronology ]
Re:
WARNING: This product was produced in a facility that contains terrible software.
[ link to this | view in chronology ]
I'm not saying it's a bad idea but I would bet that consumers could just class-action, or if there's an arbitration clause, petition to get a fraud prosecution launched against the retailer/manufacturer that did it already.
[ link to this | view in chronology ]
Re:
It is Appalling that this legislation wasn't put on the books decades ago.
[ link to this | view in chronology ]
Another on the list of 'Solutions that shouldn't be needed.'
The fact that a law like this is actually needed is just all sorts of messed up, and I would hope that it will sail clean through as a result. People should not have to wonder if a particular device has a mic and/or camera on it, that should be presented up-front and told to them well before purchase so they can make an informed decision on whether or not they want it in their house/on their body.
[ link to this | view in chronology ]
All I'm going to say about this,
is the technology to discover hidden microphones and cameras is stupidly simple. Simple to the point that you'll never be able to design a camera or microphone that can't be detected. Easily. It's a few-second to 10-second affair with some very common and cheap (comparatively) scientific/industrial devices/instruments. Things most builder/maker type folks probably already have.
[ link to this | view in chronology ]
Re: All I'm going to say about this,
do continue
[ link to this | view in chronology ]
Re: All I'm going to say about this,
That might not work as long as the microphone or camera is left inactive.
Like for a few years, until they sold enough of their spy devices and decide it's finally time to turn them on.
[ link to this | view in chronology ]
Re: Re: All I'm going to say about this,
Most of them employ motion detection. So... you set up a simple emissions detection circuit in... anything. Then leave, and come back, and check the logs. Boom, you'll know if you are bugged immediately. You'll detect the emission from the bug.
[ link to this | view in chronology ]
Re: Re: Re: All I'm going to say about this,
The example in the article is different. The microphone was left inactive. Not waiting for a trigger (motion, schedule) but for a full firmware update. The microphone was not recording nor transmitting anything for years.
So you buy your product, test it, nothing is found short of actually opening the device to physically look for a microphone.
Then, a year later, firmware update and "Boom", you're spied on unknowingly... unless you regularly test all your devices just for this kind of case.
[ link to this | view in chronology ]
Re: Re: Re: Re: All I'm going to say about this,
So, you can always win. You always have the upper hand. All you have to do is suspect a bug, and it's over for them if you really think about it. The only option a would-be bugger has is trying to hide your signal in other loud noise. But even then, a dedicated person is going to be able to weed you out.
[ link to this | view in chronology ]
Re: Re: All I'm going to say about this,
It's a null logic thing. Finding something talkative, that talks with conditions that it can not avoid, is ridiculously easy to find. The kind of technology necessary to avoid detection simply does not exist with our science. It would have to be able to draw energy without being detected, use energy without being detected, transmit data with sufficient strength to penetrate walls, meaning it's going to be on very defined frequencies out of sheer necessity. Even if ALIENS with superior technology were bugging you, they'd not be able to get around the fact that only certain very defined frequencies would need to be used to transmit, and they'd have NO WAY AT ALL to stop you from looking for those transmissions.
When you really think about the situation, logically, it's crazy easy to detect bugs if you suspect them. It's all exploiting the necessary design features they need in order to function at all.
[ link to this | view in chronology ]
Re: All I'm going to say about this,
Not so much now that we know all kinds of things that aren't cameras and microphones per se can be used as them. An accelerometer has been used as a microphone, a wifi chip as a camera, in recent research papers. Speakers worked as microphones decades ago.
[ link to this | view in chronology ]
Re: Re: All I'm going to say about this,
I'd like to see the reference to the wifi chip as a camera. The accelerometer as a microphone is not hard to imagine, though.
[ link to this | view in chronology ]
Re: Re: Re: All I'm going to say about this,
Wi-Vi: See Through Walls with Wi-Fi Signals (Adib; Katabi — 2013)
(Presumably, more recent wifi chips with more directional antennae will make this easier.)
[ link to this | view in chronology ]
Re: Re: Re: Re: All I'm going to say about this,
Thanks for the link. However, I think calling that a camera is stretching it quite a bit. If you look at the "Evaluations" section, there are screenshots of the type of signals one sees. "Motion Sensor" might be a better description even if it can do a little better than just detect motion.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: All I'm going to say about this,
On the other hand, it can see through walls—unlike an actual camera—and that's from 6 years ago. It's a stretch much as the accelerometer as microphone (its audio quality was not good), but these attacks do tend to get stronger over time. The first cameras were bad too.
[ link to this | view in chronology ]
Re: Re: Re: Re: Re: Re: All I'm going to say about this,
IR cameras, among others, can see through a lot of walls.
[ link to this | view in chronology ]
Re: All I'm going to say about this,
My favorite cheap bug detector: a spark gap emitter along with a channel hopping fm receiver circuit. You can build something yourself crazy cheap with a TDA7000, or just get a cheap multi frequency scanner. You'll hear an echo after your sparkgap. Even if it's (common now) encrypted radio from the bug to the endpoint, you'll see/hear the "hop". More importantly, you can set any modern chip to stop on signal in the noise. Typically modern hidden transmitters have channel hopping, and you can find it hopping channels if you are looking for that pop. It's not going to hop channels so fast that you can't hear a few before it does. The fun thing is, once you've found the 3 or 4 channels it hops between, you can identify the type of bug. It's like a fingerprint.
[ link to this | view in chronology ]
Re: All I'm going to say about this,
Those techniques are not so useful for Internet connected devices, which you will expect to be sending packets over your WiFi.
[ link to this | view in chronology ]
So how about someone introducing a bill that gives people back the right that the stupid courts took away, that when you buy something, paying out good, honest, hard-earned cash, you actually DO own whatever the 'it' is? The judge(s) who took that right away must have been paid one hell of a lot!
[ link to this | view in chronology ]
Great, but will it come with a government spying label?
What about the massive amount of data mining and spying from government entities like the ones revealed by Wikileaks? I don't think the government will pass any laws that will stop their own activities.
[ link to this | view in chronology ]
Whatever happened to the criminal code regarding the clandestine recording of sound and/or video on private property and without the private party's knowledge or consent?
I suppose the EULA/TOS that you unknowingly "agree" to at purchase covers this thoroughly. As always, buyer beware.
[ link to this | view in chronology ]
Cops are head crackers not thinkers.
Why would anyone believe that cops have any intelligence is beyond me.
[ link to this | view in chronology ]
I just refuse to buy any hardware from Google. They're going to spy on me any and all ways. So if I get a NEST, they know what Temp I like. It senses movement so they know when someone is walking by it and are home. The same goes with their Alarm. The Mic, Not a fan at all, but now they know when you are coming and going. Add this stuff to your Android phone and Google services that you use, and now they know you better than you know yourself. No thanks!!!
[ link to this | view in chronology ]
PP in our Homes Act
That's taking it from spying to flashing, isn't it?
[ link to this | view in chronology ]
Here is a technologically lowbrow solution here. It's known as wire cutters (or a soldering iron). A barely more advanced solution involves a really old device called a "switch." Get acquainted with technology or technology will get acquainted with you.
[ link to this | view in chronology ]
Re:
It's hard to cut the wires or desolder the connection if you don't know the mic is even there.
[ link to this | view in chronology ]
Re: Re:
Start practicing hardware and software hacking. Own your property.
[ link to this | view in chronology ]
Re: Re:
<headscratch> Uh, okay, I left out "screwdriver" that would have suggested opening up the device, should one be required.
[ link to this | view in chronology ]
Can someone please help me understand this situation better, because I'm a bit lost.
Nest was independent before they were bought by Google, correct? Were the microphones in the thermostats then?
I'm not defending Google for not knowing, but I sure would like to know when the microphones were introduced.
[ link to this | view in chronology ]
Re:
I'm assuming they were added by Google for integration into their Google Home ecosystem.
[ link to this | view in chronology ]