Smart devices and your privacy
Revised: August 2020
A vulnerability in your fitness tracker can reveal your fitness profile and location. Your TV knows you’ve been binge watching old episodes of Friends. Your smart toaster could be co-opted to participate in a cyberattack.
Simple steps such as checking how your personal information will be used and shared and turning off Internet-connected devices when you don’t need them can help reduce privacy risks.
More and more everyday objects are connected through the Internet and the number and type are increasing rapidly. Some examples include:
- security systems
- digital assistants
- connected toys
- digital health technologies
These devices make up the Internet of Things (IoT). In general, the IoT is the networking of physical objects, allowing them to connect through the Internet and share data. These connected devices can function independently without requiring human intervention or decisions. Many also work alongside your smartphone, computer or tablet, allowing you to access IoT device-related data and control your device.
Increased connectivity offers benefits, such as tracking your fitness progress or monitoring your home’s security when you are away. Digital health technologies, such as glucose monitors or devices that deliver medication, can help you better manage chronic health conditions. However, they can also create risks for your privacy.
As the IoT grows, your daily activities and behaviours are increasingly being tracked, measured and analyzed. This raises questions such as:
- Who will be able to see your information?
- How will your information be used?
- What can you do to control how your personal information is used and shared?
Read on to learn the basics of protecting your privacy while benefitting from Internet-connected devices and identifying those IoT devices where the privacy risks may outweigh the device’s benefits.
Get in the habit of reading privacy information
Before you purchase a smart device or download a companion app, learn about what personal information is collected and the privacy controls offered. If you’re not comfortable with how a product or service handles personal information, don’t use it. Some questions to ask before making a purchase:
- What personal information is being collected?
- Does this make sense in light of the service being offered?
- Is it shared with third parties? Are you comfortable with this?
- How long is personal data retained?
- Can you delete information held about you?
Does the device manufacturer state that it follows any security or privacy standards? A number of organizations have developed industry standards, including the:
- ISO (International Standards Organization)
- NIST (National Institute of Standards and Technology)
- OTA (Online Trust Alliance)
Does the manufacturer state that it will provide security updates in the future if required? If the device and app (if applicable) can’t be updated, the device may present a security threat in the future.
Take control of your personal information
Collection and storage
- Check whether it is possible to not provide some information and still use the product as intended
- If you don’t think you should have to provide certain information, say no or ask why it is being requested
- Only activate the functions you actually need or want
- Take advantage of mute buttons or software toggles that serve as “do not collect” switches
- Limit the ability of your device to track your location—make sure that location tracking (GPS) functions are not running as background apps unless required to do so
- GPS is not the only way you can be tracked; Wi-Fi and Bluetooth also have technology that tracks your location
- Set your device to turn off Wi-Fi and Bluetooth when you aren’t using them
- Make sure that audio recording functions are not running as background apps
- Avoid devices that have “always on” microphones so that audio recording will be off unless you are actively using the app or device
- Favour products that clearly indicate when information is being collected, for example devices with lights or sounds that tell you when the device is recording
- Delete data on the device and delete your account when you don’t need it anymore
- You may be uncomfortable sharing your personal information with third parties for reasons unrelated to using the device (advertising, for example)
- You should be able to tell the device manufacturer that you don’t want your information used for those purposes and still use the service
- Deactivate automatic sharing of information with social media
- You may even want to shut down the connection between your device and your social media accounts entirely
- Turn off Wi-Fi and Bluetooth when not using them
- If you have friends visiting, advise them in advance if conversations will or may be recorded, or better yet, turn off your device
See our tips on using privacy settings for home digital assistants for more information.
Take care of security
The security of IoT devices and the networks they connect to is very important. You need to be vigilant about security for all smart devices, even more so when the objects have access to sensitive data, such as health information or data about your children. If you don’t have a lot of technical expertise and want to create a “smart home” with many such devices, hire a technical security expert to help you set up a secure network.
Secure the device
- Change the default password on the device, if there is one, as default passwords are often widely known and easily accessed by hackers
- Make sure your passwords are strong and don’t re-use the same password across multiple devices or services
- If the device doesn’t have a password, then add one if possible
- If not, create a separate network for it
- Change default user names and PINs, whenever possible
- See if the device has an option to disconnect and become a “dumb” device, in case a security threat that cannot be guarded against presents itself down the road
For further guidance, see our Tips for creating and managing passwords.
Secure the online account/app (if applicable)
To set up and manage your device, you may need to create an account on an online service, such as one offered by the manufacturer or a service provider. If you set up an online account, use a unique password, only share information you are required to share and delete it if you no longer need it.
- During registration, provide only the minimum information necessary: use a pseudonym instead of your real name and never provide your real birthday
- Make sure that you use a strong password for the account, as well as for the device itself, and use different passwords for each
- Some products allow you to access or control them when you are away from your home’s Wi-Fi network, to view security camera footage, for example
- If you don’t need to use this feature, check if you can disable it
- Make sure that you can only pair the device by pushing a button on the actual device or entering a password to prevent others from accessing it
- Also secure the phone from which you access the online account with a strong password
Secure the network
A network is only as secure as its weakest link. IoT devices can be challenging to set up in a secure way. This is where a security expert can help you the most.
- Is your router secure? A secure router is essential to the security of your home’s network
- If you’ve installed a device in your home and connected it to your network, your router’s settings might expose it to the internet, making it visible to other online users
- These users could include hackers who may use it to access your network and the information stored there
- To reduce the impact if you are hacked, don’t connect everything in one network
- At minimum, create a guest Wi-Fi network just for IoT devices to keep them separate from your computers and other more secure devices
- Don’t use personal information when naming your Wi-Fi network (such as Julie’s network)
- Also, avoid using default names established by the manufacturers (such as TP-link-628B, Dlink-M24), since these naming conventions can be particularly valuable to cybercriminals
- Ensure the network is password protected — and choose WPA2 when prompted
- Check to make sure the device does not expose a network access point
- It will show up in the list of Wi-Fi devices available to connect to if it does
- Review the list of access points with the device off and then review again after turning it on. If a new access point appears, it is likely the device
- This can give anyone in range of the device access to your network (known as a pivot)
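The off/on comparison of access points described above can be scripted. The following is an added example, not part of the original guidance: it assumes a Linux computer with NetworkManager, and the scan text, network names and function names are constructed for illustration.

```python
# Constructed sample output of:
#   nmcli -t -f SSID,BSSID,SECURITY device wifi list
# captured once with the new device off and once with it on. Terse mode
# separates fields with ':' and escapes literal ':' and '\' with a backslash.
SCAN_DEVICE_OFF = r"""
HomeNet:AA\:BB\:CC\:00\:00\:01:WPA2
HomeNet-IoT:AA\:BB\:CC\:00\:00\:02:WPA2
Neighbour\: 2.4GHz:DE\:AD\:BE\:00\:00\:03:WPA2
"""
SCAN_DEVICE_ON = SCAN_DEVICE_OFF + r"""
SmartPlug-Setup:12\:34\:56\:00\:00\:04:
"""

def split_terse(line):
    """Split one terse-mode line on unescaped colons and undo the escaping."""
    fields, cur, i = [], [], 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and i + 1 < len(line):
            cur.append(line[i + 1])  # keep the escaped character literally
            i += 2
        elif ch == ":":
            fields.append("".join(cur))
            cur = []
            i += 1
        else:
            cur.append(ch)
            i += 1
    fields.append("".join(cur))
    return fields

def parse_scan(text):
    """Return {BSSID: (SSID, security)} for every well-formed scan line."""
    aps = {}
    for line in text.strip().splitlines():
        fields = split_terse(line)
        if len(fields) == 3:
            ssid, bssid, security = fields
            aps[bssid.upper()] = (ssid, security)
    return aps

def new_access_points(before, after):
    """List access points seen only in the second scan, flagging open ones."""
    return [{"ssid": after[b][0], "bssid": b, "open": after[b][1] in ("", "--")}
            for b in sorted(set(after) - set(before))]

if __name__ == "__main__":
    for ap in new_access_points(parse_scan(SCAN_DEVICE_OFF), parse_scan(SCAN_DEVICE_ON)):
        print(ap)
```

Nearby networks appear and disappear between scans, so repeat the comparison before concluding that a new entry belongs to the device.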
Security isn’t a one-time affair
- Manufacturers update the firmware (a type of software that controls your device) for smart home devices often
- Either check for these updates regularly or set the device to update automatically, since doing so keeps your device current with the latest security settings
- Usually you will be prompted when a new update is ready to install via a pop-up message, from the app’s settings menu or the device itself
- Sometimes, automatic updates are not available, or you need to install an update manually
- Make sure you have a backup of your data and/or configuration settings so that updating the device software does not overwrite the data or settings
- Ensure the apps you use with your device are up-to-date and secure—you can usually update apps by using the app store from where you installed them
- Before getting rid of an IoT device, erase your personal information by resetting to factory defaults or destroy the device if it has access to your network or has stored account information
For more information, see our Privacy guidance for manufacturers of Internet of Things devices. You can also read our research paper, The Internet of Things: An introduction to privacy issues with a focus on the retail and home environments.