Years ago, my wife and I discovered our shared love for all things IoT. While she has pursued this passion through Smart Cities, I had not spent much time in this field in during the last few years. That’s been changing lately, and I wanted to share my journey so far.
The easy onboarding
Like most people, we started with devices and services that provided a quick and easy integration experience. We were using known vendors, and that made it simple to set everything up. The vendors handle most of the challenging parts, letting us enjoy the convenience of connected devices.
We started with an Amazon Echo Dot in our kitchen. As a bilingual family, we noticed the Echo favored one language and user profile, which made it less practical for our needs. Around that time, Amazon announced Amazon Sidewalk; our devices were now providing network connectivity to other Amazon devices within range of them. Since you can be held liable for the traffic on your networks, that raised immediate concerns. Worse still, Amazon admitted that they were gathering, sharing, and using data from some of their devices (like Ring) without consent. We quickly moved on. In 2023, Mozilla rated multiple Amazon products (including the Echo Dot and Fire Stick) as “Privacy Not Included”. I’m confident we made the right call!
After our disappointing experience with Amazon, we decided to explore alternative solutions. We switched to Google Home, which was a huge leap forward in quality. It understood multiple languages, was personalized to each member of the family, and it had broad compatibility with other devices. Over the last year, however, it began to misinterpret certain commands. For instance, saying “turn off living room” sometimes resulted in the dining room lights turning on. My wife also noticed that many of our conversations seemed to result in ads for related products. I can’t dismiss that concern. Google’s current data privacy policy is quite broad, so there’s a lot they can do with the data they collect and share. In fact, their Nest help document contains this tidbit:
Your device interactions via the Google Assistant or other Google services (such as YouTube) may be used to personalize your Google experiences, including to show you relevant ads. For example, the text of your voice interactions with the Google Assistant can inform your interests for ad personalization … When you use our connected home devices and services, we keep your audio recordings separate from advertising and don’t use them for ad personalization, but when you interact with your Assistant by voice, we may use the text of those interactions to inform your interests for ad personalization.
It’s not as if their recent settlements haven’t raised any red flags about how they gather and use the data. In fact, Mozilla has recently been forced to rate their Nest Hub as “Privacy Not Included”.
We also noticed that our Nest WiFi (which provides a really strong network throughout the house) seemed to have very limited configurability. It was largely self-configuring, so it chooses the WiFi channels and bands to use. Several core features (such as IPv6) never worked properly. Then they announced the early versions of the devices would be moving into end-of-life. At that time, they will no longer allow access to any settings, forcing users to upgrade. The simplicity of the Google Home experience was starting to feel like a Faustian bargain.
At the same time, Google wasn’t the only ones using our data. The smart plugs we use were continuously sending information to Tuya’s data centers. Like many businesses, they reserve the right to use the data for a variety of purposes. Our GE Lighting (Savant) Cync lights are also sending data to the cloud. The more we looked, the more data we saw being sent to third parties.
In short, the smarter our home was becoming, the more data it was funneling to other companies for their benefit!
Change is in the air
We decided it was time for a change. Using a Raspberry Pi, I began exploring Home Assistant. If you’re not familiar with it, HA is an open-source home automation platform that focuses on privacy and local control. While it can be integrated with all of the various vendors we had been using, it also supports a wide variety of devices and services that don’t require cloud connectivity or control. It doesn’t require a subscription to use it, and it can provide a way to use many of the “smart” features of the devices on my local network.
This motivated me to dive deeper into how my devices operate and what data they share. For example, my Tuya smart plugs have support for local connectivity. Instead of the commands being sent to Tuya’s servers, they can be sent directly to the device using a defined protocol. By using the LocalTuya integration in Home Assistant, our smart plugs are now controlled locally, eliminating the need to communicate with Tuya’s servers unless we opt into their cloud services.
The GE Cync lights, however, were designed solely for cloud control, and efforts to make them work locally remain unsupported. Savant (the owner of GE Lighting) has not provided any support for local control. In fact, they have a privacy policy that gives them quite a few rights to use the data they collect.
Next, we examined the thermostat. We had high hopes for the ecobee given the company’s history of supporting local control and privacy. They have even resisted attempts from Amazon to share user data without consent. Their newer devices are designed for cloud access. In fact, they try to push you to register and use their application to get access to the installation instructions (although there is a PDF available on their site). They advertise an open API, but they are no longer allowing anyone to register for access. As a result, Mozilla gives it a thumbs-sidewise mixed review for privacy. I’m still trying to understand how well it works if I restrict its network access.
Revising our goals
Going forward, we decided that any new products we install in our home need to meet a few basic requirements:
- Connectivity based on published, open standards. We want to minimize proprietary protocols and APIs so we know what data is being shared.
- Supports local control. While we may opt-in to cloud functionality and services, we don’t want to be forced to do that.
- Can integrate with our home automation solution. We may still use some products with Apple or Google, but that should be our choice.
- A clear privacy policy for any cloud services they provide, and it should not allow for data sharing without consent.
- For audio/video devices, prefer local storage. Again, any cloud usage should be at our discretion. It should also not provide an open license for the vendor to use or share the data without consent. Too many vendors are using the data for training their models, providing access to personal data, or selling the data to third parties.
We started to explore our options to replace or upgrade some of the systems in our home. We have found several devices that meet our criteria. We even discovered that it’s possible to retrofit some existing devices (such as home alarm systems) to enable local monitoring and configuration. I’ll provide more details in a future post.