The unintended consequences of convenient smart home technology
June 26, 2018 12:14 PM

Domestic abusers are using the likes of internet-connected thermostats, doorbells, speakers, lights, and other smart home devices to establish their power or harass their partners. One woman alleged that her air conditioning turned off without her controlling it, another woman alleged her front door lock code frequently changed, and another alleged that her doorbell repeatedly rang when no one was there. One woman told the New York Times that she resorted to pulling her smart thermostat out of the wall.

In 2014, NPR investigated spyware, and spoke with domestic violence counselors and survivors around the country. It found that cyberstalking is now a standard part of domestic abuse in the U.S.

In 2015, an Australian organization called SmartSafe published research on Women's Technology Safety, a study that surveyed domestic violence sector workers. It found that 98% of them had had clients who had experienced technology-facilitated stalking and abuse.
posted by hepta (76 comments total) 39 users marked this as a favorite
 
Another issue is abusers using technology that was explicitly designed to allow you to track, control, and block. This technology is generally marketed toward parents, but I wonder how large a percentage of customers is abusers using it against their adult partners.

Of course, this technology can be wielded against children in abusive or harmful ways as well.
posted by Kutsuwamushi at 12:24 PM on June 26, 2018 [18 favorites]


"Domestic Violence" is an eerily well-timed short story from Madeline Ashby about domestic abuse through smart home tech.
posted by figurant at 12:30 PM on June 26, 2018 [15 favorites]


What I see as nearly completely missing in the connected home world is the idea of multiple users clearly delineated. All connected devices should have multi-account setups so that each resident in the house can both interact with the device on their own terms and have their usage audited.

The closest I know of is the Echo, which supports multiple same-household users. I'm not sure how well it does, since my partner and I haven't merged Amazon households, but in theory it can.
posted by ChrisR at 12:38 PM on June 26, 2018 [2 favorites]


Every time I hear stories about how easy it is to hack things like smart houses and Alexas and what-not, I realize that frugality and luddite tendencies are probably protecting me these days. I tend to get the cheapest, most basic system there is available and then use it until it disintegrates; I'm still wheezing along with an original model iPad mini, for instance. I also think about how what saved the Galactica in the re-imagined Battlestar Galactica was that its computer system was too old, so it was passed over by the virus the Cylons released that took down most of the other ships in the fleet.

I wonder if an enterprising white-hat hacker could start doing volunteer work offering assessments of women's smartware systems. Something like: you make an appointment, and they come over and check out all your devices. If they detect that someone else has taken control of the account, they take it back and give you the sole ownership and password. The article says that victims' unfamiliarity with how the tech behind this works is part of what makes them vulnerable; someone offering to help them adjust some simple settings would be tremendously valuable, I'd bet.
posted by EmpressCallipygos at 12:46 PM on June 26, 2018 [40 favorites]


My family are definitely not luddites, generally we're reasonably close (as budget allows) to the cutting edge on what we own, and definitely on the cutting edge of awareness on the current capabilities of tech.

Smart Home devices are an immature technology that caught on well before it was ready. Devices with embedded malware that can't be updated, third/fourth/fifth-rate security setups, EULAs that basically have no privacy protection of end users, cloud services that shut down and effectively brick an expensive device.... no.

I'll keep my dumb thermostat, dumb lights, dumb TVs and dumb stereo systems, thank you very much.
posted by tclark at 1:05 PM on June 26, 2018 [39 favorites]


"Domestic Violence" is an eerily well-timed short story from Madeline Ashby about domestic abuse through smart home tech.

... and who could forget Demon Seed?
posted by ZenMasterThis at 1:08 PM on June 26, 2018 [4 favorites]


I cannot think of any good reason to have any of this shit in your home. I get that privacy is dead, but inviting google and amazon and apple into your house to monitor your every breath is a bridge too far for me. Domestic abusers can use it against you now, but eventually others will too. One day the AC in your house will be tuned to the temperature X company believes is more likely to make you buy or do Y.
posted by GoblinHoney at 1:10 PM on June 26, 2018 [10 favorites]


There is an AskMeFi question up right now about this exact kind of situation.

ChrisR has a good point. My colored lights are connected to one account: mine. Which was fine when it was just me here but now there's my boyfriend and he just kinda gets to live with my lighting decisions. There's no way to give him a separate account. This is something *all* account systems tend to struggle with to be honest - it's just so much *easier* to assume that only one person will ever want to connect to the thing.

We as a society really need to figure out how to make it easy to say things like "the person who hooked this dwelling or possession to the Internet is now on the outs with the person who owns it". But we also need to make it harder for someone to steal your stuff by lying about that. Which is where it starts to get complicated.
posted by egypturnash at 1:14 PM on June 26, 2018 [6 favorites]


I have a really hard time not reading comments (here and elsewhere) commenting that there's no point to having smart home technology as somewhat victim-blaming.

Most of the women mentioned in the NYT piece appear not to have chosen to use smart home devices, and just removing them from their houses that they share with their abusers strikes me as an ineffective and likely dangerous move to make.

I get that people here are just expressing their (100% reasonable) frustration with smart home devices and the poor privacy they afford, but I do think it's marginalizing the role that these devices play specifically in abusive relationships.

In particular, I would argue that, privacy concerns aside, if you, as a company, offer smart home devices or services and do not have a plan to at least attempt to prevent their use to abuse others, you are complicit in the abuses committed with your hardware and software.
posted by thegears at 1:17 PM on June 26, 2018 [39 favorites]


My criterion has been, and shall remain the following:

Is there a reason that this device needs to send/receive any information at all to function the way it is intended? If yes (house lights, etc), is there any reason that information cannot be sent on my local network to a PC/laptop/tablet that contains the settings, but must be sent out to the wider internet?

If I get a "no" to either of these questions, I don't get it. And virtually everything that gets a "yes" in the first question gets a "no" to the second.
posted by tclark at 1:20 PM on June 26, 2018 [9 favorites]


if you, as a company, offer smart home devices or services and do not have a plan to at least attempt to prevent their use to abuse others, you are complicit in the abuses committed with your hardware and software.

Most developers don't think about, or even really care about people using their systems for abuse. I probably don't need to make a list, everyone reading this comment could probably come up with 5 companies who embody this before they even get to the end of this sentence.
posted by tclark at 1:24 PM on June 26, 2018 [16 favorites]


We used to say that it's a tradeoff between convenience and security. But these days it's more accurate to say it's a battle between flashy bling and PUT EVERYTHING YOU OWN AND HOLD DEAR AT RISK. Bling is winning.

I'm a CS guy with decades of experience, i.e. I'm no luddite. But you will not find any "smart" Internet-connected devices in my house. They offer a tiny bit of convenience (so I can change the thermostat setting from work? That's... interesting, I guess?) but in return they will grab as much data about you as they can get away with. And that's without even considering the huge safety concerns in the article. Stay away from all smart devices; it is not in the interests of the device makers to multiply the cost by 10x to add the code to safeguard your rights.

I realize I'm screaming into the void but Doorbells do not need to be on The Internet!
posted by phliar at 1:28 PM on June 26, 2018 [59 favorites]


It's kind of an unintended consequence, but it's also (sadly) a directly foreseeable consequence of craptacular rush-to-market smart home (= surveillance technology) systems, built with sub-par code/security/privacy/hardware, lack of standardization, and marketed through venal business models that basically depend on hardware and software vendors using sensors and information architectures and algorithms to vacuum up your data so that it might be monetized in some unknown way in the future and thus generate 'value' for shareholders and VCs, etc., etc., etc.

These things are as leaky as a paper sieve. And then combine this with a complete lack of any understanding by the user of how IoT works, CYA'd/exploited by vendors with EULAs and clickthroughs, and it's a personal privacy disaster. And I am not blaming the user for that in any way. People are used to physical lock and key and walls and doors models. You know when your door is locked and who has a key. IoT/platforms are so radically different the vast majority of users have no reference point.

Grrr.
posted by carter at 1:30 PM on June 26, 2018 [5 favorites]


In particular, I would argue that, privacy concerns aside, if you, as a company, offer smart home devices or services and do not have a plan to at least attempt to prevent their use to abuse others, you are complicit in the abuses committed with your hardware and software.

Yes, agree 100%. What to do about it though? One possible avenue might be legislative frameworks - and hopefully not legislative frameworks designed by industry lobbyists.
posted by carter at 1:35 PM on June 26, 2018


"I have a really hard time not reading comments (here and elsewhere) commenting that there's no point to having smart home technology as somewhat victim-blaming.

Most of the women mentioned in the NYT piece appear not to have chosen to use smart home devices, and just removing them from their houses that they share with their abusers strikes me as an ineffective and likely dangerous move to make."

I understand your sentiment. I do not mean to diminish those for whom the technology is used for abuse or those who do not choose to have it in their homes. The domestic abuse angle is just another good reason to reject the technology and surveillance as a society. I think that's where the frustrations are really aimed with the anti-smarthome sentiment -- at businesses for creating and pushing the tech and at general people for embracing it with open arms. Businesses should have systems in place for these kinds of concerns, but they're a business and businesses never do what they should do, only what they have to. Legislating these things seems an even more far-fetched proposition, and realistically any such legislation would be deeply flawed and come tacked with a whole bunch of other nonsense, a lot of which would themselves be Major Problems. Ultimately the blame should be on the companies. Otherwise it becomes like the litter problem, businesses not only produce an ocean's worth of garbage constantly, but they hand it to us and then blame us for it. Companies and people already abuse the technology, that much is fact, but often it doesn't seem like there's another to do that isn't futile -- I think in that circumstance bemoaning the goobers who have been suckered in to the tech seems natural, though it is unproductive and negative.
posted by GoblinHoney at 1:35 PM on June 26, 2018 [3 favorites]


So... okay. I was in an abusive and completely crazy situation for awhile when I was quite young. I left when I was about 20. He continued to try to contact me for quite awhile after that, and it was scary, but eventually things settled down and I moved on. Probably five years later, I created an Amazon Wish List for... Christmas? A birthday? It was searchable by my name so my family could find it. Shortly thereafter, a box of stuff shows up at my door, unannounced. My ex has sent me a whole box of books. That I wanted. Because he could.

They didn't give up my address, so far as I know, they just let him send stuff to it. It was scary, but at the same time, it wasn't the fault of the technology. He was abusive and therefore whatever tools were available, he was going to use them. I'm still a little afraid of being on the internet under my real name, and I'm 37 and haven't heard from him since roughly that time. But I don't think it's inherently terrible that something like Twitter, if I use it under my real name, allows people to contact me who know my real name. I want that, sometimes! Just... sometimes I don't.

"Stop using these things" isn't exactly a valid solution to these problems, you know? They're out there and lots of people like them and are buying them and never using technology again is not a valid way for women to avoid abuse, even in cases where they do control what devices are in the home. We do need to expect that companies that provide these technologies provide ways to deal with abuse when possible, and make women aware that these things are possible and how to tell if this is happening to you and what to do if you discover it is. If the solution was avoiding stuff that people can use to abuse you, though, our lives would get very small, because that list is super long.
posted by Sequence at 1:39 PM on June 26, 2018 [46 favorites]


Just to clarify: my own "I'm glad I'm a luddite" comments were not intended as a bash against people who choose to go the SmartHome route, and I apologize if it came across that way. I intended it as more of a self-mock - "wow, I'm so technologically backward that it ended up being a good thing somehow, that's kinda weird."

I did mean it about how it'd be cool if someone started a volunteer "we will help you reclaim your home heating system password" service, though.
posted by EmpressCallipygos at 1:53 PM on June 26, 2018 [2 favorites]


It's not just home devices, either. A good many cars have a geofencing and/or tracking feature that's intended to permit parents to monitor and set limits on their children's use of the car. That, too, can become a weapon in the hands of an abuser.
posted by Lunaloon at 1:57 PM on June 26, 2018 [2 favorites]


I'm trying to think of how a smart-home system might be designed in such a way as to help DV victims, or at least reduce the harm they cause. Fundamentally you have the issue that you don't want random guests that might visit your house to be able to take control of these systems, which makes it difficult to design something where being physically present is automatically the way to backdoor a device into doing something that whoever configured it didn't intend. I could potentially see some sort of interaction with the device being able to phone-home a signal that could be used to summon help discreetly, but I suspect that in most cases what a DV victim would really want is a way to disable the systems without alerting their abuser to the fact that they're disabled. Or provide some mechanism of connecting them to an external support network that can help extricate them from the abuse. The really big problem I see is that an abuser might not have one overarching smart-home system; they'll have Alexa or whatever for one set of things, but the abuser will monitor interactions with Alexa via some home security system's cameras on some other system wholly unrelated to it, things like that.

A legal framework might help here, but given how difficult it is for DV cases to be heard let alone prosecuted already, I'm skeptical about just how helpful it would be.
posted by Aleyn at 2:03 PM on June 26, 2018


I wonder how hard it actually would be to detect evidence of this kind of malicious tampering and follow up with it if we as a society actually cared about enforcing limits on stalkers and abusers controlling their exes.

That doesn't necessarily help the problem of the sheer level of gaslighting these devices enable for partners who are currently experiencing abuse, but I'm fairly sure it would help a lot with the issues faced by people who leave.
posted by sciatrix at 2:12 PM on June 26, 2018 [8 favorites]


I cannot think of any good reason to have any of this shit in your home.

If you have any kind of physical disability, being able to use your phone or voice to change lights and heat etc is fantastic. Maybe you're nursing your baby and want the lights to go out but don't want to disturb the baby. You work a weird schedule and want to be able to set up the home to warm up when you come home at a different time every day.

I too am a luddite (also cheap) and avoid having anything connected to the internet except my phone, computer, and tv for netflix, but I can see where it's useful for people.
posted by jeather at 2:16 PM on June 26, 2018 [28 favorites]


The only smart device in the house is the roomba, and only because it was the one with SLAM.

Opt out of sending your floor plan to iRobot? Yes please...
posted by The Power Nap at 2:20 PM on June 26, 2018 [1 favorite]


I continue to stand by this timeline of developers' privacy thinking.
posted by hanov3r at 2:24 PM on June 26, 2018 [2 favorites]


There is a balance.

For example, I don't need to be able to change my thermostat from work. But... it really is nice to have the thermostat know I am coming home and start warming or cooling the house, so that it is the temperature I prefer when I arrive - without keeping it running all day OR dicking around with what is invariably a god-awful fiddly interface to program the damned thing. If I come home late, it kicks on in time for me to get home. If I come home early, it kicks on in time for me to get home. The rest of the time, it's on an energy saving mode. If I leave home for a week, it's on energy saving mode the whole time.

However. Thermostat is an older model with no audio interface or camera. If a new one includes these things, I'm not upgrading. I do not have an always-on listening device in the house. I do not have a "smart appliance". No "smart" bulbs or doorbell or locks or what have you. The convenience of the thermostat is enough for me to outweigh concerns over privacy. The remainder? Nope. Physical key works fine, physical doorbell (it's wireless, but physical) is fine, I am totally cool with actually touching light switches and the lights don't need to pulse along with the music or change color with my mood and the weather. TV, Blu-Ray player, etc. have "smart" features that will do Stuff when connected to the network... BUT I don't have them connected. I have the option NOT to connect them and still have them work. Like the thermostat, if the new version won't work unless it IS connected, I'm not buying.

Everyone has a line between "convenient" and "invasive". That's my line: If I can CHOOSE to connect it, maybe. If I HAVE to connect it, gtfo.
posted by caution live frogs at 2:31 PM on June 26, 2018 [4 favorites]


I dislike any category of solution that comes down to "don't use it". Others have addressed that better than I can, upthread, so I won't expand on why.

The right solution is a combination of social norms -- it should be visibly weird, creepy, and alarming if someone indicates that they can't get at settings in their home -- and development practices. The former requires every non-abusive person to do what I did yesterday on reading this (and should have done ages ago, but just kept not getting around to): Send my partner a complete rundown of every smart device in our home, and logins and passwords for each of them. The latter requires developers to assume more than one adult person will be interacting with their devices, and to build their account::device mapping systems to account for it.
posted by ChrisR at 2:37 PM on June 26, 2018 [3 favorites]


I'm a woman and I work as a network engineer and do a bunch of infosec stuff. Whenever possible, I actively point out that one of the failure scenarios to consider is "abusive stalker ex" when looking at things like, say, tracking what computers go where based on wifi system records.

But it's clear many/most companies in this sector aren't looking at this as a thing they need to worry about. And with it very easy for someone to install things into their household that are vulnerable to people messing with it by default, nevermind with a malicious actor having physical access to the device, it's unsurprising that this is happening to vulnerable and less-technically-savvy people (who tend to be women) in relationships.
posted by rmd1023 at 2:44 PM on June 26, 2018 [15 favorites]


I cannot think of any good reason to have any of this shit in your home. I get that privacy is dead, but inviting google and amazon and apple into your house to monitor your every breath is a bridge too far for me. Domestic abusers can use it against you now, but eventually others will too. One day the AC in your house will be tuned to the temperature X company believes is more likely to make you buy or do Y.

It has been pointed out in the past that much of the thoughtless products and services that Silicon Valley comes up with can be explained as solving problems for 20-something tech workers (generally single males) in the Bay Area and not, for example, literally anybody else in the world.
posted by Celsius1414 at 2:49 PM on June 26, 2018 [15 favorites]


If my abuser breaks down my door, is it the fault of the door for being flimsy or my abuser's for breaking it down?

No system will be perfect. And I am not saying that systems cannot be perfected, or that currently they are not awful with privacy and control. They are awful and they can be perfected and it's a conversation that's absolutely needed. But in the context of this FPP I think it's worth bearing very carefully in mind that the responsibility is not for the vulnerabilities to stop being there. Any vulnerabilities that exist will be abused for the sake of furthering abuse by abusers, no matter what the progress on privacy concerns. Does that mean it's pointless? No. It means that it's not just about the tech, it's about abusers.
posted by E. Whitehall at 2:53 PM on June 26, 2018 [2 favorites]


The closest I know of is the Echo, which supports multiple same-household users. I'm not sure how well it does,

You have to tell it each time you want to switch accounts, it won't do it automatically based on voice recognition or anything like that.
posted by solotoro at 2:56 PM on June 26, 2018


Doorbells do not need to be on The Internet!

For those mulling MetaFilter merch, I would buy a t-shirt with this on it.
posted by chavenet at 3:01 PM on June 26, 2018 [4 favorites]


One of the shortcomings of modern smart systems is easy to address. Today, the servers for all these smart devices have log entries showing who did what when or who inspected whom when.

Making those viewing logs visible, in-app and on-device, permanently and without deletion offered, would go a long way towards providing clear paper trails in cases of abuse.

Device owners deserve to know when their partner logs in and checks up on them. Anything less enables power imbalance and abuse. If I can’t see how often someone has checked the Nest app thermostat setting to see if I’m home, how can I ever feel safe granting them access at all?
posted by crysflame at 3:05 PM on June 26, 2018 [3 favorites]
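
One way the visible, non-deletable access log described in the comment above (with the per-resident accounts asked for earlier in the thread) could be built, as an added example that is not part of the thread or any vendor's code. The class, function names, member names and events are hypothetical and constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # previous-hash value used for the first entry


def _digest(prev_hash, body):
    """Hash an entry body together with the hash of the entry before it."""
    payload = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + payload).encode()).hexdigest()


class HouseholdLog:
    """Append-only log shared by every resident account of one household.

    Views are recorded as well as changes, and there is deliberately no
    delete or edit method: the only write operation is record().
    """

    def __init__(self, members):
        self.members = set(members)
        self._entries = []

    def record(self, actor, action, device, when):
        if actor not in self.members:
            raise PermissionError(f"{actor} is not a member of this household")
        body = {"seq": len(self._entries), "when": when,
                "actor": actor, "action": action, "device": device}
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = dict(body, hash=_digest(prev, body))
        self._entries.append(entry)
        return entry

    def view(self, reader):
        """Every member sees the whole log, not only their own actions."""
        if reader not in self.members:
            raise PermissionError(f"{reader} is not a member of this household")
        return [dict(e) for e in self._entries]  # copies, so callers cannot edit


def verify(entries, expected_head=None):
    """Return None if the chain is intact, else the index of the first problem.

    expected_head is the hash of the newest entry a resident saved earlier;
    without it, entries silently dropped from the end cannot be detected.
    """
    prev = GENESIS
    for i, entry in enumerate(entries):
        body = {k: v for k, v in entry.items() if k != "hash"}
        if body.get("seq") != i or _digest(prev, body) != entry["hash"]:
            return i
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return len(entries)
    return None


def view_counts(entries, device):
    """How often each account looked at a device without changing it."""
    counts = {}
    for entry in entries:
        if entry["device"] == device and entry["action"] == "view":
            counts[entry["actor"]] = counts.get(entry["actor"], 0) + 1
    return counts


def build_sample_log():
    """Constructed sample events for two hypothetical resident accounts."""
    log = HouseholdLog(["resident_a", "resident_b"])
    log.record("resident_a", "set_temperature", "thermostat", "2018-06-26T08:00")
    log.record("resident_b", "view", "thermostat", "2018-06-26T09:15")
    log.record("resident_b", "view", "thermostat", "2018-06-26T11:40")
    log.record("resident_b", "change_code", "door_lock", "2018-06-26T12:05")
    log.record("resident_b", "view", "thermostat", "2018-06-26T14:30")
    return log


if __name__ == "__main__":
    entries = build_sample_log().view("resident_a")
    print("chain intact:", verify(entries) is None)
    print("thermostat views:", view_counts(entries, "thermostat"))
    print("first bad index after removing an entry:",
          verify(entries[:3] + entries[4:]))
```

The hash chain only makes tampering detectable; a resident still needs a copy of the latest entry hash stored somewhere the other account cannot reach.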


E. Whitehall: If my abuser breaks down my door, is it the fault of the door for being flimsy or my abuser's for breaking it down?

This situation is more akin to the abuser having the key to the door—and the victim not having it.

As the article points out, smart-home tech is still pretty new, and we're all getting our heads around the ramifications. One of the ramifications is that as designed it is surveillance technology. I hope that once we're all more accustomed to the technology, people realize that fact, and realize that they can and must take the keys away from their abusers.
posted by adamrice at 3:10 PM on June 26, 2018 [3 favorites]


"It has been pointed out in the past that much of the thoughtless products and services that Silicon Valley comes up with can be explained as solving problems for 20-something tech workers (generally single males) in the Bay Area and not, for example, literally anybody else in the world."

That actually makes a ton of sense. That completely falls in line with my idea of someone who'd need an automated service to kick on the swamp cooler, turn on a light, or email them about eggs or whatever. The one useful case I've heard is for folks with disabilities, like, someone with a legitimate reason to need assistance in managing a lamp. I'm struggling with my own feelings on this as the day has progressed. I'm thinking part of my visceral reaction to someone who desires the luxuries promised by these technologies is my classism, it reminds me of a butler or servant, someone else to do menial tasks you should do yourself. I can see the problems with my feelings here but it's easy to shore up with the other deep problems with the tech and capitalists behind it.

"If my abuser breaks down my door, is it the fault of the door for being flimsy or my abuser's for breaking it down?"

It's both of their faults and probably society's too! The abuser for being an aggressive possession breaker. The door manufacturer, frame manufacturer/installer, and the hinge manufacturers for making a thing that failed to do the thing it was supposed to do. Society for creating an environment in which door manufacturers have cause to make less effective doors, for accepting the capitalist faustian bargain, for creating a society in which doors are necessary, and fostering an environment that produces stalking behavior and does too little to address it. If you're ever laying blame solely at one entity, you're letting someone, something, or yourself off too easy.
posted by GoblinHoney at 3:12 PM on June 26, 2018 [5 favorites]


If my abuser breaks down my door, is it the fault of the door for being flimsy or my abuser's for breaking it down?

Or perhaps the fault of the door manufacturer saying "Buy this secure door!" when in fact it could be easy for others to get a key without you knowing. Not an exact analogy of course.
posted by carter at 3:17 PM on June 26, 2018 [4 favorites]


As the article points out, smart-home tech is still pretty new, and we're all getting our heads around the ramifications. One of the ramifications is that as designed it is surveillance technology. I hope that once we're all more accustomed to the technology, people realize that fact, and realize that they can and must take the keys away from their abusers.

I recently looked at an apartment that was all smart-home enabled with Alexa integration provided by the landlord. It was an okay apartment but an always on constant surveillance landlord controlled smart home setup? Noped the fuck out of there so fast the estate agent may have heard a boom.
posted by srboisvert at 3:21 PM on June 26, 2018 [15 favorites]


I'm thinking part of my visceral reaction to someone who desires the luxuries promised by these technologies is my classism, it reminds me of a butler or servant, someone else to do menial tasks you should do yourself.

That would appear to be anthropomorphizing the technology behind these things, and computers HATE when you anthropomorphize them.

There are tasks that people don't want to do themselves - yes, even something as simple as getting out of my chair to hit the light switch. There are tasks that are easily handed over to technology. You're not a better person because you choose to do those things yourself, despite years of your parents telling you that hand-washing the dishes will build your character, and I'm not a worse person because I want to be able to say "Hey, Siri, turn on my bedroom lights" and have it happen.

Instead of heaping blame on the people using the technology, let's continue to point the blame at the appropriate places - the abusers and the tech industry that still doesn't know how to code for them.
posted by hanov3r at 3:22 PM on June 26, 2018 [11 favorites]


Role Based Access Control (RBAC) is great for hierarchies, bad for equality. I think we need to rethink authentication from a different angle. Maybe “equality based access control”?
posted by nikaspark at 5:29 PM on June 26, 2018 [1 favorite]


That doesn't necessarily help the problem of the sheer level of gaslighting these devices enable [...]

It's pretty amazing that our society adopted the term as a metaphor for psychological manipulation, and, despite having been fully warned of the possibility of abuse, went on to create devices that let psychopaths do this literally.
posted by Joe in Australia at 6:00 PM on June 26, 2018 [18 favorites]


You can still buy X-10 home automation gear and, while it's very outdated technology with recently added WiFi capabilities, internet connectivity isn't needed for it to work.
posted by CynicalKnight at 7:58 PM on June 26, 2018 [3 favorites]


If you're ever laying blame solely at one entity, you're letting someone, something, or yourself off too easy.

The nice thing about these sort of "everybody is to blame" stories is that it ends up as a great way to diffuse blame. "Oh well there's too many factors, so nothing can be done."

I mean, instead of pointing out how inextricably complicated things are, let's try pointing at one thing that can make things better. Like expanding anti-stalking laws to cover smart devices.
posted by happyroach at 8:16 PM on June 26, 2018 [6 favorites]


My husband and I were just discussing how disconcerting we find it that many of the younger couples we know track each other's daily whereabouts using their cars or cell phones. They don't (apparently) do this for nefarious reasons, more, it seems, for convenience of knowing when someone is going to get home or whether they remembered to stop at the store and get dog food or whatever. These couples are not creeped out in the least by their partner watching them. I, however, feel horrified by the idea, and so does the husband. We both have tracking and location services turned off on our phones now, and it's not because we are doing anything we don't want the other to know about, we just can't sit comfortably with the idea of anyone watching our lives unfold via our cars/cell phones/tvs whatever.
posted by WalkerWestridge at 9:17 PM on June 26, 2018 [2 favorites]


Kids these days sure seem to be lazy...

I still use X-10...it's exactly as much home automation as I actually need.

If you're into DIY video monitoring, I recommend checking out Zoneminder.com.
posted by littlejohnnyjewel at 9:41 PM on June 26, 2018


I'm a woman and I work as a network engineer and do a bunch of infosec stuff. Whenever possible, I actively point out that one of the failure scenarios to consider is "abusive stalker ex" when looking at things like, say, tracking what computers go where based on wifi system records.

But it's clear many/most companies in this sector aren't looking at this as a thing they need to worry about. And with it very easy for someone to install things into their household that are vulnerable to people messing with it by default, nevermind with a malicious actor having physical access to the device, it's unsurprising that this is happening to vulnerable and less-technically-savvy people (who tend to be women) in relationships.


Apologies for just quoting this wholesale and saying THIS! But also, this is why we need more diverse workplaces. Ramifications are important. Some of us are the sort of overthinkers who see this shit in a hot second.
posted by desuetude at 11:22 PM on June 26, 2018 [4 favorites]


What to do about it though?

As a local priest for the High Church of Technology in my little village, what I do about it is argue loudly and forcefully against "smart" devices every time I'm given the slightest opportunity to do so in person. I would consider any other position to be a fundamental betrayal of those who rely on me for sound tech advice.

I'm a CS guy with decades of experience, i.e. I'm no luddite

I'm a Luddite exactly because of my decades of experience in embedded systems programming and IT admin.

If they detect that someone else has taken control of the account, they take it back and give you the sole ownership and password.

Weak re-used passwords will be the root cause for some of these security breaches, of that there is no doubt; but anybody who actually believes that using strong, unique passwords on their Internet of Shit device control "cloud" accounts is enough to protect them against exploitation of the raft of security flaws these devices are well known to ship with is operating under a false sense of security.

Seriously, if you have reason to be concerned about being spied upon by an abuser, and you are at all in a position to remove all "smart" devices from your home, just do. Turf them all out. Any convenience you lose will be more than compensated for by improvement in the quality of your sleep.

In particular, you do not want a "smart" door lock.
posted by flabdablet at 3:05 AM on June 27, 2018 [11 favorites]


Old-school X10 has no security at all, and could easily be controlled by an abuser with an RF remote driving past your house.
posted by scruss at 4:56 AM on June 27, 2018


I honestly don't understand the zeal with which so many are embracing all this IoS stuff. I can't discern much in the way of actual need so much as it being a sense of "Oooo! New shiny!" or just sheer laziness (or a combination of both.)

As an aside, there's some "consulting" company here that sponsors our local NPR station, and their ad extols their expertise in IoT, "the Cloud" and blockchain. It's like they're advertising their value as the doorman at Hell's mouth.
posted by Thorzdad at 5:52 AM on June 27, 2018 [1 favorite]


Hey, all you anti IoT people... maybe let's not turn this into a "Why do people even use this shit?" conversation? People do, for lots of reasons ranging from straight up need in the case of certain kinds of disabilities all the way to "it's neat, and I like it." I think there's room for a conversation around how to make them safer without all of the crapping on the very idea, which comes off as victim-blaming at best.

On the actual topic, I'd love to know what else, as someone whose partner is waaaay less techy than me, and mostly accepts my playing around in this space with bemused grace, I can do to make sure that we exemplify the right way to act in this scenario? She legit does not care about this stuff except to find the Echo a bit creepy, so asking her to understand "Well, here's the hub that controls the lights and here's the Pi that automates how our thermostat responds to the presence sensors..." is more than is reasonable.
posted by ChrisR at 6:26 AM on June 27, 2018 [5 favorites]


I can't discern much in the way of actual need so much as it being a sense of "Oooo! New shiny!" or just sheer laziness (or a combination of both.)

Every time I can't figure out why other people like stuff I don't like I attribute it to laziness too. It's fun.
posted by skewed at 6:31 AM on June 27, 2018 [2 favorites]


I can change the thermostat setting from work? That's... interesting, I guess?

It could save you money now by enabling you to turn heat/AC off when you're away, maybe more money in the future when we may get more variation in pricing during the day. This sort of shiftability in demand is seen by many as key to managing energy systems with lots of intermittent renewable generation.
posted by biffa at 7:00 AM on June 27, 2018


Future Crimes is already outdated.
posted by Pig Tail Orchestra at 7:38 AM on June 27, 2018


One of the things I dislike very much about casting skepticism about IoT use as victim-blaming (at best!) is that it sidesteps the fact that the adoption of immature technology which cedes control of your house to a third party involves the evaluation and acceptance of risk, a conscious decision that everyone* who has an Echo or Alexa or smart fridge has made. For some people, like the differently abled, the risk posed by this technology is clearly outweighed by the benefits of voice and smartphone control. For others, it is less need-driven and more "because it is cool" - which is fine, everyone is free to make their own choices - but the risk/reward calculation is less compelling. Especially and particularly when many of these devices have extremely spotty records regarding privacy and remote exploits, it is perfectly reasonable to be skeptical of someone's decision to hook into it, because there is a known and large risk associated with these devices and when those known risks come to roost it is an unavoidable fact that the decision to use the device in the first place played an enabling role in whatever shenanigans went down. The IoT fan did not force the bad actor to harm them, but they opened up the attack vector which allowed the harm to be perpetrated.

The main takeaway is that the current iteration of IoT devices are not trustworthy and using them puts people at a high risk of being hacked. It is everyone's personal decision, of course, but the acceptance of that risk means that crying foul when things go awry is going to fall on a lot of deaf ears.

Clearly in the context of this article, the main problem is men who harass and stalk. IoT adoption has just given them new and more horrible ways to be evil, and the companies who produce these devices don't give a shit about these nefarious uses because they are making money and there are apparently no consequences to their bottom line. And because these devices can be exploited remotely and anonymously, they are orders of magnitude more vulnerable than doors, windows and bike locks. I mean, forget jealous exes, what if some gaggle of 14-year-old shitheels decided to DDoS your entire house? That is a very real possibility.

So until there are industrial standards for IoT security - these devices, in my opinion, should be licensed and certified similarly to FDA approval because of the risk they pose - it is just plain unsafe to use them unless you absolutely have to.

* Of course many people will find themselves in living situations where those decisions have been made for them, which sucks.

For things like home automation through voice control there is a clear market for a system which does voice processing locally and uses a mesh network like ZWave to provide connectivity between devices without exposing the home to the internet.
posted by grumpybear69 at 7:59 AM on June 27, 2018 [2 favorites]


It could save you money now by enabling you to turn heat/AC off when you're away, maybe more money in the future when we may get more variation in pricing during the day.

In fact, this is why I have a smart thermostat: my city gives me a break on my electricity bill in order to allow them to turn it off during Peak Energy hours in late afternoons, often when I'm not home anyway to use it. I was considering asking why functionality of Smart Devices is always linked to the internet rather than a LAN-type system, but then I answered my own question when I was thinking about how and why I use the few devices that I do own.

I'm quite willing to give thermostat access to certain remote interested parties in my house, with my informed consent and explicit agreement. If I want to override the city's ability to turn off my AC, I also can do that, and the thermostat won't ask me again. We have ways to make this modification beneficial for everyone without allowing, say, the city to malevolently turn off my specific A/C forever.

Why can't we modify this technology in order to make it less accessible for abusers? Why is the answer to abusers exploiting technology to blame people who would like access to that technology? Why isn't the answer punishing the abuse?
posted by sciatrix at 8:02 AM on June 27, 2018


And--that's actually my problem with the whole "you should be skeptical of the Internet of Things, because they're insecure and open you up for abuse, so if you did have one what are you expecting?" narrative.

Why the hell is the "what are you expecting" sentiment leveled at consumers and not at the lacking consumer protections that we should be demanding on a legislative level? Why is there not outrage at the short-sightedness of technological companies? Where are we collectively directing our blame?
posted by sciatrix at 8:03 AM on June 27, 2018 [1 favorite]


Because until those consumer protections are in place and the companies are held accountable, the IoT devices aren't safe, and we know this.
posted by grumpybear69 at 8:06 AM on June 27, 2018 [2 favorites]


Old-school X10 ... could easily be controlled by an abuser with an RF remote

True, but then they're already skulking around your shrubbery just like the old school stalkers ringing doorbells and digging through garbage cans, as opposed to repeatedly locking you out of your house while sitting on the toilet at a Tim Hortons in FlinFlon
posted by CynicalKnight at 8:29 AM on June 27, 2018 [4 favorites]


My dad keeps sending my brothers and me paragraphs-long emails about deals on WiFi camera systems and possible uses for them (to bachelor brother: “you can keep an eye on your dog!” To city-dwelling me: “You can see who is trying to break into your house/garage!” with a creepy side of “monitor the baby sitter”). My dad is 110% untreated anxiety, and this technology just provokes additional anxiety and helps him avoid the fact that he and everyone around him would benefit from him going on anti-anxiety medication. He has a WiFi camera pointed toward his basement sump pump in case it fails while he is away, despite the fact that it will fail if the power goes out AND SO WILL THE WIFI AND CAMERA, and don’t you need light to see anything on said camera pointed toward a dark basement hole?

I don’t care, these creepy cameras should all get infected by a million malware viruses and brick themselves off the face of the earth.
posted by Maarika at 8:37 AM on June 27, 2018 [1 favorite]


we know this

Who's we? Think outside Metafilter, think outside the community of tech folks. Think about your general consumers who may or may not have a technology background.

Does everyone know this? I think it's pretty reasonable for a consumer not to know about these safety vulnerabilities. This is literally why consumer protections are supposed to exist: so you don't have to know encyclopedias about every medicine you taste or car you buy to make sure you're not going to put yourself at risk of your life or livelihood to use a given product for the purposes it's marketed for.

That's what I mean about blame. And it really bothers me to see that kind of dismissive "oh yeah but we know these things aren't safe" just waved about without pausing. How the heck do you think we get consumer protections?! It's by looking at situations like this, yelling that of course the consumer shouldn't have needed to know this ahead of time, and demanding that someone do something about it. "Just don't buy that product, idiots" is not a solution that actually gets you anywhere.
posted by sciatrix at 8:38 AM on June 27, 2018 [6 favorites]


I'd love to know what else, as someone whose partner is waaaay less techy than me, and mostly accepts my playing around in this space with bemused grace, I can do to make sure that we exemplify the right way to act in this scenario?

If you absolutely must put "smart" stuff in your house, go more Pi and less proprietary.

The main security risk of typical Internet of Shit devices is that they're super-cheap under-engineered garbage with a market life of a year or two if you're lucky, and either no way or exploitable ways of applying security patches to the proprietary software that runs on them, which will generally be thrown together in a hurry by people not paid enough to know what they're doing.

Automating your home with open-source stuff, especially open-source stuff running on top of a distribution platform like Debian whose fundamental reason for existing is keeping auditable software up to date, is considerably less unsafe.

But the single safest option remains choosing not to be lured by the siren song of stuff that promises to be "smart" for no better reason than that you can be so lured. If "smart" gear scratches an itch that you knew you had before you became aware of a "smart" "solution" having become available in the marketplace, fair enough; embrace the risk with your eyes wide open. But if in your heart of hearts you actually know that the main reason you want it is because you know it exists, resist. You'll end up better off than your neighbours who don't.

the IoT devices aren't safe, and we know this

And now you know this too; so if you make a deliberate choice to install some shitty Philips-knockoff light bulb anyway, and you come to grief as a result, then all the I Told You So you'll inevitably be experiencing isn't victim blaming so much as rube immunization. If somebody tells you a "smart" device can improve your life, nine times out of ten they are lying to you.

You wouldn't fall for a 419 advance-fee fraud. Don't fall for "smart" gadget marketing either. The impulse behind both is the same.
posted by flabdablet at 8:42 AM on June 27, 2018 [1 favorite]


By the way: I do not offer shouting condemnation of "smart" devices as a class from the rooftops as an alternative to robust consumer protection laws. Obviously we should have those too.
posted by flabdablet at 8:44 AM on June 27, 2018 [2 favorites]




these creepy cameras should all get infected by a million malware viruses and brick themselves off the face of the earth

Unfortunately there's more money to be made off infecting this shit than off selling it, so the quality of the infecting software will be correspondingly higher than that of the badly implemented bullshit that's in these things when you buy them.
posted by flabdablet at 8:47 AM on June 27, 2018


In good news on this front, it appears that the safety & security of IoT devices is becoming an ever-larger priority for consumer protection agencies:

https://www.cnet.com/news/us-consumer-product-safety-commission-iot-public-hearing-security/

You can add "starting a fire" to the list of things people can currently do remotely to IoT households with items as innocuous as smart plugs.
posted by grumpybear69 at 9:22 AM on June 27, 2018 [1 favorite]


I had to put a nest smoke alarm in the freezer once, the thing would not shut up and freezers have good acoustic insulation.

That is when I gave up on smart stuff for the home.

I keep some delicate stuff at home that requires controlled temperature, humidity, light, etc... Each species has different requirements.

My solution has been to use lots of arduinos and photons and all kinds of free development kits connected to relays that power good old fashioned devices. They are connected to my wifi and only talk to my server. I can check my server from anywhere and control stuff via my own interface.

I know not everyone can do this, but I wonder if there is a market for artisanal smart home installation. The server is like $300, the little wifi boards to control relays are under $5 each from the right sources, good quality safe relays start at under $20.
posted by Dr. Curare at 9:43 AM on June 27, 2018


"It's both of their faults and probably society's too! The abuser for being an aggressive possession breaker. The door manufacturer, frame manufacturer/installer, and the hinge manufacturers for making a thing that failed to do the thing it was supposed to do. Society for creating an environment in which door manufacturers have cause to make less effective doors, for accepting the capitalist faustian bargain, for creating a society in which doors are necessary, and fostering an environment that produces stalking behavior and does too little to address it. If you're ever laying blame soles at one entity, you're letting someone, something, or yourself off too easy."

The thing is, you can get a door that's super hard to bash in. You need a metal reinforced frame, a great door, a good lock... Businesses often have these. Homes that sell drugs sometimes have these (hence the ridiculous oversized battering type rams the police use). You can buy a good door, it's just not cheap.

Sadly, that's not exactly true with IoT, IoT does a shit job at securing itself against randos halfway around the world. Even (especially) IoT devices that sell themselves as 'security devices' are often times creating more insecurity than not.

I had a salesman come to my house trying to sell their security system, that they boasted could be used by your cellphone; you could stream the video at all times. I asked them a single question: "What third party auditor has looked at the security of this 'solution'?" Their answer was to tell me how many millions of houses their system was installed in. That's not an answer.

Now, I'll absolutely agree that all the manufacturers of IoT systems should figure out how their system works when a once-trusted user is no longer trusted. That's a great use-case that needs to be thought of when building these things. Sadly, so many IoT devices don't even do a rudimentary job at keeping hackers at bay...

That being said, I think there is work that can be done to help DV victims in this area. Guides can be written and distributed (to shelters among others) that let women know how to audit their devices (just figure out what smart devices are in their houses), how to reset them to factory, how to take back control of them. This is important work that can be accomplished. But waiting around for the legislator or the device manufacturers to fix this issue isn't the road to addressing this.
posted by el io at 11:06 AM on June 27, 2018 [2 favorites]


I enjoy following Matthew Garrett's often scathing reviews of internet of things devices, which frequently find terrible implementations--phone apps that "authenticate" themselves to devices using keys that are baked in to the apps, and other violations of how-to-write-secure-systems-101.

But from the article it sounds like crappy implementations weren't the issue. Abusers aren't hacking, they're just e.g. not handing over passwords when they should.

I don't know what lesson to take from that, it's just interesting to me.
posted by bfields at 11:06 AM on June 27, 2018


grumpybear69: Your CNET link contains the following statement from the agency:
"We do not consider personal data security and privacy issues that may be related to IoT devices to be consumer product hazards that CPSC would address."
posted by el io at 11:07 AM on June 27, 2018


I don't know what lesson to take from that

Here's one: the "smarter" the devices, the more inscrutable their by-design behaviour and the more numerous their unanticipated failure modes. And the more ubiquitous "smart" devices become, the more consequential those failures become as well; and many of the failure modes involve network effects.

Resist adopting them to the best of your ability.
posted by flabdablet at 11:24 AM on June 27, 2018


"I'm trying to think of how a smart-home system might be designed in such a way as to help DV victims, or at least reduce the harm they cause. Fundamentally you have the issue that you don't want random guests that might visit your house to be able to take control of these systems"

Eh, I don't know, I think something that gives you a backdoor if you're physically present might be the right thing to do. So, make sure every device has instructions printed on it that say "to set up, press this button for 10 seconds and then start MyIOTApp and answer the questions".

It's not that that's perfect, it's that I think "physical access gives you control" is a model that people are familiar with and probably better at reasoning about.
posted by bfields at 11:30 AM on June 27, 2018 [5 favorites]


But does doing so then give you control of past records from the device, if the other half of the conundrum is that "smart" devices are the beachheads of a surveillance system?
posted by XMLicious at 11:40 AM on June 27, 2018


"But does doing so then give you control of past records from the device, if the other half of the conundrum is that "smart" devices are the beachheads of a surveillance system?"

My knee-jerk reaction is that the device should start over with a completely clean slate at that point, as if it was fresh from the factory. The reset device doesn't get you any access to the previous user's information. If you want to link the newly reset device to some preexisting account then you need credentials for that account.

I don't really know.

Does that do what you want? I'm not sure exactly what the threat is you're considering.
posted by bfields at 11:49 AM on June 27, 2018


So, make sure every device has instructions printed on it that say "to set up, press this button for 10 seconds and then start MyIOTApp and answer the questions".

Yup. And the setup that happens after that button gets pressed should not use or require Internet access. The phone app should be talking directly to the devices over wifi.

And nothing that does make use of the "cloud" in any way should be on by default; if you want that stuff you should have to turn it on explicitly.

Also, if you press the device's setup button and then do not connect the control app to it within say 30 seconds, the device should disable all its "smart" features completely.

Also also: keeping the setup button pressed continuously for at least 30 seconds should destroy a key that the device must provide in order to decrypt any records held by the device or in its associated apps and online accounts. It's better to give a physically present attacker an easy Denial Of Service attack than to deprive a surveillance target of reliable means to erase their own surveillance.
posted by flabdablet at 11:51 AM on June 27, 2018
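
The physical-reset rules proposed in the two comments above (bfields, flabdablet), modelled as a small state machine. This is an added example, not code from any commenter or product; the `Device` class, its method names, the SHAKE-based cipher stand-in, and the rule that a sealed record opens only for the account that was paired when it was written are assumptions of the example.

```python
import hashlib
import hmac
import os

SETUP_HOLD_S = 10    # hold that enters setup mode (figure from the thread)
ERASE_HOLD_S = 30    # hold that also destroys the record key
PAIR_WINDOW_S = 30   # the app must connect locally within this window


class KeyDestroyed(Exception):
    """Records were requested after the key was erased."""


def _subkey(key, label):
    return hashlib.sha256(label + key).digest()

def _xor_stream(key, nonce, data):
    # Stdlib stand-in for a real AEAD cipher (assumption of this example).
    stream = hashlib.shake_256(_subkey(key, b"enc") + nonce).digest(len(data))
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(key, body):
    return hmac.new(_subkey(key, b"mac"), body, hashlib.sha256).digest()


class Device:
    def __init__(self):
        self.key = os.urandom(32)    # record key, never leaves the device
        self.owner = None            # SHA-256 of the paired account credential
        self.cloud = False           # cloud features start off
        self.state = "unconfigured"  # unconfigured | setup | paired | dumb
        self.setup_at = None

    def button(self, held_s, now):
        if held_s < SETUP_HOLD_S:
            return self.state                  # short press: ignored
        if held_s >= ERASE_HOLD_S:
            self.key = None                    # every stored copy is now noise
        self.owner, self.cloud = None, False   # clean slate, as from the factory
        self.state, self.setup_at = "setup", now
        return self.state

    def tick(self, now):
        if self.state == "setup" and now - self.setup_at > PAIR_WINDOW_S:
            self.state = "dumb"                # nobody paired: smart features off
        return self.state

    def pair(self, credential, link, now):
        if self.tick(now) != "setup":
            raise PermissionError("press the setup button first")
        if link != "local":
            raise PermissionError("setup never goes through the internet")
        if self.key is None:
            self.key = os.urandom(32)          # fresh key after an erase
        self.owner = hashlib.sha256(credential).digest()
        self.state = "paired"

    def enable_cloud(self, credential):
        self._check(credential, self.owner)    # explicit opt-in by the owner
        self.cloud = True

    def seal(self, text):
        if self.state != "paired":
            raise PermissionError("not paired")
        nonce = os.urandom(16)
        body = self.owner + nonce + _xor_stream(self.key, nonce, text)
        return body + _tag(self.key, body)     # safe to copy to app or cloud

    def open(self, blob, credential):
        if self.key is None:
            raise KeyDestroyed("record key was erased")
        body, tag = blob[:-32], blob[-32:]
        if not hmac.compare_digest(tag, _tag(self.key, body)):
            raise ValueError("not sealed under the current key")
        self._check(credential, body[:32])     # only the sealing account reads
        return _xor_stream(self.key, body[32:48], body[48:])

    @staticmethod
    def _check(credential, owner_hash):
        given = hashlib.sha256(credential).digest()
        if owner_hash is None or not hmac.compare_digest(given, owner_hash):
            raise PermissionError("wrong account credential")
```

In this model a 10-second hold hands control to whoever is physically present while old records stay readable only with the old account credential. A 30-second hold makes those records unreadable to everyone, including a person who needed them as evidence.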


> But does doing so then give you control of past records from the device, if the other half of the conundrum is that "smart" devices are the beachheads of a surveillance system?"

My knee-jerk reaction is that the device should start over with a completely clean slate at that point, as if it was fresh from the factory. The reset device doesn't get you any access to the previous user's information. If you want to link the newly reset device to some preexisting account then you need credentials for that account... Does that do what you want? I'm not sure exactly what the threat is you're considering.

I'm just evaluating your proposed approach. If a DV victim needs access to records for their own benefit, to prove the abuser's behavior via surveillance records or prove the abuser has been gaslighting via alteration of the device, then this seems like a means for an abuser to cut them off from those records.

Not having explored the subject deeply myself either, it seems to loop back around to users needing to have some fore-knowledge of the functionality and some way to anticipate the behavior of the devices. Oversimplifying one aspect in an attempt to aid unfamiliar users, like providing the ability to take control of the device via physical access to it, may cause problems in other scenarios.
posted by XMLicious at 12:24 PM on June 27, 2018 [1 favorite]


it seems to loop back around to users needing to have some fore-knowledge of the functionality and some way to anticipate the behavior of the devices.

I think that this is exactly the point. And the more complex that this behaviour can be - that is, the "smarter" the device - the smaller will be the proportion of the user base that actually achieves such foreknowledge or anticipation.

Since the release of the iPhone, the IT industry has done phenomenal amounts of work on trying to convince people that the tech in their lives works essentially by magic and that any need to care about how it works is obsolete. This work has been largely successful, in that most of the tech currently available does now do a reasonably good job of sweeping its own internal complexity under the rug most of the time.

But we're getting to the point where the rug is not actually touching the floor any more. Nobody really knows for sure what's under there now. I'm pretty sure that at least some of it is mutant alligators.
posted by flabdablet at 8:10 PM on June 27, 2018 [3 favorites]


Tangentially related, great new FPP about a publication concerning deception in ux/user interfaces.
posted by XMLicious at 9:47 PM on June 27, 2018 [1 favorite]


There's widespread lack of outrage or effective action about failures of privacy. Equifax? Well, that's bad, but what are you gonna do? Yahoo accounts compromised for years? Well, you know, it's Yahoo. Etc. Vendors should be held liable for their appallingly lax security. Buyers should be suspicious and demand secure products. If someone is hammered by misuse of lax security, they should sue and get a serious settlement.

As a result of the ask.me, I contacted the local family violence program to volunteer with technology. If I can pull it together, I'm thinking about a web page resource for dealing with the technology issues.
posted by theora55 at 8:38 AM on June 29, 2018 [8 favorites]


Follow-up:
Gender and IoT (G-IoT) Resource List "This resource list is intended as supplementary material to better inform and guide victims of technology-facilitated abuse as well as those working with them."
posted by adamrice at 4:26 PM on July 6, 2018 [1 favorite]

