Smart spy devices: When the vacuum cleaner listens in

Status: 16.12.2022 11:39 a.m

Hidden cameras and microphones in vacuum robots, toys or smartwatches are actually forbidden. They are sold anyway. What to look out for when buying connected devices.

By Antonia Mannweiler, tagesschau.de

You would not let uninvited guests into the house – but what about the ones you don’t even know are there? More than 40 percent of all Germans already use smart home applications at home that make their daily lives easier. In almost one in four households, a vacuum robot now takes over the tiresome cleaning of the floor. Even without supervision, the round helpers can move from the kitchen to the living room, from the bedroom to the bathroom. In rare cases, they also take on other activities: for example, listening in at home without anyone knowing.

Just in time for Christmas, the Federal Network Agency warns of networked objects. Caution is advised with smart toys and everyday objects with a hidden camera or microphone that create audio or video recordings unnoticed – and can transmit them to other receiving devices via WLAN or Bluetooth. The head of the Federal Network Agency, Klaus Müller, focused primarily on the protection of children: “Networked devices that are suitable for spying and endanger our privacy are prohibited. Such devices have no place in children’s rooms in particular.”

More than 1000 investigations against sellers and manufacturers

In 2017, the case of the toy doll “My Friend Cayla” caused a stir. The doll could interact with children, for example by answering their questions. However, because it was equipped with a microphone and radio link that were not clearly recognizable, the doll was eventually banned. In addition, the Bluetooth connection was not sufficiently protected, so strangers could have listened in on, saved and forwarded conversations in the children’s room.

Even five years later, numerous such illegal recording devices are still in circulation. In the first half of this year alone, the Federal Network Agency shut down 2,552 online offers for banned spy devices. However, the number of individual items is much higher, because a single offer can sometimes cover several thousand products. For comparison: two years ago, only 138 offers were deleted from the Internet in the same period.

What is allowed – what is forbidden?

But while cameras and recording apps in smartphones can capture every moment of life, microphones and cameras built into pens are banned. So which products are allowed – and which are not?

Basically, devices are prohibited if they have a camera or a microphone with which image and sound files can be transmitted wirelessly – for example via WLAN or Bluetooth. That description also fits smartphones. It only becomes problematic when it applies to an everyday object or when the microphone and camera are built into a dummy object. This is the case, for example, when they are hidden in a dummy smoke detector, a lamp, a power bank – or in a flower pot.

Of course, smartphones can also be used to record third parties without their knowledge. However, the Federal Network Agency describes it as follows: “The function for telephoning can be used for unnoticed eavesdropping if the cell phone owner behaves illegally. It is not the cell phone itself that is prohibited, but the behavior of the user.” In simpler terms, items that are known to the general public to have a camera – such as smartphones, drones, or laptops – are allowed. Everyday objects where this cannot be assumed – such as a lamp or a pen – are prohibited.

Marta Mituta from the Federal Network Agency says in an interview with tagesschau.de that the popular smartwatches also cause a lot of uncertainty. “We keep getting inquiries from school administrations who don’t know how to deal with it,” says Mituta. Smartwatches with a telephony function are generally permitted. However, if the watch can also take pictures or make recordings that third parties can activate without being noticed, then the smartwatch is banned. Cameras and microphones are allowed in objects if they are clearly indicated – for example by a visible symbol on the object – or if they are clearly recognizable.

How to discover spy gadgets?

It is not always clear whether the devices can secretly eavesdrop or whether the data is being forwarded. Ahmad-Reza Sadeghi is a professor of computer science at TU Darmstadt and conducts research in the field of system security. A research team from the university has also tested smart vacuum cleaners and voice assistants for security gaps – and uncovered some.

There are two classes of smart devices, Sadeghi told tagesschau.de. Devices that come onto the market very quickly fall into the first category, where security – also for cost reasons – does not play a major role. Devices with less security, in turn, are more likely to be hacked. It is not uncommon to be able to control vacuum robots from a distance – for example, to order them to vacuum the apartment. That works via the cloud, says Sadeghi. However, this connection must be secured. With some of the vacuum robots tested, attackers from outside were able to take control or read the camera.

Tips for Consumers

In the second class, Sadeghi includes manufacturers and companies that can afford well-trained security experts. “But that doesn’t mean they can’t be hacked,” he notes. And not all hacks are known. There are discussions about a kind of TÜV for the devices. However, since there are so many different manufacturers, it is difficult to agree on standards. Another reason is that many devices come from Asia, and especially China.

However, Sadeghi also has practical tips for consumers: First of all, you cannot avoid doing your own research and finding out about the device. With some devices, you should also ask yourself whether you really need a microphone or a camera: for example, if a kettle tells you at what temperature the water is currently boiling. The question of whether you can simply switch off the function or whether the device can be connected to other devices is also important. And does the device also ask for permission? According to Sadeghi, more technical questions can be asked afterwards: Is there communication with other servers? Where is the server? Is my data going through a secure channel like SSL?

When to get suspicious

All customers are entitled to know what data is being collected, agrees Rebekka Weiß, head of trust and security at the digital association Bitkom. She also advises reading product descriptions carefully. “Every consumer should be suspicious if there is no information about the setting options,” she emphasizes. Smart products don’t just fall out of the sky; the device has to adapt to the customer. There has to be a setting for this somewhere. However, the transfer of data is not always questionable, states Weiß. It is completely normal for manufacturers to work together with contractual partners.

The consumer center of Rhineland-Palatinate recommends making sure when purchasing that you do not select devices from dubious providers without sufficient IT security. Attention should also be paid to local data processing. The age suitability of the products also plays a role – cameras or microphones for small children should therefore be ruled out.

According to Rebekka Weiß from Bitkom, a good legal framework of trust has actually been created to really let the products work. “The simplifications that they bring to us in everyday life are enormous.” It would be a great shame if you had to give them up because of unfounded fear. Admittedly, there must be information for the consumer, but one’s own actions also play a part. You have to read the product description and be able to turn a function on or off. “We have to behave actively in this digital world.”

What to do if a spy device is detected

Employees of the Federal Network Agency scour the Internet for banned spy devices or follow up on leads. If an inspection finds that the product is illegal, the manufacturers or producers are contacted, and their offers then have to be removed.

But even the possession of such devices is prohibited. If you have unwittingly bought or discovered such a spy device, this must be reported to the Federal Network Agency. The data protection authorities of the individual federal states are also the contact point for concerns about data protection issues.

Destroy device – and document

It is not enough to simply throw the prohibited device in the garbage. “If we identify prohibited products, not only does the seller have to destroy the products, but also the buyer,” says Marta Mituta from the Federal Network Agency. Depending on the product, the Federal Network Agency also provides information on how an object must be destroyed. Importantly, the process must be documented: photos, videos or a confirmation from the waste management station must then be sent to the agency. Anyone who does not want to destroy the devices voluntarily can also be obliged to do so by the Federal Network Agency – with a fine of up to one million euros.

However, there is no list of banned products, which would certainly help consumers – according to Mituta, this is not legally possible. “We would have liked to have published a list of the brand names of the products, but we’re not allowed to.”
