Air fryer app caught asking for voice data (re-air)

Nov 30, 2025 | 28 min | Season 6, Ep. 24

Summary

Re-airing for Thanksgiving, this episode delves into the pervasive issue of consumer device data collection, revealing how products like air fryers demand sensitive information and smart rings publish aggregate health data. It also examines a shocking incident where a robot vacuum's test images, including a private photo, were shared by AI trainers. The discussion emphasizes the lack of transparency in data supply chains and the challenging "bargain" consumers unknowingly make when purchasing smart technology.

Episode description

It’s often said online that if a product is free, you’re the product, but what if that bargain was no longer true? What if, depending on the device you paid hard-earned money for, you still became a product yourself, to be measured, anonymized, collated, shared, or sold, often away from view?

In 2024, a consumer rights group out of the UK teased this new reality when it published research into whether people’s air fryers—seriously—might be spying on them.

By analyzing the associated Android apps for three separate air fryer models from three different companies, researchers learned that these kitchen devices didn’t just promise to make crispier mozzarella sticks, crunchier chicken wings, and flakier reheated pastries—they also wanted a lot of user data, from precise location to voice recordings from a user’s phone.

As the researchers wrote:

“In the air fryer category, as well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason.”

Bizarrely, these types of data requests are far from rare.

Today, on the Lock and Code podcast, we revisit a 2024 episode in which host David Ruiz tells three separate stories about consumer devices that somewhat invisibly collected user data and then spread it in unexpected ways. This includes kitchen utilities that sent data to China, a smart ring maker that published de-identified, aggregate data about the stress levels of its users, and a smart vacuum that recorded a sensitive image of a woman that was later shared on Facebook.

These stories aren’t about mass government surveillance, and they’re not about spying, or the targeting of political dissidents. Their intrigue is elsewhere, in how common it is for what we say, where we go, and how we feel, to be collected and analyzed in ways we never anticipated.

Tune in today.

You can also find us on Apple Podcasts, Spotify, and whatever preferred podcast platform you use.

For all our cybersecurity coverage, visit Malwarebytes Labs at malwarebytes.com/blog.

Show notes and credits:

Intro Music: “Spellbound” by Kevin MacLeod (incompetech.com)

Licensed under Creative Commons: By Attribution 4.0 License

http://creativecommons.org/licenses/by/4.0/

Outro Music: “Good God” by Wowa (unminus.com)

Listen up—Malwarebytes doesn't just talk cybersecurity, we provide it.

Protect yourself from online attacks that threaten your identity, your files, your system, and your financial well-being with our exclusive offer for Malwarebytes Premium for Lock and Code listeners.

Transcript

Intro / Opening

Today's episode is brought to you by Malwarebytes Premium Security. Protect your computers and devices from cyber attacks, 24/7, with Malwarebytes Premium Security. And go to malwarebytes.com slash lock and code for an exclusive offer. That's malwarebytes.com.

Pervasive Data Collection by Smart Devices

Hey everyone! It is Thanksgiving weekend here in the United States, which for many people means a welcome reprieve, and for others who are saddled with an insane cooking schedule and who have every in-law crowding their home, it is instead... a time to grieve. Importantly, countless Black Friday and Cyber Monday sales are happening right now, so we are re-airing an episode from last year about some popular devices that might enter your home only to take your data out. Enjoy.

This is Lock and Code, a Malwarebytes podcast. I'm your host, David Ruiz. Our main story today is about data collection that happens in the most private of spaces, directly in your home, through devices you bought. On November 5th, a UK consumer rights group published eyebrow-raising research that claimed that our air fryers may be spying on us. The group is called Which?, and that's which as in "which podcast is your favorite," and not "double, double toil and trouble." The group analyzed many smart devices and found that all of them were requesting or collecting or sending sensitive information outside of the home. The smart TVs required that customers enter a postal code to sometimes even function. The smart speakers came packaged with trackers that connected to Facebook and Google's advertising networks. The smart watches, somewhat expectedly, requested access to precise location, stored files, and visibility into all installed apps. But the air fryers, which, need we remind ourselves, are kitchen utilities, the air fryers wanted to know quite a lot about what happens outside the kitchen.

According to the analysts from Which?, quote, in the air fryer category, as well as knowing customers' precise location, all three products wanted permission to record audio on the user's phone, for no specified reason, end quote. One air fryer, quote, wanted to know gender and date of birth when setting up an owner account, again for no clear reason, but this was optional, end quote. Two of the air fryers, quote, both sent people's personal data to servers in China, although this was flagged in the privacy notice, end quote.

I will admit here that "air fryer turned spy" is a captivating headline from this story, but it's not accurate. Your air fryer at this moment does not care how unhealthy your weeknight meals are. Instead, your air fryer is more likely to be built on top of a data collection regime that powers countless companies today. It is why cars collect information about your driving speed, your location, and your sexual activity. And I'm not joking. That was in Nissan's privacy policy as of last year. It's why we once saw a flashlight app asking for location access, and it's why your mortgage information gets scooped up as soon as it's registered online. In America, the prevailing model of online economic success is data collection. Companies will collect the data they can because that data itself might generate revenue elsewhere, even if their primary product has nothing to do with data collection. This approach is so ingrained in commerce that many companies struggle to not collect information when utilizing some of the largest business platforms. You think you can use Salesforce without tracking customers? You think you can buy Facebook ads without relying on Facebook's extensive ad profiles? This is how things run. And it can be very difficult to see why it matters.

Today on the Lock and Code podcast, we're telling you three stories about what it looks like when this invisible home data collection goes askew. These stories aren't about mass government surveillance, and they're not about spying or the targeting of political dissidents. Their intrigue is elsewhere, in how common it is for what we say, where we go, and how we feel to be collected and analyzed in ways we never anticipated.

Air Fryer Apps' Intrusive Data Demands

There is no guest for today's episode. It is only me and the data collection. All right, let's start.

In 2010, the first consumer air fryer was unveiled to the public at a major electronics fair called IFA Berlin. Air fryers are just small convection ovens, which means that they use fans to push heat evenly throughout an enclosed space. Without those fans, any heat within any space, be that an oven or a room or my old boiling top-floor apartment, that heat naturally rises to the top. For cooking, that's an obvious downside. The bottom rack of an oven will not be the same temperature as the top rack. All convection ovens try to solve this problem by circulating hot air evenly. It's a technological advancement that, especially for air fryers, promises to make crispier mozzarella sticks or crunchier chicken wings or flakier reheated pastries. It's also an invention that has proved wildly popular. Though it was first launched by the company Philips, which makes my toothbrush, air fryers today are now made and sold by Cuisinart, Ninja, Breville, and more. And as is the case for most modern home devices, a lot of these air fryers can connect to the internet and can be controlled through a separate app that you download on your phone.

It is these types of apps that the researchers at Which? analyzed, specifically for Android devices. And when testing the three separate air fryers made by the companies Xiaomi, Cosori, and Aigostar, researchers learned about a host of potential privacy invasions. The connected mobile apps for the Xiaomi Mi Smart Air Fryer, the Cosori CAFLI401S, and the self-named Aigostar all, quote, wanted permission to record audio on the user's phone for no specified reason, end quote. The Xiaomi app also, quote, connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent, depending on the location of the user, end quote. There's more. When creating an account for the Aigostar air fryer, the connected app asks users to divulge their gender and date of birth without stating why that was necessary. The request, however, could be declined, and the Aigostar app also, like the Xiaomi app, sent personal data to servers in China. This data-sharing practice was at least clarified in the companies' privacy policies, which many people admittedly do not read. And as for the Cosori app, it, along with the Xiaomi and Aigostar apps, so all three, requested access to a user's precise location.

When Which? published these findings, the companies at times rebuffed the characterizations. Aigostar did not comment, but Cosori upheld that it prioritizes user privacy while complying with the EU's broad data protection law, GDPR. Cosori also expressed some frustration with the researchers, alleging that the consumer rights organization did not offer them, quote, specific test reports, end quote, and so they couldn't really comment further on the findings. And a representative for Xiaomi said, quote, we do not sell any personal information to third parties, end quote. And they denied that the air fryer in question could even utilize voice recordings. Quote, the permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer, which does not operate directly through voice commands and video chat, end quote.

Without owning a Xiaomi Smart Air Fryer or using the Xiaomi Home app, it is impossible for me to investigate this further. But I do think this could be the case of a single app being created for multiple devices, and then finding out that what that app needs for one device doesn't necessarily match the needs of another device. And yet, the app will still make the same requests, probably to just streamline every onboarding process. It would be like buying an electronic keyboard from the company Yamaha, and in registering the device online with an account, being asked about real-time location for a motorcycle. The company makes both, but the data associated with both does not overlap.

There is, unfortunately, no satisfying takeaway here. Either don't buy these products or don't use their apps, but that advice falls flat when most home devices today function the same way. You can't easily buy a non-smart TV, and it's getting harder to even buy a washer and dryer that don't connect to Wi-Fi. The lesson then might just be awareness. As Harry Rose, magazine editor for Which?, said when the organization published its findings, quote, our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency, end quote. That's true. So before you take this upcoming Black Friday and Cyber Monday to make a big appliance or home device purchase, just know what these products and companies want from you. And be ready to say no if you're not comfortable with that.

Smart Rings: Health Data and Aggregate Sharing

There's an observation in computing called Moore's Law that states that the number of transistors in an integrated circuit doubles every two years. That means that a chip of a certain size developed in 1965, when Gordon Moore made this observation, would be able to contain twice its original processing power just two years later in 1967. And in 1969, that chip could hold twice the processing power of the 1967 chip. Faster computing, same size, on and on and on and on and on. And almost 60 years later, we've shrunk computers from the size of an entire room to fitting into a tower, to a laptop, to a phone, to a watch. And now, to rings.

Smart rings are an evolution in computing, and in fitness tracking in particular. Like a smart watch or a smart band, they can monitor your sleep, log your workouts, and send notifications that you should step away from a screen. They can also provide 24/7 monitoring of your heart rate, your steps, and more. Those statistics are the bread and butter of today's fitness trackers, and they're valuable for many customers who want insight and guidance into their health. But this month, those statistics became interesting for the public at large.

On November 6th, the smart ring company Oura revealed that its devices recorded an increase in stress, a decrease in rest, and elevated heart rates on the day of the U.S. presidential election. According to Oura, quote, on November 5th from 11am to 7pm Eastern Time, Oura members' daytime stress levels seemed to be higher than usual. We saw a 2.3% increase in stressed minutes, and notably, a 19.5% decrease in restorative time. At night, as the states started to be called for one candidate or another, we saw an increase in heart rate among Oura members. On average, heart rate was 2.8 beats per minute, or 3.7%, higher on election night than a comparable night.

In its blog, Oura clearly states that this aggregate data was de-identified. So no single person's stress levels or elevated heart rate is going to be exposed by analyzing and publishing the data. And that's good if a company is going to take user data and publish it as research. This should be the standard. And yet, if I were an Oura user, I'd still feel a little strange about it all. I do see some types of data, especially health data, as private enough to safeguard entirely from corporate collection and analysis, no matter if that analysis is interesting.

Dating Apps, Personal Data, and Trust

All of this reminds me of the impressive data science blog from, of all places, OkCupid. Beginning in 2009, the online dating platform began publishing legitimately interesting analyses about modern dating habits by pulling information from its growing user base. That resulted in robust articles with these actual headlines some 15 years ago: "The big lies people tell in online dating," "Optimum message length," and "Exactly what to say in a first message."

Again, I have to stress that these pieces of writing are interesting. The rules that OkCupid came up with for exactly what to say in a first message are based on an analysis of how often users would ignore or reply to certain words and word strings contained in opening messages on the platform. What OkCupid found, by the way, for starters, is: be literate. That means no misspelling of words in your opening messages, even if you think it's cute. And you have to understand, 2009 was a very difficult time for millennials. We would type "love" as "luv," we would type "your" as "ur," and we'd even spell "what" without the h, as in "wat." You should also, OkCupid says, avoid physical compliments in your opening messages. No "sexy," no "beautiful," no "hot," no "cutie." Yes, "cool." Yes, "fascinating." Yes, "awesome." And you should also use an unusual greeting, such as, and I am doubting the data as I look at it right now, "howdy." I suppose Toy Story 3 did come out in 2010, so there may be some validity to what I can only assume was Woody roleplay. And look, okay, you can hear it right now. I am having fun with this. I like this. I do find this information and this data to be fascinating. But the things I like are not necessarily the things that are right.

Going through people's messages, as OkCupid's analysis did in 2009, is not okay. To me, it doesn't matter how many controls were placed, and there were many controls. As OkCupid wrote at the time, quote, though this post talks in detail about the content of people's messages on OkCupid, all messages have been anonymized, with sender and recipient data and all IP and timestamp information stripped out. In addition, our analysis program looked at messages only two or three words at a time, to track the success of certain words or phrases, like "what's up" versus "wats up." The program then aggregated results by phrase before presenting the data. No one at OkCupid read any actual user messages to compile this post, end quote.

OkCupid has since stopped this type of data analysis, from what I can see. Instead, the company leans more heavily on surveys that users voluntarily fill out about a hodgepodge of topics. It's how we learned in 2022 that 74% of OkCupid daters said they were not excited about the metaverse and will stay in reality, and also that 83% of more than 45,000 OkCupid users, quote, believe they have the power to manifest love, end quote. That's nice. This type of data science is fine. It captures sentiments that people have in clear interactions with the company or app itself.

What bothers me about the earliest OkCupid data science is that even if humans did not read complete messages, the project still analyzed what humans said to one another. We talk a lot on this show about the value of something called end-to-end encryption. It's the technology that ensures that your messages can only be read by you and the people you're talking to. End-to-end encryption means WhatsApp and Signal and Apple, through its Messages app, cannot read what you type. It isn't an honor system, which is impossible to trust. It is a technological impossibility.

Oura, the smart ring company, did not expose conversations. That's not possible. But in the same way that I am private about what I say, I am also private about what I feel. My stress levels, my heart rate, my bad night of sleep, that's for me. That data isn't a conversation I have with another person. It is a conversation that my body is having with itself. And yes, I can opt out of data collection through Oura's web portal, and I respect that. Again, the right controls are available for consumers here. I think my bigger issue is that we're forced to need these controls because the environment at large is set up so much against us. I wish that the bargain I made with most companies today was that I gave them money and they gave me a product. But instead, I have to manage every relationship I have so that I can stop some manufacturer from not only getting my money, but also getting my life's data for free.

Robot Vacuums: Leaked Images and AI Training

Our last story takes place four years ago. In 2020, a photo of a woman sitting on a toilet, her shorts pulled halfway down her thighs, was shared on Facebook. And it was shared by someone whose job it was to look at those photos and, by labeling the objects in the photos, help train an artificial intelligence system for a vacuum. The events in that sentence don't sound plausible, and yet, as investigative journalist Eileen Guo would find out, this wasn't the only time that it happened.

In 2022, in writing for the MIT Technology Review, Guo uncovered 15 shared images that had all been captured by test versions of Roombas, the self-automated robot vacuums that can be scheduled to clean and hoover up around a home without the assistance of a human. Roombas have to be able to see obstacles in their path so that they can function. But as Guo told us when we spoke to her in 2023, the cameras don't hold any magic to them. The cameras are trained by people who look at images from the camera feeds and label those images, tagging a couch as a couch, or a table as a table, a bed as a bed. This human work is required for these AI systems to become operational, Guo said. I don't know, let's just say 500 couches that we've already seen before. It's basing that on something. And so we're basically talking about that baseline. These data labelers are helping to create the baseline that then allows the algorithms to recognize the patterns.

But Guo found that how that data labeling work, that human work, was done had some security gaps. The people doing the labeling and tagging of Roomba images were not employees of the company that makes Roombas, iRobot. Instead, they were a collection of pretty much gig workers from around the world. And one group of gig workers, who were based in Venezuela, had used Facebook and Discord to upload and share images with one another so that they could get help with any tagging inconsistencies. That might sound silly, but knowing what a piece of furniture looks like in another country through a small camera isn't always simple. It did violate the gig workers' non-disclosure agreements as part of their contracts. They weren't doing this nefariously. They were doing it because in some cases it was really unclear what it was that they were looking at.

So in the images that we have, and I think we cut out a lot of these details in the published images, you know, it was a screenshot of the Facebook post itself. And I remember one where someone was saying, what is this object? And other people were commenting, that's a bed, or no, that's not a bed because it looks more like a living room, so it's probably a couch. So, you know, it's the exact type of things that the robot vacuums, not that they're sentient or anything, of course, but their algorithms are trying to figure this out as well. They're hard tasks. It's really unclear, especially when you are someone in Venezuela where furniture might look a certain way and you have to figure out what this is from a home in Japan or Germany or the United States.

It's important to note here that iRobot asserts that no Roomba customers were affected in this event. And that's because the Roombas that recorded the footage were specifically test models that had only been sent to beta testers or to employees. If you bought a Roomba, you were not impacted, iRobot said. And that is good. But this story reveals the expansive and global reach that our own data has today. AI training machinery, it worked as intended for the most part. Test Roombas would be sent out. They would collect footage, and that footage would be shared to third-party contractors in countries that didn't need to have any relation to where the test Roombas themselves were located. Those contractors would review and label images as a way to improve the Roombas, and while they messed up, and yes, they did, they didn't do so with any malicious intent. This wasn't a hack. This wasn't an insider threat. This wasn't a whistleblower. This was the path that our data can and does take every day, put into human hands and left to human failures. Or, as Guo summarized, what this story is ultimately about is that conversations about privacy protection and what that actually means are so lopsided because we just don't know what it is that we're consenting to. And so these images, they really reveal this whole data supply chain or data lifecycle and these new points where personal information can leak out that consumers aren't even aware of.

That's our show. We'll talk to you again in two weeks. Until then, stay tuned and stay safe. And remember, you can read all our cybersecurity coverage on Malwarebytes Labs at malwarebytes.com/blog.

Finally, our intro music is by Kevin MacLeod from incompetech.com and our outro music is by Wowa from unminus.com. Today's show has been edited by our podcast consultant, Eric Johnson at lightningpod.fm. Thank you folks.

This transcript was generated by Metacast using AI and may contain inaccuracies.