Is your refrigerator spying on you?
If you have a TV that allows you to stream shows from online sites such as Netflix or Hulu; if you have a thermostat you can control with your phone; if you have a refrigerator that notifies you when it's time to buy milk; if you have a voice-activated digital assistant such as Alexa or Siri or Cortana, then you have a device that's connected to the internet, also known as a smart device.
The ecosystem of these smart devices is being called the "internet of things." And it's supposed to make life easier. If you can set your thermostat to kick on an hour before you come home, you'll save money on heat and be cozy as soon as you walk in.
But very little is known about which data these devices are collecting, and whether they stop when you're not using them.
So, are smart devices collecting data on us while they're supposed to be off? That's what Northeastern assistant professor David Choffnes and his colleagues are studying. And the answer, so far, appears to be yes.
There is an apartment on the sixth floor of the Interdisciplinary Science and Engineering Complex. Not just any old apartment, but a totally 21st-century apartment, packed with more than 80 smart devices. The list includes a smart microwave, rice-cooker, security system, lightbulbs, TV, and refrigerator, among other devices. The room is designed to mimic a regular home, albeit an extremely well-connected version of one.
Choffnes and his colleagues invite students to use the room however they'd like—to watch TV, heat up lunch, listen to music—and they collect the internet traffic streaming out of it.
"It's not enough to set up a bunch of devices on a table; we needed to create a place where people could interact with these devices the way they would in the real world," Choffnes said. "By looking at the internet traffic, we can answer: Are these devices doing what you would expect? Which servers are they contacting when they connect to the internet?"
Choffnes is working with Jingjing Ren, a doctoral candidate; and Daniel Dubois, a postdoctoral research associate, to collect the data. They started by collecting everything, in order to get a baseline understanding of "what's normal and what's not," Choffnes said.
The data being beamed across the internet by these devices is, for the most part, strictly encrypted. This means Choffnes and his team can't see exactly which information is being communicated, just where it goes and when it's sent.
"That's a good thing because it means your data is protected from would-be eavesdroppers," Choffnes said. "It's bad because it means we can't see what it is, either."
But what they can see has potentially alarming implications.
"What we've found so far is that most devices are doing some kind of activity when they're not being used," Choffnes said.
With the proliferation of smart devices, including in offices and other public spaces, Ren said, the findings could have consequences even for people who don't have them at home.
"You could be in an environment you don't control, with these devices, and you should know what you're getting into," she said.
It will take more testing and more collection until the researchers can tell where that information is being sent, and why it's being collected in the first place, but their focus is on privacy.
"We, as the users of these devices, ought to be more aware of what they're doing and when," Choffnes said. "You should know up-front the risks of these devices as you enter your home, and our goal is to find ways to protect users who don't want their information shared across devices."
As for the researchers themselves? Almost everything in Dubois' apartment is connected to the internet. Choffnes and Ren are a little more old school.
"These devices certainly have their usefulness," Choffnes said, regarding smart devices. "I'm just not sure they're for me."