Google Home Mini Complaint

  • Consumer Groups Ask Safety Commission to Recall Google Home: EPIC and a coalition of leading consumer groups have asked the Consumer Product Safety Commission to recall the Google Home Mini "smart speaker." The touchpad on the Google device is permanently set to "on" so that it records all conversations without a consumer's knowledge or consent. The consumer groups said that "as new risks to consumers arise in consumer products, it is the responsibility of the Consumer Product Safety Commission to respond." The groups also urged the Safety Commission to enforce the Duty to Report to CPSC against manufacturers of "IoT" devices. Last year, a coalition of consumer groups pursued a complaint about My Friend Cayla, an Internet connected toy that recorded the private conversations of young children. The Cayla complaint spurred a Congressional investigation and toy stores across Europe removed the doll from their shelves. (Oct. 13, 2017)
  • EPIC Urges Safety Commission to Regulate Privacy and Security of IoT Device » (Jun. 15, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission, urging the agency to regulate the privacy and security of Internet of Things devices. EPIC advised the Commission to require IoT manufacturers to (1) minimize data collection, (2) conduct privacy impact assessments, and (3) implement Privacy Enhancing Techniques (“PETs”). EPIC recently told Congress that “CPSC should establish mandatory privacy and security standards, and require certification to these standards before IoT devices are allowed into the market stream.” EPIC has also called out the CPSC for its reluctance to address the privacy and security challenges of IoT. In the statement to Congress, EPIC described the increasing risks to American consumers.
  • EPIC to Senate Commerce: Work with NTIA to Update U.S. Privacy Laws » (Jun. 12, 2018)
    EPIC sent a statement to the Senate Commerce Committee in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC urged Congress and the NTIA to work together to update U.S. privacy laws and establish a data protection agency. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • Amazon Echo Secretly Recorded And Disclosed User's Private Conversation » (May. 24, 2018)
    "Alexa" secretly recorded the private conversation of a Portland woman and sent it to one of her contacts, according to a news report. The Federal Wiretap Act makes it a crime to intentionally intercept a private communication. In 2015, EPIC urged the Federal Trade Commission and the Department of Justice to investigate whether "always on" smart home devices violated federal wiretap law. EPIC recently warned the Consumer Product Safety Commission that the Google Home Mini continuously records users' private conversations because of a product defect. And EPIC recently testified before the CPSC on the need to regulate privacy and security hazards posed by Internet of Things devices.
  • EPIC Urges Congress to Regulate the Internet of Things » (May. 22, 2018)
    In advance of a hearing on the Internet of Things (IoT), EPIC wrote to Congress on the need for privacy and security regulations for IoT consumer products. EPIC explained that regulation is necessary "because neither the manufacturers nor the owners of those devices have incentive to fix weak security." EPIC has called upon the Consumer Product Safety Commission to regulate IoT products, saying that the privacy and security of IoT devices, such as Internet-connected door locks and thermostats, are critical concerns for American consumers. Last week, EPIC testified before the Safety Commission on IoT hazards and promoted baseline standards to protect consumer safety. EPIC previously testified before Congress on the "Internet of Cars."
  • EPIC Testifies Before Safety Commission on IoT Privacy Hazards » (May. 17, 2018)
    EPIC testified before the Consumer Product Safety Commission at the hearing on "The Internet of Things and Consumer Product Hazards." EPIC International Law Counsel Sunny Kang urged the Commission to focus on privacy and security. EPIC's Kang told the Commission that "IoT is the weakest link to privacy and security vulnerabilities in consumer products." EPIC recommended baseline rules for IoT device manufacturers adopted by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to recall the Google Home Mini device which was designed to always record conversations.
  • Safety Groups Urge Congress to Regulate "Autonomous Vehicles" » (May. 6, 2018)
    A coalition of consumer safety groups wrote to senators asking them to delay passing the AV START Act (S. 1885) until the National Transportation Safety Board finished its investigation of two recent crashes involving autonomous vehicles. The groups said: "we are very concerned that provisions in the bill put others sharing the road with AVs at unnecessary and unacceptable risk." EPIC has called for national safety standards for connected cars in comments to NHTSA. In a recent amicus brief to the Supreme Court, EPIC also underscored the privacy risks of rental cars, which collect vast troves of personal data.
  • EPIC Advises Safety Commission on Dangers of IoT » (May. 2, 2018)
    EPIC submitted comments to the Consumer Product Safety Commission for an upcoming hearing on "The Internet of Things and Consumer Product Hazards." EPIC urged the Commission to focus on privacy and security issues, which the Commission claims are outside its scope. EPIC told the Consumer Product Safety Commission that "Holding a hearing in the year 2018 to discuss IoT without addressing privacy and security is akin to holding a hearing in the last century about kitchen appliances without addressing the risk that a toaster might catch fire because of bad wiring." EPIC recommended that the Commission implement thirteen rules for manufacturers of IoT devices that were laid out by the UK government in a recent report on privacy and security for IoT devices. EPIC and a coalition of consumer groups previously urged the Commission to order the recall of the Google Home Mini "smart speaker" and received a response saying that it does not pursue privacy or data security issues.
  • Safety Commission Responds to EPIC's Google Home Mini Complaint » (Apr. 2, 2018)
    The Consumer Product Safety Commission responded to a complaint from EPIC and a coalition of consumer groups, urging the Commission to order the recall of the Google Home Mini "smart speaker." The touchpad on the device was permanently set to "on" so that Google recorded all conversations without a consumer's knowledge or consent. The groups wrote "this is a classic manufacturing defect that places consumers at risk. The defect in Google Home Mini is well within the purview of the Consumer Product Safety Commission." In the response, the Commission claimed that it monitors the hazards of IoT but said that it does not pursue privacy or data security issues. IoT devices are frequently the target of botnet attacks. According to Hacker News, "the DDoS threat landscape is skyrocketing" and the UK National Cyber Security Centre's report has called for comprehensive safeguards for IoT devices. EPIC Senior Counsel Alan Butler has written about products liability for IoT manufacturers.
  • EPIC to Congress: Examine "Connected Devices," Safeguard Consumer Privacy » (Mar. 6, 2018)
    EPIC sent a statement to a House Committee on Energy and Commerce in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing both data breaches and "always on" devices that record users' private conversations. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Warns Congress of Risks of "Internet of Things" » (Jan. 18, 2018)
    In advance of a hearing on Internet of Things, EPIC urged Congress to consider the privacy and safety risks of internet-connected devices. EPIC told Congress that the Internet of Things "poses risks to physical security and personal property" because data "flows over networks that are not always secure, leaving consumers vulnerable to malicious hackers." EPIC said that Congress should protect consumers. EPIC is a leader in the field of the Internet of Things and consumer protection. EPIC has advocated for strong standards to safeguard American consumers and testified before Congress on the "Internet of Cars."
  • EPIC, Coalition Urge Action on Toys that Spy » (Dec. 19, 2017)
    EPIC and a coalition of consumer privacy groups have asked the Federal Trade Commission to crack down on companies that sell internet-connected toys and smartwatches. The statement highlights an FTC complaint, filed more than a year ago, concerning My Friend Cayla and I-Que Intelligent Robot, toys that recorded and analyzed children's conversations. Many retailers worldwide have pulled these toys from their shelves, but the FTC has yet to take action on the complaint. "Connected toys raise serious privacy concerns," said EPIC President Marc Rotenberg. "Kids should play with their toys and their friends, and not with surveillance devices dressed as dolls." EPIC has backed many efforts to limit the risks of internet-connected toys. Recently, EPIC joined consumer groups in asking Mattel to cancel plans to sell Aristotle, an "always on" device that records the private conversations of young children. EPIC also supported a coalition letter asking the FTC to investigate smartwatches that track the location of children. The Norwegian Consumer Council has uncovered similar problems with Cayla and i-Que, and recently released a report on toys that track children.
  • Mattel Cancels "Aristotle," an Internet Device that Targeted Children » (Oct. 5, 2017)
    Mattel will scrap its plans to sell Aristotle, an Amazon Echo-type device that collects and stores data from young children. The Campaign for a Commercial-Free Childhood sent a letter and 15,000 petition signatures to the toymaker, warning of privacy and childhood development concerns. CFCC said that "young children shouldn't be encouraged to form bonds and friendships with data-collecting devices." Senator Markey (D-MA) and Representative Barton (R-TX) also chimed in, demanding to know how Mattel would protect families' privacy. EPIC backed the CFCC campaign and urged the FTC in 2015 to regulate "always-on" Internet devices. A pending EPIC complaint at the FTC concerns the secret scoring of young athletes.
  • Pew Survey Explores the Future of Online Trust » (Aug. 14, 2017)
    The Pew Research Center has released a report of its survey of experts on "The Fate of Online Trust in the Next Decade." Although nearly half (48%) of the over 1,000 respondents said that they expected trust to increase, 24% predicted that trust would decrease. "Technology is far outpacing security, privacy and reliability," said EPIC President Marc Rotenberg in the survey. "The problem will intensify with the Internet of Things, as the internet connects more machines in the physical world." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • Senators Introduce Legislation to Strengthen Cybersecurity for Internet of Things » (Aug. 1, 2017)
    A bipartisan group of Senators, including Senators Mark R. Warner (D-VA), Cory Gardner (R-CO), Ron Wyden (D-WA) and Steve Daines (R-MT), have introduced legislation to improve security of Internet-connected devices. The Internet of Things (IoT) Cybersecurity Improvement Act of 2017 would require "Internet of Things" devices purchased by the U.S. government to meet minimum security standards. IoT device manufacturers who sell products to the federal government must commit that their IoT devices: (1) are patchable; (2) do not contain known vulnerabilities; (3) rely on standard protocols; and (4) do not contain hard-coded passwords. "The proliferation of insecure Internet-connected devices presents an enormous security challenge," said EPIC Advisory Board member Bruce Schneier, "The risks are no longer solely about data; they affect flesh and steel." EPIC has been at the forefront of policy efforts to establish safeguards for IoT devices, connected cars, "smart homes," consumer products, and "always on" devices. A 2015 report from the Aspen Institute also explores "Policies for the Internet of Things."
  • EPIC Recommends National Safety Standard for "Self-Driving" Vehicles » (Jun. 28, 2017)
    In remarks today to a joint workshop of the FTC and NHTSA, EPIC President Marc Rotenberg called for the establishment of national safety standards prior to the deployment of "self-driving" vehicles on the nation's highways. "Given the current vulnerabilities of networked communications, self-driving vehicles are simply unsafe at any speed," said Mr. Rotenberg. EPIC has participated in numerous NHTSA rulemakings on auto safety, proposed stronger data protection standards for connected vehicles, and sided with consumers in a case concerning the risks of autonomous vehicles. In extensive comments for the FTC/NHTSA workshop, EPIC pointed to known vulnerabilities with Bluetooth communications, auto hacking, "level 3" control, malware and ransomware, auto repossession remote deactivation, and safety defects. EPIC urged the FTC and NHTSA to focus on "data protection, vehicle safety, consumer protection, and privacy." EPIC also said that the ability of states to develop safety standards must be maintained. EPIC warned that the failure to establish robust safety standards could be "catastrophic."
  • FTC Updates Guidance on Children's Privacy Law, Includes Connected Toys » (Jun. 27, 2017)
    The Federal Trade Commission has updated its guidance for businesses on complying with the Children's Online Privacy Protection Act. The new guidance clarifies that connected toys, Internet of Things devices, and other products intended for children must comply with the Act. "When companies surreptitiously collect and share children's information, the risk of harm is very real," FTC acting Chair Maureen Ohlhausen recently wrote. An EPIC-led coalition filed a complaint with the FTC in 2016 alleging that Internet-connected dolls violate U.S. privacy law. EPIC's complaint spurred a congressional investigation and toy stores across Europe have removed Cayla from their shelves. The FTC acknowledged EPIC's complaint but has yet to act on it.
  • EPIC Recommendations for Tech Week Meeting: Protect U.S. Consumers » (Jun. 20, 2017)
    In advance of a White House / OSTP meeting on "emerging technologies," EPIC has sent a statement to the Office of Science and Technology Policy. EPIC urged the Administration to focus on consumer protection and address the numerous privacy and security risks related to the "Internet of Broken Things." EPIC recommended Privacy Enhancing Technologies, data minimization, and security measures for Internet-connected devices. EPIC also urged the Administration to issue regulations on drone privacy as mandated by Congress and to establish minimum safety standards for connected cars. EPIC warned that "The unregulated collection of personal data and the growth of the Internet of Things has led to staggering increases in identity theft, security breaches, and financial fraud in the United States."
  • EPIC Urges House Committee to Back Consumer Safeguards for Internet of Things » (Jun. 13, 2017)
    EPIC has sent a statement to the House Energy and Commerce Committee in advance of a hearing on "IOT Opportunities and Challenges." EPIC raised the "significant privacy and security risks" of the Internet of Things. A recent report from the Pew Research Center on the Internet of Things underscores the need to develop new safeguards for what some call "The Internet of Broken Things." EPIC has been at the forefront of policy efforts to establish safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC to Congress: Data Protection Needed for Financial Technologies » (Jun. 9, 2017)
    EPIC submitted a statement on the risks of new financial services to a House Committee hearing on financial technologies. Companies now use social media data and secret algorithms to make determinations about consumers. They are also reaching out, through the "Internet of Things," to control consumers. EPIC recently filed a complaint with the CFPB about "starter interrupt devices," deployed by auto lenders to remotely disable cars when individuals are late on their payments.
  • Pew Survey Explores Internet of Things » (Jun. 6, 2017)
    The Pew Research Center has released a report surveying experts about the security implications of the Internet of Things. The survey found a broad consensus that growth in the IoT will bring with it an increased risk of real-world physical harm. "The essential problem is that it will be impractical for people to disconnect," said EPIC President Marc Rotenberg in the survey. "Cars and homes will become increasingly dependent on internet connectivity. The likely consequence will be more catastrophic events." The ACM recently released a Statement of IoT Privacy and Security, which lists principles for protecting privacy and security in IoT devices. EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Recommends Privacy Safeguards for Vehicle Networks » (Apr. 14, 2017)
    In comments to the National Highway Traffic Safety Administration, EPIC recommended stronger privacy protections for vehicle-to-vehicle communications. EPIC urged the agency to allow consumers to turn off pre-installed V2V communications and to require automobile manufacturers to be transparent about the collection of personal data. EPIC also urged the agency to establish basic cybersecurity safeguards, require encryption for all vehicle networks, and ensure data minimization techniques. EPIC has previously submitted comments to NHTSA on connected cars and has submitted several statements to Congress.
  • EPIC Seeks Information on Sessions-Jourova Encryption Discussion » (Apr. 3, 2017)
    EPIC has filed an urgent Freedom of Information Act request for documents concerning a recent meeting between Attorney General Jeff Sessions and EU Commissioner Věra Jourová. The two reportedly discussed "a proposal [on] how to 'solve this problem'" of encryption. EPIC said in the FOIA request that "strong encryption is the cornerstone of the modern internet economy" and that encryption "is critical to preserving human rights and information security around the world." A proposal on encryption policy may be taken up at a June 2017 meeting between the United States and the European Union. EPIC has advocated for strong encryption since its founding and published the first comprehensive survey of encryption use around the world. In the FOIA request, EPIC also noted the growing risk to users of Internet-connected devices.
  • EPIC Urges Senate Commerce Committee to Back Algorithmic Transparency, Safeguards for Internet of Things » (Mar. 22, 2017)
    EPIC has sent a letter to the Senate Commerce Committee concerning "The Promises and Perils of Emerging Technologies for Cybersecurity." EPIC urged the Committee to support "Algorithmic Transparency," an essential strategy to make accountable automated decisions. EPIC also pointed out the "significant privacy and security risks" of the Internet of Things. EPIC has been at the forefront of policy work on the Internet of Things and Artificial Intelligence, opposing government use of "risk-based" profiling, and recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices.
  • EPIC Urges Congress to Examine "Connected Devices," Safeguard Consumer Privacy and Protect Public Safety » (Feb. 2, 2017)
    EPIC sent a letter to a House Subcommittee on Communications and Technology in advance of a hearing on the NTIA, a key technology policy agency. EPIC warned that "American consumers face unprecedented privacy and security threats," citing recent examples of hacks of devices, including home locks and cars, connected to the internet. EPIC said that Congress and the NTIA should establish protections that minimize the collection of personal data and promote security for Internet-connected devices. EPIC warned of growing risks to consumer safety and public safety. EPIC has testified before Congress, litigated cases, and filed complaints with the FTC regarding connected cars, "smart homes," consumer products, and "always on" devices.
  • Trump Order Threatens Consumer Protection, Public Safety » (Jan. 31, 2017)
    The President has issued an executive order requiring every new regulation to be offset by the repeal of at least two existing regulations. The Order could directly impact rules that safeguard consumers against data breach, financial fraud, and identity theft. EPIC has also recommended new public safety regulations concerning aerial drones, connected vehicles, and the Internet of Things. In EPIC v. FAA, EPIC is challenging the failure of the agency to protect the public from aerial surveillance.
  • Aspen Institute Report Explores Artificial Intelligence » (Jan. 30, 2017)
    The Aspen Institute released a report on the Artificial Intelligence workshop on connected cars, healthcare, and journalism. "Artificial Intelligence Comes of Age" explored issues at "the intersection of AI technologies, society, economy, ethics and regulation." The Aspen report notes that "malicious hacks are likely to be an ongoing risk of self-driving cars" and that "because self-driving cars will generate and store vast quantities of data about driving behavior, control over this data will become a major issue." The Aspen report discusses the tension between privacy and diagnostic benefits in healthcare AI and describes "some of the alarming possible uses of AI in news media." EPIC has promoted Algorithmic Transparency and has been at the forefront of vehicle privacy through testimony before Congress, amicus briefs, and comments to the NHTSA.
  • EPIC Urges Senate Committee to Safeguard Consumer Privacy in Internet of Things and Telemarketing Bills » (Jan. 24, 2017)
    EPIC sent a letter to the Senate Commerce Committee on Monday about privacy and security concerns in two pending bills. The DIGIT Act would "encourage the growth" of the Internet of Things and "help identify barriers to its advancement." The Spoofing Prevention Act would extend the laws prohibiting Caller ID spoofing to text messages, international calls, and Voice-over-IP calls. EPIC pointed out the "significant privacy and security risks" to American consumers of the Internet of Things. EPIC also argued for "a requirement that any automated calls reveal (1) the actual identity of the caller and (2) the purpose of the call." EPIC has been at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC also supports robust telephone privacy protections and recently advised Congress on modernizing telemarketing rules.
  • EPIC Urges Senate Committee to Press Transportation Nominee on Drones, Connected Cars » (Jan. 12, 2017)
    EPIC has sent a statement to the Senate Commerce Committee, highlighting two significant privacy issues: drones and autonomous vehicles. The Senate Committee met this week to consider the nomination of Elaine Chao for Secretary of Transportation. EPIC sued the FAA, an agency subject to the Committee's oversight, for its failure to establish drone privacy rules, as required by Congress. EPIC also testified last year before the Committee on the risks of connected cars. EPIC has recently submitted comments on federal automated vehicles policy and filed an amicus brief in federal appeals court on the risks to consumers of connected vehicles.
  • FTC Sues D-Link Over Poor Security in Internet Routers and Cameras » (Jan. 12, 2017)
    The Federal Trade Commission has filed a lawsuit against Internet of Things device maker D-Link. The complaint alleges that D-Link failed to use adequate security in its internet cameras and routers despite promises that the devices were "easy to secure" and used "advanced network security." The poor security practices alleged by the FTC include using easily-guessed default passwords, mishandling code-signing keys, and storing usernames and passwords in plaintext. EPIC has worked extensively on the risks of the Internet of Things, recommending safeguards for connected cars, "smart homes," and "always on" devices. In 2013, EPIC submitted comments to the FTC addressing the security and privacy risks of IoT devices.
  • Senate Explores Security of Ground Transportation, Witnesses Express Privacy Concerns » (Dec. 9, 2016)
    The Senate Commerce Committee examined security issues in road and railroad transportation. Witnesses expressed concerns about the cybersecurity of commercial trucking networks, customer data, and hacking of a truck's braking systems. Witnesses also proposed a credentialing system for access to port facilities. EPIC has submitted comments to NHTSA and testified before Congress on the safety and privacy risks of automated vehicles.
  • EPIC Recommends Privacy and Safety Standards for Autonomous Vehicles » (Nov. 23, 2016)
    In comments to the National Highway Traffic Safety Administration, EPIC has backed strong privacy and safety standards. Responding to the "Federal Automated Vehicles Policy," EPIC said self-regulation would not be enough to protect drivers in the United States. EPIC urged the safety agency to mandate the Consumer Privacy Bill of Rights, establish new oversight authority, and protect state privacy rules for autonomous vehicles. EPIC is on the front lines of vehicle privacy as well as efforts to regulate the "Internet of Things." EPIC also defends the right of states to develop strong privacy laws.
  • House Members Urge FTC to Examine Internet-of-Things » (Nov. 4, 2016)
    In the wake of October's massive distributed denial of service attack, two members of Congress have sent a letter to Federal Trade Commission Chairwoman Edith Ramirez urging the FTC to protect consumers from insecure Internet of Things devices. Rep. Frank Pallone, Jr. and Rep. Jan Schakowsky, senior members of the House Energy and Commerce Committee, wrote that the FTC should "immediately use all the tools at its disposal to ensure that manufacturers of IoT devices implement strong security measures." EPIC is at the forefront of policy work on the Internet of Things, recommending safeguards for connected cars, "smart homes," consumer products, and "always on" devices. EPIC recently urged the federal government to establish legal requirements to promote Privacy Enhancing Technologies, limit user tracking, minimize data collection, and "ensure security in both design and operation of Internet-connected devices."
  • EPIC Proposes Privacy, Security Protections for "Internet of Things" » (Jun. 4, 2016)
    EPIC has recommended new safeguards for the “Internet of Things.” EPIC proposed laws requiring companies to adopt Privacy Enhancing Technologies, promote data minimization, and ensure security for IoT devices. EPIC also recommended a prohibition on tracking, profiling, and monitoring of consumers using IoT services. As EPIC explained, “Protecting consumer privacy will become increasingly difficult as the Internet of Things becomes increasingly prevalent.” EPIC has worked extensively on the risks of the Internet of Things, including connected cars and “smart homes.” An EPIC complaint concerning “always on” devices, such as “smart TVs,” is pending at the Federal Trade Commission.
  • Senators Introduce Bill to Block Broad Remote Hacking Rules » (May. 19, 2016)
    Senators Wyden, Paul, Baldwin, Daines, and Tester have introduced the Stop Mass Hacking Act of 2016. The law would block amendments to Rule 41 of the Federal Rules of Criminal Procedure that were recently issued by the Supreme Court. The amendments authorized judges to issue "remote access" warrants to search computers even when the targets are outside the jurisdiction of the court. EPIC criticized the Rule 41 change in a statement last year. Unless Congress takes action to block the Rule 41 amendments by December 1, the government’s surveillance authority will be expanded significantly.
  • FTC Issues Warning on Cross-Device Tracking and Surveillance Apps » (Mar. 22, 2016)
    The Federal Trade Commission has issued warnings to 12 Android app developers that use audio beacons to track consumers across their devices and monitor TV viewing habits. The smartphone apps contain Silverpush software that constantly listens for inaudible signals emitted by TV commercials and secretly collects and transmits viewing data. The announcement appears to be a response to two earlier complaints filed by EPIC with the Commission. EPIC previously urged the FTC to limit "cross-device tracking" technology that links consumers' smartphone activity with what they see on their laptop or television. EPIC also urged the FTC and the Department of Justice to investigate "always-on" consumer devices for possible violations of the Wiretap Act, state privacy laws, or the FTC Act.
  • EPIC to Testify on Car Privacy and Data Security » (Nov. 17, 2015)
    EPIC Associate Director Khaliah Barnes will testify at a hearing on "The Internet of Cars" before the House Oversight and Government Reform on Wednesday, November 18, 2015. The hearing will address the safety and privacy issues confronting drivers in vehicles connected to the Internet. EPIC's prepared statement urges Congress to pass legislation establishing privacy and cybersecurity rules to protect driver data and prohibit malicious hacking of connected cars. EPIC states, "New vehicle technologies raise serious safety and privacy concerns that Congress needs to address." EPIC has previously examined the privacy and data security implications of the Internet of Things and the "Internet of Cars", and recommended strong safeguards for consumers.
  • New OECD Report Finds Increased Privacy Concern, Lagging National Policies » (Jul. 28, 2015)
    The OECD Digital Economy Outlook 2015 explores recent developments in the digital economy. The OECD report finds that Internet "users are increasingly concerned, 64% of respondents are more concerned about privacy than they were a year ago" even as few countries include online privacy in national digital strategies. The OECD also warns that the "Internet of Things" will lead to the rise of autonomous machines. Civil society groups are planning to report to the OECD at the 2016 Ministerial Meeting on the Digital Economy.
  • Senators Markey and Blumenthal Introduce Bill to Protect Drivers from Remote Hacking » (Jul. 21, 2015)
    Senators Edward Markey (D-MA) and Richard Blumenthal (D-CT) have introduced the "Security and Privacy in Your Car Act of 2015." The SPY Car Act would establish cybersecurity and privacy requirements for new passenger vehicles, and inform consumers about the risks of remote hacking. The SPY Car Act follows a report from Senator Markey, which "detailed major gaps in how auto companies are securing connected features in cars against hackers." The bill would also prohibit manufacturers from using consumer driver data for marketing purposes without consumer consent. EPIC has urged the Transportation Department to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
  • EPIC Urges Investigation of "Always On" Consumer Devices » (Jul. 9, 2015)
    EPIC has asked the Federal Trade Commission and the Department of Justice to conduct a workshop on 'Always-On' Consumer Devices. EPIC described the increasing presence of internet-connected devices in consumers' homes, such as TVs, toys, and thermostats, that routinely record and store private communications. EPIC urged the agencies to conduct a comprehensive investigation to determine whether "always on" devices violate the Wiretap Act, state privacy laws, or the FTC Act. Earlier this year, EPIC filed a formal complaint with the FTC concerning Samsung TV, arguing that the recording of private communications in the home is an unfair and deceptive trade practice.
  • Campaign for a Commercial-Free Childhood Protests Eavesdropping Barbie » (Apr. 2, 2015)
    The Campaign for a Commercial-Free Childhood has launched a campaign and petition to protest Mattel's "Hello Barbie." The toy is a WiFi-connected doll with a built-in microphone. Hello Barbie records and transmits children's conversations to Mattel, where they are analyzed to determine "all the child's likes and dislikes." The advocacy group explained that Hello Barbie is "a significant violation of children's privacy...Kids using 'Hello Barbie' won't only be talking to a doll, they'll be talking directly to a toy conglomerate whose only interest in them is financial." EPIC has participated in numerous campaigns to safeguard children's privacy and recently filed a complaint with the FTC about Samsung's always on "SmartTV."
  • Senator Markey Report Warns of Risks with "Connected Cars" » (Feb. 10, 2015)
    A report from Senator Edward Markey (D-MA) finds lax privacy practices at leading auto manufacturers. The Senator said the safeguards in the auto industry for data collection are "inconsistent" and "haphazard." The investigation also revealed, "automobile manufacturers collect large amounts of data on driving history and vehicle performance." Senator Markey has called on the Department of Transportation and the Federal Trade Commission to issue rules to protect driver privacy and security. EPIC has urged the Department of Transportation to protect driver privacy. EPIC has written extensively on interconnected devices, including cars, known as the "Internet of Things" and has also said that "cars should not spy on drivers."
  • FTC Chair Warns About Risks of Connected Devices » (Jan. 7, 2015)
    In a speech at the CES conference this week, FTC Chair Edith Ramirez warned of the privacy risks of connected home devices. "In the not-too-distant future, many, if not most, aspects of our everyday lives will be digitally observed and stored," Ramirez said. EPIC has written extensively on interconnected devices, known as the "Internet of Things." In comments to the FTC, EPIC described several risks, including the hidden collection of sensitive data. EPIC recommended that companies adopt Privacy Enhancing Techniques that minimize or eliminate the collection of personally identifiable information. For more information, see EPIC: FTC and EPIC: Big Data.
  • EPIC Urges Department of Transportation to Protect Driver Privacy » (Oct. 21, 2014)
    EPIC has submitted detailed comments to the National Highway Traffic Safety Administration, urging the agency to protect driver privacy for "vehicle-to-vehicle" (V2V) technology. The technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." NHTSA is in the initial stages of mandating vehicle-to-vehicle technology. EPIC's comments pointed to several privacy and security risks with V2V techniques. EPIC urged NHTSA to "complete a more detailed privacy and security assessment of V2V communications" and to: "(1) not collect PII without the express, written authorization of the vehicle owner; (2) ensure that no data will be stored either locally or remotely; (3) require end-to-end encryption of V2V communications; (4) require end-to-end anonymity; and (5) require auto manufacturers to adhere to the Consumer Privacy Bill of Rights." Last year EPIC, joined by a coalition of consumer privacy organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Internet of Things.
  • Data Protection Commissioners Urge Limits on "Big Data" » (Oct. 17, 2014)
    The International Data Protection Commissioners have adopted a resolution on Big Data. The resolution endorses several privacy safeguards, including purpose specification, data minimization, individual data access, anonymization, and meaningful consent when personal data is used for big data analysis. The data protection commissioners also passed a resolution supporting the UN High Commissioner's report on Privacy in the Digital Age and the Mauritius Declaration on the Internet of Things. Earlier this year, EPIC joined by 24 organizations petitioned the White House to accept public comments on its review of Big Data and the Future of Privacy. EPIC also submitted extensive comments detailing the privacy risks of big data and calling for the swift enactment of the Consumer Privacy Bill of Rights and the end of opaque algorithmic profiling. For more information, see EPIC: Big Data and EPIC: Internet of Things.
  • Department of Transportation Seeks Public Comment on Connected Cars » (Aug. 21, 2014)
    The National Highway Traffic Safety Administration, at the Department of Transportation, is soliciting public comments on the privacy and security implications of connected "vehicle-to-vehicle" technology. According to the agency, the technology transmits data between vehicles to "facilitate warnings to drivers concerning impending crashes." The agency plans to mandate vehicle-to-vehicle technology. NHTSA is also soliciting comments on a connected car research report. Comments on both are due October 20, 2014. Last year EPIC, joined by a coalition of privacy and consumer rights organizations and members of the public, urged NHTSA to protect driver privacy and establish privacy safeguards for car "black boxes." For more information, see EPIC: Event Data Recorders and EPIC: Comments on the Privacy and Security Implications of the Internet of Things.
  • Senator Schumer Calls On Regulators to Make Fitness Data Private » (Aug. 14, 2014)
    Senator Charles Schumer has denounced the data collection practices of "activity trackers" such as FitBit. "Activity trackers" are mobile devices that record highly personal information about the wearer and constantly analyze the wearer's activities, including their diet, exercise, sleep, and even sexual habits. However, it is not clear whether federal privacy law protects this personal data from disclosure to third parties. EPIC has commented extensively on the privacy protections that are necessary in the "internet of things." EPIC has frequently pointed out the potential for misuse when companies collect data about sensitive consumer behavior. EPIC has made several recommendations to improve the privacy protections on devices such as "activity trackers," including requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to be tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: FTC and EPIC: Practical Privacy Tools.
  • EPIC Submits Comments on the "Internet of Things" » (Jun. 3, 2013)
    EPIC has submitted comments to the Federal Trade Commission in advance of a workshop on the Internet of Things. The "Internet of Things" refers to the growing capacity of devices to communicate via the Internet. EPIC’s comments listed several privacy and security risks posed by the Internet of Things, such as the collection of data about sensitive behavior patterns and an increase in the power imbalance between consumers and service providers. EPIC then made several recommendations, such as requiring companies to adopt Privacy Enhancing Techniques, respect a consumer’s choice not to be tracked, profiled, or monitored, minimize data collection, and ensure transparency in both design and operation of Internet-connected devices. For more information, see EPIC: Federal Trade Commission.

Background

Google Home Mini

Google Home Mini is a "smart speaker" that listens to you and responds to your every command. The device is supposed to be activated when you say the wake words "OK Google" or press the touchpad on top of the device. But a defect in the touchpad caused many of the Home Minis to be permanently set to "on," recording everything its users said, 24/7.

Google first introduced its Home Mini to reporters at an event in San Francisco two weeks before it planned to make the product available on the market. Tech blogger Artem Russakovskii of Android Police discovered a defect in the Home Mini that caused it to turn on automatically and record everything he said. After checking his Google Activity Portal, Russakovskii further discovered that Google was storing all of his conversations on its servers. Google blamed the defect on a faulty touchpad that activated the device without being touched. Google issued a software patch for Home Mini that permanently disabled the touchpad. A Google spokesperson said, "We learned of an issue impacting a small number of Google Home Mini devices that could cause the touch mechanism to behave incorrectly," adding, "we have made the decision to permanently remove all top touch functionality."

This is not the first time that Google has been caught engaging in electronic eavesdropping. It was widely reported that Google was scanning the contents of Gmail users' emails. In 2016, EPIC filed an amicus brief in the Massachusetts Supreme Court contending that this practice violated Federal Wiretap laws. Google finally announced that it would end this practice on June 23, 2017. Google was also scanning student emails on its Apps for Education system up until 2014, and EPIC sued the Department of Education in 2011 over its regulation that weakened student privacy protections. EPIC first warned the public about Google's e-mail scanning practices back in 2005, and filed a complaint with the FTC in 2009 over the privacy risks of Google's insecure cloud computing services, including Gmail.

In 2015, reports revealed that the Google Chrome browser contained code that enabled it to capture its users' conversations through their computer's microphone. The browser was designed to support a voice-to-text search function that would be activated when the user said the words "OK Google." But according to Rick Falkvinge, the founder of Sweden's Pirate party, the code automatically turned the microphone on and was "actively listening to your room." The OK Google search function was also installed on Android phones.

Google has also raised serious privacy concerns with its wearable computer, Google Glass. This device can surreptitiously record and identify anyone on the street. If someone is identified using Google Glass's facial recognition technology, the user can instantly see that person's social media profiles, pictures, and Google search results. The information Google Glass records is then sent to Google's servers and stored in the cloud, raising further privacy and security risks.

"Always On" Devices

Google Home Mini is just the latest "always on" device that raises serious privacy concerns. In 2015, EPIC asked the Federal Trade Commission and the Department of Justice to investigate "always on" devices that record and store users' private conversations, possibly in violation of federal wiretap laws. EPIC specifically warned the FTC and DOJ about devices similar to Google Home Mini, such as Amazon Echo, Siri, and Alexa. The Electronic Communications Privacy Act, also known as the "Wiretap Act," broadly prohibits electronic eavesdropping by private individuals or companies, but it has rarely been applied to home devices that record private conversations. EPIC also recommended that the FTC and DOJ conduct workshops to educate consumers about the risks of this new form of technology.

EPIC filed a complaint with the FTC in 2015 regarding Samsung's SmartTV that recorded consumers' private conversations and transmitted them to a third party. The TV was equipped with "always on" voice-recognition technology to enable voice commands. But as EPIC's complaint alleged, Samsung misrepresented to consumers that it encrypted voice recordings before sending them to a third party.

EPIC has devoted significant efforts to addressing the broad privacy and security risks posed by the "Internet of Things." In a 2014 Pew Research Report on the "IoT," EPIC President Marc Rotenberg explained that the underlying problem with the IoT is that "users are just another category of things," and, "[b]y 2025, the more interesting question will be how the Internet is interacting with people, not how people are interacting with the Internet." Frank Pasquale, law professor and EPIC advisory board member, warned that the expansion of the IoT will result in a world that is more "prison-like" with a "small class of 'watchers' and a much larger class of the experimented upon, the watched."

EPIC's Letter To The CPSC

On October 13, 2017, EPIC and a coalition of consumer privacy groups sent a letter to Chairwoman Ann Marie Buerkle of the Consumer Product Safety Commission, asking her to recall Google Home Mini. As the groups explained, "Google Home Mini … allowed Google to intercept and record private conversations in homes without the knowledge or consent of the consumer." The groups emphasized the need for the CPSC to act, stating, "[t]his is a classic manufacturing defect that places consumers at risk."

The groups stated in their letter that this product defect is well within the purview of the CPSC. They pointed out that CPSC is well aware of the risks from wireless devices because it had just recalled a wireless tank transmitter the previous week.

The groups also urged the CPSC to enforce its "Duty to Report" requirement against manufacturers of "IoT" devices. The CPSC has authority to require manufacturers to immediately report any "defective product that could create a substantial risk of injury to consumers." As the CPSC has itself stated, "Failure to fully and immediately report this information may lead to substantial civil or criminal penalties. CPSC staff's advice is 'when in doubt, report.'"

The coalition letter underscored the need for the CPSC to fill in the regulatory gaps, stating, "the Federal Trade Commission has simply failed to protect consumers against the risks of Internet-connected devices, routinely ignoring complaints brought by consumer organizations." In 2016, EPIC and a coalition of consumer groups submitted a complaint to the FTC urging it to investigate My Friend Cayla, a toy that spied on children. Although the toy was recalled in Europe, the FTC failed to act on the complaint. The FTC also declined to take action on EPIC's 2015 complaint regarding Samsung’s "SmartTV" that surreptitiously recorded its users.

The groups also called attention to the broader risks to consumers as home devices become increasingly connected to the internet. Cybersecurity experts have warned of an "Internet of Broken Things" that is vulnerable to cyber-attacks. "Poor insulation on the power cord of a toaster may lead to a fire in a particular home. But the exploitation of a vulnerability in a network of thermostats or door locks could be staggering." The groups' letter emphasized that "manufacturers-not consumers-must bear the responsibility to ensure the products that they offer for sale are safe for use by consumers." As EPIC Senior Counsel Alan Butler has written, "the proliferation of IoT devices could be the catalyst for a new field of 'connected devices' products liability law."
