Worst Products at CES for Security and Privacy

LAS VEGAS – American buyers, regulators, and businesses face a problem: tech products often come to market with huge security and privacy flaws.

At the same time, CES, a huge annual consumer electronics show in Las Vegas, brings a flood of new gadgets. It could throw gas on the fire, privacy and security experts say.

“I think there’s a chronic problem with consumer electronics that it doesn’t give people the full picture they need to assess whether they want to use these tools,” said Cindy Cohn, executive director of privacy organization Electronic Frontier Foundation.

Last week, the CES exhibit floor was teeming with thousands of companies offering health wearables, smart TVs, autonomous vehicles, and other gadgets that rely on data from our bodies or homes. Many present themselves as the next big thing—but almost none directly address how they handle customer data once it’s collected, or how they handle security.

“CES seems to have no theme this year other than throwing everything at the wall and seeing what sticks,” Kyle Wiens said on a YouTube live stream. Wiens is the CEO of iFixit, which advocates for consumers’ right to have their devices repaired. “If that happens, there will be negative externalities for our society.”

Cohn and representatives from iFixit, Consumer Reports and other consumer groups compiled a CES “worst in show” list calling out which products could have the greatest negative impacts on privacy, consumer choice and the environment. These included some of this year’s breakthrough favorites, like connected healthcare company Withings’ U-Scan urine sensor, which analyzes urine hormone levels and is gearing up for US launch. After the Supreme Court overturned abortion rights in June and some states banned abortion, hormonal changes could become criminal evidence. Withings said it retains this data indefinitely and, if subpoenaed by law enforcement, would “comply with all legal requirements in the territories in which it operates.” It said it doesn’t otherwise share data with third parties.

Media tends not to ask hard questions about security at CES, and companies tend not to volunteer the information, Cohn noted.

“Literally only one company was mentioned at all [privacy or safety], and ironically, it was a sexting app,” Leanna Miller said on the show floor. Miller said she works for a small company that makes reusable writing tablets and came to CES to see all the new products. The company she pointed to was Blyynd, an adult network that claims to use encryption to promote safe sexting.

With few exceptions, tech companies address security when problems arise, rather than taking more time to test products and build in secure features, said Jen Easterly, director of the Cybersecurity and Infrastructure Security Agency (CISA), in a side interview at CES.

These companies’ incentives are “really focused on cost, capability, performance, and speed to market rather than basic security,” she said.

Easterly’s CES address, along with CrowdStrike CEO George Kurtz, focused on the rapidly escalating costs and dangers of cybercrime, which often stems from hastily shipped products, they said. It was the first time a cybersecurity official of Easterly’s rank spoke at the show.

“If we think about the world we live in, we can’t accept that in ten years [cyber risks] will be the same or worse,” she said during the call.

That may depend on consumers demanding safer products or the government regulating software, although Easterly noted that she doesn’t support “onerous” regulation. Regulation could take the form of stricter data protection regulations or clearer communication to consumers about a product’s risks. The White House has backed the idea of a nutrition label-style “software bill of materials” that tells shoppers what software components a product contains.

Just last week, for example, the European Union fined Meta $414 million for burying information about its targeted advertising business in its Terms of Service instead of obtaining meaningful consent from its users and giving them the ability to opt out. Meta has announced that it will appeal the verdict and the fines. Risky technologies such as facial recognition are also under scrutiny in the EU.

Meanwhile, at CES, companies touting facial recognition technology are splashed across the show floor. Miko, a Disney-backed robot that claims to keep kids busy, is equipped with facial recognition and uses its camera to analyze children’s moods and map elements of your home, according to its website. The CEO said all facial recognition data will be stored on the device and not in the cloud.

Then there are the camera-enabled smart home devices – like the autonomous Landroid Vision mower that navigates itself through your garden. The manufacturer, WORX, said that any images the mower captures are anonymized and any faces or house numbers are de-identified before the images are sent to the company’s cloud storage. The privacy policy leaves room to share data for advertising purposes.

Businesses might choose to make useful, private, repairable products, iFixit’s Wiens said during the Worst in Show announcement, but what’s the true purpose of a $200 travel mug with location-sharing capabilities and an irreplaceable battery?

“We already have thermos flasks,” he said. “They are phenomenally successful. They have been around for a very long time.”

Jamie Kaplan, vice president of communications at CES producer Consumer Technology Association (CTA), said the show encouraged innovation, entrepreneurship and economic growth. This year, CTA hosted 3,200 exhibitors.

“CES requires exhibits to comply with US laws that encourage innovation and focus on curbing bad behavior rather than banning new and innovative products,” she said in a statement.