
ET Don't Phone Home - jacquesm
https://jacquesmattheij.com/et-phone-home/
======
xt00
As much as I dislike using "standards" to solve problems -- I think if there
was something like the following it would do well:

1) create a standard that does all of the normal things you would want an IOT
device to do

2) turn it into a microservice that runs on standard platforms like
AWS/GCP/Azure

3) User buys the hardware, and then essentially pays monthly for the services
to the cloud services (potentially through some kind of wrapper service that
makes it easier for them to interact with)

So in the future, you would be able to have something like a vanilla version
of what Nest cameras, Wemo switches, and random leak sensors and whatever all
provide, but you are both the producer and consumer of the data with a cloud
service in the middle. Yes, of course the cloud people could spy on you. But
it's different when you don't have to sign some agreement when you "log in" to
set up your Nest sensor that says you agree to them selling your data.

~~~
ryandrake
Why does there even need to be a cloud service? Why does my lightbulb need a
cloud service? My thermostat? My security camera? If these so-called smart
devices really need some service running another computer (rather than the
computer on the device itself), why can’t it be my own computer on my LAN,
behind my “no uploading” firewall rules?

I had a dropcam for a while. Infuriating device. It records video, uploads it
to its cloud service, then when I want to watch the video, the player
downloads it back from that service _through my same internet connection!_
What kind of bonehead decided that was a good use of my bandwidth? Why can’t I
just connect locally directly to the device and stream video from it? It’s as
if someone said “well we have lots of cloud engineers here, so we obviously
need to write a cloud service!” without regard to whether it was needed. Or
more cynically, they said “We could make it stream video locally but then we
couldn’t offer a monthly cloud service for sweet recurring revenue.”

~~~
hos234
Think of it this way - Megacorps once upon a time realized they had a lot of
lavatories not really being used. So they decided to start renting them out.
That became a profitable business. Thanks to how Corporate Robots are
programmed, the moment a profitable business is spotted, the next move is to
Scale up.

They got a bit carried away thanks to Moore's law making lavatory building
cheap, especially if you buy a million at a time and so now we have town sized
constructs of just lavatories. And all those lavatories need infinite
quantities of piss and shit to justify their existence. Conduct hackathons.
Fund incubators. Hire the best and brightest and it's possible to get
populations to ramp up piss and shit generation. It then takes armies of sales
and marketing drones zigzagging the planet day and night incentivizing orgs
and people to ditch their own loos.

The stagnating transport industry (Big Telco) woke up when they noticed people
taking shuttles to Mega Loo Plaza and started competing with each other to
upgrade their own transport infra all over the world. A confluence of all
these factors takes us right back to where we started. A lavatory excess. But
don't worry the Corporate Robot class is on the case. The goal is to get
people to piss and shit 24x7 to utilize that excess (you will notice people
who produce a lot piss and shit are encouraged). And things seem to be going
well.

And of course you can use your own loo at home. They are very cheap these days.

------
walrus01
Over the past eight years as I've been following this whole category of "you
don't really control it" home electronics with cloud based services, the more
I agree with the twitter account Internet of Shit.

[https://twitter.com/internetofshit?lang=en](https://twitter.com/internetofshit?lang=en)

~~~
acqq
A site is there too:

[https://internetofshit.net/home](https://internetofshit.net/home)

------
kevsim
I had very high hopes for Silk Labs (founded by former Mozilla CTO Andreas
Gal) to produce a device to compete with Google Home and Alexa in a privacy
conscious way. Their claim to fame, I believe, was running all ML magic on
device instead of shipping audio off to the cloud. They were snatched up by
Apple a while back.

------
joveian
This is a great list. I would add six more:

* Requires a computer with <OS list> to function

* Requires that software be installed from <list of app stores>

* Device data format is documented

* Device software can be replaced with independently developed software, but might require NDA or other agreement with the company

* Device software can be replaced independent of the company, but might require NDA or other agreement with a third party (chip maker, etc.)

* Hardware is fully documented

~~~
jacquesm
Wow, that's a great addition, I will update the post. Never even thought about
these. Ok done. I merged two of your points and added yet another one.

~~~
rubidium
I think a couple of these stretch the credulity of being criteria of a “safe”
device, compared to your original list.

The hardware/software must be fully documented reads as “must be open source”.
There needs to be some incentive for quality vendors to get in the game, and
most (all?) of them want to take some measures to ensure no one steals their
design.

~~~
jacquesm
Open means auditable which should be safer, and also will help to keep the
device running if the service on the other side disappears.

After all there are trade-offs here, for instance one device might be open
source on the device but talking to a service vs a closed source device using
an open protocol.

My own main gripe with the idea is that people in general just don't seem to
care at all, it's just a few hardcore tech people that see where this is all
headed.

------
angry_octet
How about: Escrow: device software (firmware, operating system, application
and back end source code and binaries) are kept in escrow, and will be
released as public domain should the company cease to provide the service for
more than 3 months, or fail to release security patches for any remote
compromise in less than 6 months.

------
wethebestcoder
At the point when Google has heard your conversations, knows your
demographics, likes and dislikes, and can control your actions and thoughts
through search and news feed manipulation you cease to be an autonomous person
and become nothing but a neuron for Google.

~~~
a_imho
That's what Google likes to think they are capable of, but the 2016 election
says otherwise.

~~~
angry_octet
Why do you think Google didn't know the outcome?

~~~
Spivak
If Google could, or thought they could, predict the outcome of elections
better than the current batch of analysts there would be no reason to keep it
to themselves.

~~~
angry_octet
They would have every reason, not the least of which is a fear of further
regulation of their operations.

------
praptak
Manufacturers like to boast about true but trivial things like "no sugar
added". Maybe someone could pick up the idea of "privacy safe" logo to put on
packaging of toasters, microwave ovens and (a subset of) TV sets.

~~~
viraptor
This is true, but also makes me think of the slightly-misleading ones. I've
got a jar of malt rice syrup which is 80% sugar, with a large "no sugar added"
label. I wonder how the proposed labels could be abused.

~~~
Spivak
But that’s actually useful information. I don’t think I know anyone who
assumes that “no sugar added” means no sugar. I would consider apple sauce and
apple sauce with white sugar to be very different even if you cooked them so
they had the same total sugar content.

------
tyingq
Mozilla IoT seems to have the right idea.
[https://iot.mozilla.org/gateway/](https://iot.mozilla.org/gateway/)

------
itronitron
A subset of _device will stop working if the company goes out of business_
includes _device will be rendered useless if company is acquired_ ... Shortly
after Google and Nest acquired Dropcam the service became so shitty that I
could no longer use it. It would be nice if annual subscriptions included
requirements that certain performance thresholds must be met.

~~~
jacquesm
Ah good one, totally missed that. I will update the post. Thank you.

------
on_and_off
>device sends statistical information (aggregate) to the company

Is there any device/service that does that? In my (limited) experience
working on consumer products, the device sends detailed info that is then
aggregated.

~~~
tlb
I don't know of any, but you might hope that some devices would change from
the "sends detailed info" category to "sends aggregate info" as a result of
having to declare which they do.

~~~
jacquesm
That was exactly the goal, to coerce companies to select the less offensive
category if their internal needs can be satisfied that way so they will end up
moving more product than a party that takes whatever it can get.

------
awinter-py
I live in fear of OTA bricking of devices.

Automatic updates have huge pros, but also huge cons that are not being
properly addressed by most vendors.

IMO the biggest difference in software now vs 1995 is the ability to
incrementally upgrade pieces of it w/ limited user interaction (this is true
for consumers and for programmers who are using a library / docker base
layer).

Automatic updates are probably responsible for a non-trivial portion of our
economic growth. It's worth creating better tools to make them safe &
transparent.

~~~
TeMPOraL
> _Automatic updates are probably responsible for a non-trivial portion of our
> economic growth. It's worth creating better tools to make them safe &
> transparent._

How can they be, if by definition they don't involve paying extra for them, so
they have no impact on economic growth metrics themselves?

As for proper addressing, I'd love if either an industry custom or a legal
requirement would exist that would make vendors unbundle security updates from
feature updates. There were plenty of situations in my life where I
purposefully disabled automatic updates of software precisely so that it
doesn't accrue bloat or the modern art projects that pass as UIs these days.

~~~
michaelt
Perhaps awinter-py thinks automatic updates have prevented economic losses
that would otherwise have happened.

~~~
awinter-py
Automatic updates increase the value of software by:

1. allowing companies to charge monthly for 'always fresh' software /
services

2. adding free baseline features to OSes and open libraries, and fixing bugs.
These improvements are bundled into paid products or used directly to increase
productivity or standard of living.

------
lern_too_spel
The author conflates phoning home with recording. The reason that guests
should be informed of the devices is _not_ because they are phoning home but
because they are recording. Even if the recording never leaves the building,
guests should be informed that they are being recorded.

~~~
o-__-o
I have an Amazon Fire integrated TV that is constantly attempting internet
access at times I’m not even using the device. How do I know Amazon is not
uploading snapshots from my HDMI inputs? I would like clear phone home labels
describing what it’s doing so I CAN leave internet always connected.

~~~
lern_too_spel
This is a separate problem from informing guests that they are being recorded,
which is what this article claims to be about.

------
dfabulich
> _if a device could function without such a backend it should be able to
> function without such a backend_

How would the device receive security updates? Or is the hope/expectation that
the device would have no security vulnerabilities? (That seems hopelessly
naive.)

~~~
jacquesm
If it is disconnected it does not require security updates. It only requires
security updates when it is online (or is allowed to go online).

Keep in mind that having a remote update process _is a security risk in and of
itself_. So some people might want to opt out from such updates and firewall
the device off entirely, if its functionality does not require a live internet
connection this should be possible.
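
Both the "no uploading" firewall rules ryandrake describes above and the suggestion here to firewall the device off entirely come down to an egress policy on the router. As an added example (not code from the thread or from the linked post), this shell script prints an nftables ruleset that keeps a separate IoT subnet LAN-only while logging every blocked attempt, and tallies those log lines per device; the subnet, interface names and log lines are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Emits an nftables ruleset that keeps
# an IoT subnet LAN-only (devices may talk to your own machines but not to a
# vendor cloud) and logs every blocked attempt, plus a small counter that
# tallies those log lines per device. Assumed: a router running nftables and
# an IoT subnet of 192.168.50.0/24 (constructed value). Nothing is applied here;
# the ruleset is only printed, so the script is safe to run anywhere.

iot_egress_ruleset() {
    iot_net="$1"
    cat <<EOF
table inet iot_egress {
    # RFC 1918 space: the only destinations a LAN-only device may reach.
    set lan_only {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }
    chain forward {
        type filter hook forward priority 0; policy accept;
        # Replies to connections opened from the LAN side stay allowed.
        ct state established,related accept
        # Device to local NVR, home server or your own computer: allowed.
        ip saddr $iot_net ip daddr @lan_only accept
        # Device to anything else (vendor cloud, CDN, telemetry): log, then drop.
        ip saddr $iot_net ip daddr != @lan_only log prefix "iot-egress-drop " drop
    }
}
EOF
}

# Count blocked attempts for one device from kernel log lines on stdin
# (journalctl -k or dmesg). The trailing space after the address stops
# 192.168.50.2 from matching 192.168.50.23. grep -c prints 0 on no match.
iot_drop_count() {
    grep -c "iot-egress-drop .*SRC=$1 " || true
}

# Constructed sample log lines in the format the log statement above produces.
SAMPLE_LOG='iot-egress-drop IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=203.0.113.10 PROTO=TCP DPT=443
iot-egress-drop IN=br-iot OUT=eth0 SRC=192.168.50.23 DST=203.0.113.10 PROTO=TCP DPT=443
iot-egress-drop IN=br-iot OUT=eth0 SRC=192.168.50.40 DST=198.51.100.7 PROTO=UDP DPT=123'

iot_egress_ruleset 192.168.50.0/24
printf '%s\n' "$SAMPLE_LOG" | iot_drop_count 192.168.50.23
```

A device that keeps showing up in the counter even though it works fine without the cloud is exactly the "could function without such a backend" case the thread is arguing about.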

~~~
tzs
> If it is disconnected it does not require security updates. It only requires
> security updates when it is online (or is allowed to go online).

What about security bugs in a device's offline functionality? For example,
imagine a keypad door lock. It can be configured online to add and remove
unlock codes and to set schedules for automatic locking/unlocking, and then
goes offline for normal operation.

Suppose someone discovers that certain invalid input sequences will unlock it
regardless of what codes are set. I'd say that's a security bug that requires
a security update, even though what it is fixing is functionality that does
not require or use an internet connection.

~~~
jacquesm
Whatever mechanism was used to upload the firmware in the first place could be
exposed. Having a door lock that can be configured online is asking for it.
That's the kind of thing that will lead to headlines in regular news
publications.

~~~
sml156
A quick Google search seems to suggest that smart door locks have ended up in
the headlines since the late 2000s.

[https://www.google.com/search?q=smart+door+lock+vulnerabilit...](https://www.google.com/search?q=smart+door+lock+vulnerability&newwindow=1&client=firefox-b-d&biw=1728&bih=874&sxsrf=ACYBGNQUjXe-2pPpcpqQDxdlhzaH8zRy7g%3A1571563882462&source=lnt&tbs=cdr%3A1%2Ccd_min%3A1%2F1%2F1990%2Ccd_max%3A12%2F31%2F2019&tbm=nws)

~~~
jacquesm
Not at all unexpected.

------
ajb
So, anyone tried Radbot? I really like their approach: "There’s no need for an
app or another online password. Do you really want to see more of your
radiator?"

------
carapace
Great idea, IMO, but how do you get traction? It's a political/social issue in
the end.

~~~
oezi
As engineers the way could be like this:

- Write down the rules precisely.

- Get input from as many consumer rights organizations as possible.

- Submit the final rule set as an RFC or standard.

- Create a certification process with logo.

- Start lobbying for this certification to become mandatory whenever there is a
big cybersecurity scandal.

------
droithomme
This is an important issue.

I record all my guests in my home. But using my own system. I don't upload it
anywhere insecurely or share it with any outsiders because that would be
crazy.

Smart folks understand about these various platforms and know to not discuss
sensitive issues anywhere within a quarter mile of technology, or with anyone
carrying a phone or other device. It's just common sense.

~~~
jacquesm
You may want to check the law; there is a good chance that you are in
violation of it, as many places are 'two-party consent'.

~~~
droithomme
No I am not. My system, in my own private home, is entirely legal.

~~~
cgriswald
No laws I’m aware of in the US carve out any exceptions for private homes.
Even if you’re in a one-party consent state, if you leave the room and no one
else in the room has consented you could be looking at a felony.

~~~
droithomme
It's just as I said.

Based on your claim, baby monitors are illegal. Maybe a class action suit
against baby monitor companies is a good idea!

~~~
cgriswald
So far your only defenses seem to be that it’s in your home, which isn’t a
valid defense; and “I said so.”

Baby monitors don’t record and have indicators that they are active. And it’s
still possible to use them in such a way that you run afoul of the law.

~~~
droithomme
You're in here in post after post accusing me of being a criminal committing
serious crimes.

I'm telling you I've committed no crime.

You say I have. You then say I have no proof I am not a criminal.

That's not how it works in this country. I'm presumed innocent. You want to
prove I am a criminal, bring it on Griswald. Bring it on. Call the FBI. Call
the state officials. Try to get me arrested for the crimes you insist I have
committed. Make a big public case of it, as public as possible. Since slander
and libel are also problematic, aren't they?

~~~
cgriswald
> You're in here in post after post accusing me of being a criminal committing
> serious crimes.

I made two posts suggesting you might be in violation of the law for your own
consideration. I made a third post to someone else about a tangent.

> I'm telling you I've committed no crime.

Yes.

> You say I have.

Nope. I said you might be in violation and I gave reasons. Your responses
since then have actually led me to believe you have no idea whether your
system is legal. If you did, I think you'd be able to articulate why your
system is legal.

I don't have anything at stake here. If you're in violation, you're the one
risking felony charges, not me. If you think it's legal, great. If you don't
think it's legal, then get in compliance or don't.

> That's not how it works in this country. I'm presumed innocent. You want to
> prove I am a criminal, bring it on Griswald. Bring it on. Call the FBI. Call
> the state officials. Try to get me arrested for the crimes you insist I have
> committed. Make a big public case of it, as public as possible. Since
> slander and libel are also problematic, aren't they?

I don't know how to help you. This response makes no sense at all.

