A new investigation by the consumer advocacy group Which? reveals a worrying trend: everyday smart devices, from air fryers to televisions, are collecting excessive amounts of user data, often with no clear explanation or transparency on how it will be used.
The study found that some of these gadgets, including popular air fryer and smartwatch models, are asking for permissions that go beyond what is necessary for their primary functions—raising significant privacy concerns.
Excessive Permissions and Data Sharing
Among the more surprising revelations, Which? researchers found that certain air fryer models, including those from Xiaomi and Aigostar, request access to a user’s precise location and even permission to record audio. These permissions are not clearly justified by the functionality of the device, sparking concerns over potential misuse.
The Xiaomi air fryer app was found to connect to third-party trackers associated with TikTok’s ad network, Facebook, and Tencent, potentially sharing user data with servers in China, as noted in the app’s privacy policy.
Smartwatches, another popular category, also showed high levels of data collection. The Huawei Ultimate smartwatch, for example, requires nine “risky” permissions, including access to precise location, audio recording, and stored files, leading to concerns over user privacy. Huawei claims that these permissions are necessary for device functionality and maintains that user data is not used for marketing or advertising.
Television and Smart Speaker Privacy Concerns
Televisions are no exception, as both Hisense and Samsung models tested by Which? demanded location data. Samsung’s smart TV app further requested eight high-level phone permissions, making it second only to the Huawei smartwatch in data requests. Although Samsung and Hisense stated that location data is used to enhance user experience by localizing content, the group reported that in its tests, providing a postcode appeared mandatory for device setup on Samsung models.
Smart speakers were similarly scrutinized. While the Bose Home Portable speaker requires relatively few upfront permissions, it is linked to multiple trackers, including Facebook, Google, and Urbanairship, a digital marketing firm. In contrast, Amazon’s Echo Pop and Google’s Nest Mini allow users some control over data-sharing requests, though Which? rated their privacy features as limited, as users are unable to opt out of certain data requests entirely.
Industry Calls for Stricter Regulations
In response to these findings, the group is urging companies to prioritize consumer privacy over profit, highlighting that many data requests lack sufficient transparency. The organization notes that some permissions requested by smart devices—such as the ability to record audio or track precise location—are invasive and not necessary for their core functions.
The UK’s Information Commissioner’s Office (ICO) is set to release new guidelines for smart product manufacturers in Spring 2025. Which? has called for robust enforcement measures, especially given the challenge of holding companies outside of the UK accountable.
Industry Responses
In response to the findings, Samsung assured users that it employs strong security safeguards and provides options for users to control data sharing through Samsung accounts. Hisense echoed this commitment to privacy, stating that its collection of postcodes helps enhance user experience through localized content.
Amazon, Google, Huawei, and Xiaomi also responded, emphasizing compliance with privacy regulations and measures to provide users with control over their data. Xiaomi clarified that its audio recording permission is not applicable to its Smart Air Fryer, which does not rely on voice commands.
Adam Brown, managing security consultant at Black Duck, said, “The Cyber Resilience Act, which came into play this year, enforces stricter cybersecurity standards for all products with digital features sold in the EU and aims to safeguard from security vulnerabilities by requiring manufacturers to implement mandatory cybersecurity measures throughout a connected product’s lifecycle.”
However, Brown says “excessive smart device surveillance” might not fall within the requirements of the CRA. “Bringing connected devices into your home network opens doors for potential surveillance activity. And while an individual may not be a target for control or surveillance, as a part of a larger group, they may be.”
Which? Urges Consumers to Be Cautious
The group advises consumers to take active steps to protect their privacy. This includes carefully reviewing app permissions before downloading, limiting data sharing where possible, and deleting voice recordings on devices like Alexa and Google Assistant. It also encourages consumers to familiarize themselves with privacy policies, as many contain important details about data collection and processing.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.