Physical Address

304 North Cardinal St.
Dorchester Center, MA 02124

Your air fryer could be listening to you in the kitchen and sending the data to China

Be careful what you say when you’re cooking. It turns out your air fryer might be listening in, and sending your collected data to China.
As ridiculously dystopian as that may seem, UK consumer protection organisation Which? took a close look at several smart products and their associated apps (because what is an air fryer without an affiliated app these days?) and found they gather personal data that has little or no relevance to the functioning of the product. This included possible audio surveillance by two air fryers, an egregious example of a “well, because we can” mindset.
The research by Which? “highlights how manufacturers are currently able to collect excessive data from consumers, often with little transparency about what it will be used for”.
Three air fryer brands popular on Amazon – Cosori (Amazon’s own-brand), Xiaomi and Aigostar – all scored below 50 per cent on Which?’s privacy scorecard for the appliances. The report found that “as well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason”.
The Xiaomi air fryer’s app linked to trackers from Facebook, Pangle (the advertising network of TikTok for Business) and Chinese tech giant Tencent (though this depended on the location of the user). Aigostar asked for the gender and date of birth of the person setting up an ownership account – irrelevant to making fries or chicken goujons – although this was optional.
Both the Xiaomi and Aigostar fryers sent users’ personal data to China. This was flagged in the privacy notice for the fryers. But how many people read privacy notices? Or the terms and conditions notice for an appliance, where details on data usage are also frequently squirrelled away among the legal jargon?
The report also looked at some smartwatch brands. All required that users consent to the device and app’s privacy permissions to work as smartwatches, as opposed to functioning just as a time-telling watch. The Huawei Ultimate smartwatch asked users to consent to nine of what Which? considers “risky permissions” seen as giving “invasive access to parts of someone’s phone”. With the Huawei watch, these included “precise location, the ability to record audio, access to stored files or an ability to see all other apps installed”. In response, Huawei said all of these had a justified purpose and that data was not used for marketing or advertising.
Kuzil and WeurGhy smartwatches turned out to be the same product marketed under different brand names (Amazon is flooded with such identical products from little-known brands). Both required privacy consents to work and neither supplied legally-required information on how long the devices would support security updates.
Hisense, Samsung and LG smart televisions (and it is almost impossible now to find TVs that aren’t smart) all wanted user locations, though they said it was for content localisation features. The Samsung model’s app required eight “risky permissions” which included being able to see all other applications on a phone. Both the Samsung and Hisense TV apps linked to a number of trackers, including Facebook and Google.
Of a trio of popular smart speakers manufactured by Google, Amazon and Bose, Which? found that Bose’s Home Portable speaker required the fewest upfront permissions but was “stuffed with trackers”, including from Facebook, Google and a digital marketing firm Urbanairship. The Amazon Echo Pop and Google Nest Mini devices had their own (expected) trackers but users can’t opt out of them. All wanted users’ exact locations too.
The degree to which the device apps gathered data was often dependent on whether users had an iPhone or an Android device. Far more information was taken from those with Android phones, as Apple now disallows some types of data gathering and offers additional privacy protections.
These findings add to years of similar issues exposed by Which? and others, problems that have been around ever since home smart devices and their associated apps began to proliferate. Unfortunately, EU privacy and data collection protections are currently inadequate to combat this, yet the way in which manufacturers and apps continue to lay claim to data, and demand risky and unnecessary access to location, camera and audio data is unacceptable.
User “consent” to such practices falls into a grey area, generally either unseen or overlooked by consumers because the terms lie buried in unread privacy and T&C notices, or people feel resigned to such personal encroachment because their device won’t operate fully without granting it, even though there’s no actual functional need.
In a week when the Government has released its first National Cyber Security Annual Update, this Which? privacy study is a reminder that many risks seen as “soft’, such as excessive data gathering from consumers, creates tranches of vulnerable, often highly sensitive data, largely placed in the hands of multinationals and increasingly, little known manufacturers based in countries like China where there’s scant ability to assess or confirm how data is being used or secured. Ireland and the EU should be doing much more to protect consumers. As the horrific 2021 hospital hacks here showed, we and our personal data are all part of the larger national and EU cyber security picture.

en_USEnglish