19 Aug 2021

Walk down a residential street and odds are you’ll see a smart doorbell with a built-in camera. Ever wondered whether that doorbell is capturing footage of you whilst you walk past it? You’re not alone.

For a while, I’ve been curious about the privacy issues associated with these doorbells. So, I bought one.

Setup

I started by scanning a QR code on the back of the device. A few seconds later, and I’ve downloaded the app. That was easy.

The app immediately presented me with a choice: log in or create an account. I was hoping to just set up the device, but I pressed on. It required I hand over my name, email address, approximate location and create a password. From a privacy perspective, we’d fallen at the first hurdle: I couldn’t see a reason why I should have to create yet another online account, just so I could start using this product.

With the account created, I re-opened the app and was ready to go. Or was I? Straight away, I was asked to link the doorbell account (which I didn’t want anyway) with another account I had with the manufacturer.

There was a clear description explaining the benefits: a good start. But it wasn’t obvious what this meant for my data shared between the two accounts. The option to link accounts was pre-selected. I instead chose to “opt-out” with the app asking if I was sure.

Next, the app wanted to access my precise location. I declined but was asked to add the exact address where the device was being installed. I tried to give a fake address, but they saw me coming – I got an address verification error. A large red warning triangle appeared with some scary red text informing me that without an address, “several” of the device’s features would be disabled. Again, the design made me feel like I was doing something wrong, rather than being given a free choice about whether to reveal my precise location to a technology manufacturer.

I pressed on without giving away my address.

Who knows what features I’m now missing out on – I certainly don’t.

Privacy review of the setup process – a missed opportunity

I was annoyed by the setup process. It was clear that significant design expertise went into making the setup experience as slick as possible. But that same expertise was also used to create dark patterns designed to get me to provide unnecessary data, and agree to a series of data sharing options which weren’t fully explained.

I would have loved to see:

  • A way to use the doorbell without creating an account, perhaps using a hard drive connected to my home WiFi rather than the manufacturer’s cloud
  • A way to create an account without providing my email address, perhaps using Apple’s ‘hide my email’ feature
  • An explanation of why my doorbell needs to know my full name
  • An explanation of why I need to provide my full address, and a clear explanation of what I’m missing out on if I don’t provide it
  • An explanation of how my data will be used if I link my accounts

But surely, you might be thinking, all of this information is in the privacy policy? I had that thought too. But I read the privacy policy, and I still don’t know the answers to these questions. If your privacy policy doesn’t effectively answer your users’ questions about privacy, you’re doing something wrong.

The cynic in me says that these explanations are missing precisely because there isn’t a justifiable reason for collecting this data in the first place.

I wanted a doorbell, not to discover a compliance nightmare

The doorbell worked, as you’d expect. But we weren’t out of the woods yet.

I live in a mid-terrace house with a shared driveway opposite a public car park. There was simply no way I could position the doorbell in a way that captured only the boundary of my home. Because of that, my use of the doorbell probably had to comply with data protection law. If your smart doorbell is positioned in a way that only captures the boundaries of your home, you can likely escape the legal quagmire that’s about to unfold.

Data protection laws often don’t apply to individuals. They don’t apply to you storing your friends’ numbers on your phone, or sending birthday cards to their homes. But start using a CCTV system, a car dashcam or (in my case) a smart doorbell, which captures footage outside of your home, and the data protection laws do apply – you become a ‘data controller’.

What does that mean? From a practical perspective, to use the doorbell lawfully I’d need to put up a sign telling people there’s CCTV in operation. I’d need to provide a privacy notice that complies with the requirements in the data protection legislation. I’d need to facilitate people asking me for access to and to erase their data. And I’d need to make sure the contracts with my data processors are compliant with the law. So, I decided to investigate whether the contract I was required to agree to when I created my account covered all of that off. And here’s where things got really messy.

We need to talk about those contractual terms…

The footage from my doorbell would be stored on the manufacturer’s cloud servers. That made it likely that the manufacturer would act as data processor for me. And as a controller, I would need to make sure they were up to scratch on their data protection compliance.

I read the manufacturer’s contract, called their terms of use (evenings really do fly by in my house) and it wasn’t good news:

  • There’s no reference to the mandatory data processing clauses that need to be included if the manufacturer is a data processor
  • There’s no reference to international transfers of data, which is a problem since the manufacturer is US-based, and I’m in the UK
  • The manufacturer reserves the right to share footage from the doorbell that I’ve chosen to share. This makes things a whole lot more complicated. If the manufacturer has the right to do this, I think it’s likely they’re a “joint controller” with me, which is a complex relationship to manage and facilitate. There’s no hint of that possibility in the contract, or on their website. Yikes.

Whose responsibility is it?

I think this doorbell is worse than the Smart TV we looked at a while ago.

The design is far from privacy friendly. In my view, the manufacturer’s contractual terms make it impossible for consumers’ use of the doorbell to comply with data protection laws if they are capturing any footage outside the boundary of their homes. And I very much doubt I would get anywhere by asking their customer service team to sign a data processing agreement.

An interesting question is who should be responsible for compliance here? The data protection legislation largely relies on self-policing using regulatory guidance and some enforcement. That’s an understandable approach when controllers are businesses with legal budgets, but can we realistically expect consumers to understand just how important it is from a legal perspective to avoid capturing footage outside the boundary of their home? I’m not sure we can.

I’m left thinking that the location data the manufacturer insists on collecting could be put to a good use after all: to inform users of the laws applying to their use of the doorbell where they live.