Our lives are becoming increasingly tech-focused by the day. We're expanding beyond laptops and smartphones – on which you can easily install protective tech like the best VPNs – to a plethora of new smart technologies. From air fryers to audio systems, doorbells to dishwashers, almost everything in your home can be a "smart device." However, research from consumer group Which? has found evidence that even devices with no apparent need to collect data are nosier than you expect.
This surveillance ranges from air fryers demanding permission to listen in on conversations and sharing data with TikTok to TVs wanting to know your exact location at all times. Which? rated products across four categories and gave them overall privacy scores for factors including consent and what data access they want. Perhaps unsurprisingly, researchers found data collection often went well beyond what was necessary for the functionality of the product.
All smart devices were tested using Android apps, and "risky" permissions are defined as those giving invasive access to parts of someone's smartphone, such as the ability to record audio, see someone's precise location when using the phone, access to stored files, and seeing what other apps they have installed. All the products tested required consent to work properly and not consenting meant smart features were unable to be utilised. As well as this, all devices wanted to know the user's precise location.
The guilty parties
Three of the best air fryers were tested from Aigostar, Xiaomi, and Cosori. All three wanted permission to record audio on the user's phone – for no specified reason. The Xiaomi app connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent.
The Aigostar air fryer wanted to know gender and date of birth when setting up an account, again for no clear reason, although this was optional. The Aigostar and Xiaomi both sent people's personal data to servers in China, although this was disclosed in the privacy notice.
Some of the best smartwatches were analyzed too, with the Huawei Ultimate watch requesting nine "risky" phone permissions – the most of all devices tested. Huawei claims these all had a justified need and that no user data is used for marketing or advertising purposes. Which? found some trackers active on the watch, but Huawei said they are only active in certain regions.
The Kuzil and WeurGhy smart watches were also tested because they are bestsellers on Amazon. Both require consent and if declined, will only operate as a regular watch. Neither watch appeared to use trackers, but there was none of the legally required information on how long the watches would be supported with security updates.
Top smart TVs from Samsung, LG, and Hisense were tested, and their menus were littered with ads and thirsty for user data. The Hisense and Samsung TVs tested required a postcode at set up, which, in testing, appeared mandatory. The LG asked for a postcode but providing it was not mandatory. Samsung's TV app requested eight "risky" phone permissions and linked to trackers, including Facebook and Google. The LG also linked to trackers, but the Hisense did not.
Smart speakers are a common feature of many homes, and leading products the Amazon Echo Pop and Google Nest Mini, alongside the Bose Portable Home Speaker were tested. The Bose took the fewest upfront phone permissions but was stuffed with trackers, including Facebook, Google, and digital marketing firm Urbanairship. It also fared poorly on how it secured customer consent for data tracking.
In contrast, the Amazon Echo gives useful options to skip various requests to share data. For the Echo and Nest, users needed an Amazon or Google account and used trackers linking back to Google and Amazon respectively, and you can't selectively opt out.
Which?'s research highlights how manufacturers and their products are able to collect excessive data from consumers, often with little transparency about what it's being used for. The Information Commissioner's Office (ICO) is due to publish new guidance for smart device manufacturers in Spring 2025 and Which? has called for clear advice on how consumer data can be used and the transparency required of businesses.
"Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency" said Harry Rose, Which? magazine editor. "Which? has been calling for proper guidelines outlining what is expected of smart product manufacturers and the ICO has confirmed a code is being introduced in Spring 2025 – this must be backed by effective enforcement, including against companies that operate abroad."
What do cybersecurity experts say?
Which? are not the only organisation researching the privacy threat posed by smart devices. Surfshark, a leading VPN, and the fastest VPN in our testing, has researched what data is collected by smart device apps through its Smart Home Privacy Checker. According to Surfshark, Amazon's Alexa collects 28 out of a possible 32 data points, over three times more than the average device. The data is linked to individual user profiles and includes precise location, contact information, and health data.
Google gathers a little less than Amazon, collecting 22 out of 32 possible data points, but is still nearly triple the typical amount collected. Like Amazon, Google links all collected data to the user. These include address, precise location, photos or videos, audio data, browsing, and search history.
Outdoor security cameras were found to collect the most user data among smart home devices. The Deep Sentinel and Lorex apps were the most invasive in this category.
"It is important to understand that this issue extends beyond just data collection," says Goda Sukackaitė, Privacy Counsel at Surfshark. "It encroaches upon the intimate aspects of users’ lives, which, if mismanaged, could lead to data theft, security breaches, and the unsanctioned, uncontrolled dissemination of personal information to third parties. Users must be made aware and given the means to reclaim their digital privacy."
"After gathering data, apps may track you to show targeted ads or share your information with third parties and data broker companies," added Sukackaitė. "Thus, you might end up paying twice for using these apps – once for the device and again with your data."
How can you protect yourself?
Clearly it is more important than ever to take steps to protect your data and privacy, especially if you have smart devices in your home. It isn't all doom and gloom, though – there are ways you can protect yourself and your smart devices.
The first step is to make sure you're always aware of what you're sharing and consenting. Granted you have to consent to certain data collections to make smart devices work, but you certainly don't have to consent to all. Always opt-out of any optional or non-essential data collection – only share what you're comfortable with.
Read the app's privacy notice and identify what data they're collecting and where it's going and check the app's permissions. This can be done before downloading on iOS and Android and in your settings, you can usually review what each app has access to. It is also possible to deny or limit access to data in phone settings, such as location and contacts, although, in some cases, it may limit the smart device's features.
Where possible, and as long as it doesn't affect functionality, you can disable unnecessary microphones and cameras on smart devices and evaluate if the app asking to use your microphone or camera really needs it to perform its function.
You can actually delete recordings stored on a smart device. Using the Alexa and Google Assistant settings, you can set your voice recordings to be deleted automatically rather than stored after a period of time – think, deny, disable, delete.
If you are worried about where your data is and who has it, then you can use a data removal service like DeleteMe or Incogni. These monitor the web for your data, identify which data brokers and third-parties have access to it, and send removal requests for its deletion on your behalf. Some VPN companies, such as Surfshark and ExpressVPN, also include data removal services in premium plans.
"Everyone can take simple but powerful steps like disabling microphones and cameras when they’re not in use, deleting voice data regularly, and always using strong, unique passwords. These measures, while basic, help you stay one step ahead of having your personal information fall into the wrong hands," said Lauren Hendry Parsons, Director of Communications & Advocacy at ExpressVPN.
"If you suspect someone is spying on you via your devices, don’t wait – take action. Reset your phone to factory settings, secure your home Wi-Fi, and encrypt your communications. Regaining control over your devices and network can restore your privacy and peace of mind."
Can VPNs protect smart devices?
VPNs are an excellent tool for protecting your privacy and data online, when using your phone or computer. They can't directly protect your smart devices, but there is another option – setting up a router VPN. These are very useful for protecting devices you can't directly download a VPN on to but use Wi-Fi, such as smart devices.
Essentially, a router VPN is a VPN that is installed on a router, allowing you to secure your Wi-Fi connection at its source. Most VPNs can be installed on a compatible router, and they work exactly like a standard VPN for your device, except all your protection, such as IP address spoofing and online traffic encryption, is done at the source. This means all devices connected to the router are protected, rather than just the singular devices your regular VPN is installed on.
Installing a VPN on a router can be tricky, but the best router VPN, ExpressVPN, offers its own custom router firmware, which is compatible with a number of compatible routers. ExpressVPN also offers its own Aircove router. It's preloaded with ExpressVPN software and ready to use in five minutes.
Of course, VPNs can't stop devices collecting data, but they can help secure your connection and avoid additional surveillance undertaken by your internet provider. Most importantly, you have to stay vigilant when it comes to personal data. Be mindful of the smart devices you buy and what you share with them. Purchase smart devices that collect small amounts of data (if any at all) and use VPN tools where possible to give you the best protection possible.