News Stream Books Videos Web Conferences Subscriptions Advertise About IAPP Publications
Daily Dashboard Daily Dashboard

The day’s top stories from around the world

 AI Governance Dashboard – New AI Governance Dashboard – New

Stay on top of the latest AI governance news and developments of the profession.

 The Privacy Advisor The Privacy Advisor

Original reporting and feature articles on the latest privacy developments

 Privacy Perspectives Privacy Perspectives

Where the real conversations in privacy happen

 Privacy Tech Privacy Tech

Exploring the technology of privacy

 Canada Dashboard Digest Canada Dashboard Digest

A roundup of the top Canadian privacy news

 Europe Data Protection Digest Europe Data Protection Digest

A roundup of the top European data protection news

 Asia-Pacific Dashboard Digest Asia-Pacific Dashboard Digest

A roundup of the top privacy news from the Asia-Pacific region

 Latin America Dashboard Digest Latin America Dashboard Digest

A roundup of the top privacy news from Latin America

 U.S. Privacy Digest U.S. Privacy Digest

A roundup of US privacy news
Overview KnowledgeNet Chapters Sections Affinity Groups Volunteer Annual Awards Career Central
Find a KnowledgeNet Chapter Near You

Talk privacy and network with local members at IAPP KnowledgeNet Chapter meetings, taking place worldwide.

 IAPP Job Board

Looking for a new challenge, or need to hire your next privacy pro? The IAPP Job Board is the answer.

 IAPP Calendar

Review a filterable list of conferences, KnowledgeNets, LinkedIn Live broadcasts, networking events, web conferences and more.
Overview Online Training Live Online Training In-Person Training Books Practice Exams Train Your Staff Official Training Partners Web Conferences
Artificial Intelligence Governance Professional Artificial Intelligence Governance Professional

Learn how to surround AI with policies and procedures that make the most of its potential by reducing its risks.

 European Data Protection (CIPP/E)

Understand Europe’s framework of laws, regulations and policies, most significantly the GDPR.

 U.S. Private-Sector Privacy (CIPP/US)

Steer a course through the interconnected web of federal and state laws governing U.S. data privacy.

 Canadian Privacy (CIPP/C)

Learn the intricacies of Canada’s distinctive federal/provincial/territorial data privacy governance systems.

 Privacy Program Management (CIPM)

Develop the skills to design, build and operate a comprehensive data protection program.

Privacy in Technology (CIPT)

Add to your tech knowledge with deep training in privacy-enhancing technologies and how to deploy them.

 Foundations of Privacy and Data Protection

Introductory training that builds organizations of professionals with working privacy knowledge.

 Privacy Law Specialist Training (PLS)

Meet the stringent requirements to earn this American Bar Association-certified designation.
Overview Certification Programs Get Certified How to Prepare Continuing Privacy Education (CPE) Fees Certify Your Staff Verify a Certification
CIPP Certification CIPP Certification

The global standard for the go-to person for privacy laws, regulations and frameworks

 CIPM Certification CIPM Certification

The first and only privacy certification for professionals who manage day-to-day operations

 CIPT Certification CIPT Certification

As technology professionals take on greater privacy responsibilities, our updated certification is keeping pace with 50% new content covering the latest developments.

 FIP Designation FIP Designation

Recognizing the advanced knowledge and issue-spotting skills a privacy pro must attain in today’s complex world of data privacy.

 Privacy Law Specialist Privacy Law Specialist

The first title to verify you meet stringent requirements for knowledge, skill, proficiency and ethics in privacy law, and one of the ABA’s newest accredited specialties.

 AIGP Certification AIGP Certification

Ensures individuals responsible for AI systems can reduce the risks associated with this technology.

 Certificação CDPO/BR Certificação CDPO/BR

Mostre seus conhecimentos na gestão do programa de privacidade e na legislação brasileira sobre privacidade.

 Certification CDPO/FR Certification CDPO/FR

Certification des compétences du DPO fondée sur la législation et règlementation française et européenne, agréée par la CNIL.
Tools and Trackers Research Glossary Global Privacy Directory Enforcement Database Westin Research Center Web Conferences Jobs Privacy Vendor Marketplace
Global Privacy Directory

This tool identifies global data protection authorities and privacy legislation.
US State Privacy Legislation Tracker

The IAPP’s US State Privacy Legislation Tracker consists of proposed and enacted comprehensive state privacy bills from across the U.S.
Reports and Surveys

Access all reports and surveys published by the IAPP.
Privacy Governance Report

This report shines a light on the location, performance and significance of privacy governance within organizations.
Privacy Risk Study

This year’s Privacy Risk Study represents the most comprehensive study of privacy risk undertaken by the IAPP in collaboration with KPMG.
Artificial Intelligence

On this topic page, you can find the IAPP’s collection of coverage, analysis and resources covering AI connections to the privacy space.
CCPA and CPRA

IAPP members can get up-to-date information here on the California Consumer Privacy Act and the California Privacy Rights Act.
EU General Data Protection Regulation

The IAPP's EU General Data Protection Regulation page collects the guidance, analysis, tools and resources you need to make sure you're meeting your obligations.
Data Protection Intensive: UK Data Protection Intensive: UK

Explore the full range of U.K. data protection issues, from global policy to daily operational details.

Global Privacy Summit Global Privacy Summit

Expand your network and expertise at the world’s top privacy event featuring A-list keynotes and high-profile experts.

AI Governance Global AI Governance Global

A new event in Brussels for business leaders, tech and privacy pros who work with AI to learn about practical AI governance, accountability, the EU AI Act and more.

 Canada Privacy Symposium Canada Privacy Symposium

Leaders from across the Canadian privacy field deliver insights, discuss trends, offer predictions and share best practices.

Asia Privacy Forum Asia Privacy Forum

Hear top experts discuss global privacy issues and regulations affecting business across Asia.

 Privacy. Security. Risk. (P.S.R.) Privacy. Security. Risk. (P.S.R.)

P.S.R. focuses on the intersection of privacy and technology. The call for proposals to speak at the 2024 event is open. Submit your ideas today.

 Europe Data Protection Congress Europe Data Protection Congress

Europe’s top experts offer pragmatic insights into the evolving landscape and share knowledge on best practices for your data protection operation.

 ANZ Summit ANZ Summit

Gain exclusive insights about how privacy affects business in Australia and Aotearoa New Zealand.

 Speak at an IAPP Event

View our open calls and submission instructions.

 Sponsor an Event

Increase visibility for your organization — check out sponsorship opportunities today.

Individual Membership Corporate Membership Group Membership Student Membership
Become a Member

Start taking advantage of the many IAPP member benefits today

 Corporate Members

See our list of high-profile corporate members—and find out why you should become one, too

 Renew Your Membership

Don’t miss out for a minute—continue accessing your benefits
{[product.name]} {[ product.name ]}
clear
mode_editEdit
remove_circle_outline {[ getCartItemQuantity(product.id) ]} add_circle_outline
{[ product.price | currencyFilter ]}
TOTAL: {[ getCartTotalCost() | currencyFilter ]} Update cart for total shopping_basket Checkout

Privacy Tech | Why real estate agents should think about the privacy implications of the smart home Related reading: Switzerland's DPA finds online retailer violated data processing standards

rss_feed

""

""

With Roomba's new data mapping feature flooding the news, it's worth discussing the implications of the growing smart home ecosystem and its effect on real estate and new homeownership. When a consumer purchases a previously owned home, they are not thinking about the potential security vulnerabilities, privacy implications and consequences of having a third party or hacker take control of the IoT devices that are quickly becoming standard in the modern household. 

Putting the slew of potential data security threats of IoT devices aside, prospective homebuyers are not always thinking about putting in place written contracts containing warranties and indemnities in the event a previous owner retains control of the IoT device in the home. Plus, IoT devices are not regularly patched or updated against malware, if such patches are available at all. Even if they were available, the new homeowner may not know to make those updates. To pile on, typically, the original owner of the IoT device is still registered as the owner after a sale, complicating an already potentially dicey situation.

A 2016 survey from the National Association of Realtors indicates that only 15 percent of clients asked about whether homes contained smart appliances and IoT devices, and more than half the potential homebuyers were unfamiliar with the concept of IoT and how they work. Many realtors are also unfamiliar with IoT technology and privacy and security by design concepts. 

Consumers tend to demand maximum features and functionality from product manufacturers, while also wanting to pay the cheapest price for the devices. Such devices are often built by offshore companies, which may not have the expertise to make their devices secure. Given this, it is unlikely that the manufacturer will pay much attention to the need for issuing regular malware updates and patches for IoT devices, and it will be even less likely to develop effective ways to deliver such updates and patches to the device. Luckily, the Federal Trade Commission has recognized one potentially helpful tool in locating IoT security vulnerabilities. 

Selling houses that contain connected devices and smart appliances can also create unique security and privacy issues. Security cameras, landscape lighting, thermostats and lights can all retain the original owner’s data. Manufacturers are focused on getting their connected devices onto store shelves and into users’ homes without thinking through the need for privacy and security. There is very little awareness about what happens when the connected device is sold.

It’s worth noting, too, that planned product obsolescence is a potential vulnerability. The practice is nothing new and has existed in manufacturing for at least 70 years. The reason some companies embrace the concept is either as a marketing effort to try to migrate the customers to a newer product, or a deliberate design strategy that ensures the product will break and need replacing on a regular basis, ensuring product turnaround and regular profit streams. Anyone who is old enough to have bought home appliances 40 years ago can easily relate to this; modern appliances currently have approximately one-third of the useful life than they used to. Device manufacturers can also “brick” a device, a move that has potentially dire consequences for homeowners, especially after they have been trained to enjoy the convenience and added features of it.

IoT devices are marketed as enabling new solutions and features that did not exist previously and expand consumer freedom and convenience, but unfortunately, they often seem to limit consumer freedom instead. For example, many smart devices are Wi-Fi connected and enabled, which means that if there is an extended power outage or loss of internet connectivity — unless you have kept your non-smart appliances as a backup — you may not be able to enjoy your morning coffee, be able to lock your door manually, or set your thermostat in the “old-fashioned way.”

In short, some manufacturers advertise the features, benefits, ease of use and convenience of the ever-increasing “smart” features on new IoT devices, while rarely acknowledging the problems and downside arising from owning or reselling such products.

Perhaps there’s a void here that can be filled by privacy professionals, who can evangelize the importance of privacy by design, the ethical design and marketing of IoT devices, and the communications necessary to help ensure homeowners don’t become victims of an IoT hack. The end result could be a large swath of happy new homeowners. 

photo credit: ♡✌ Kᵉⁿ Lᵃⁿᵉ ✌♡ Real Estate Photography (109 Santee Street, Asheville NC) via photopin (license)

Realtor and new homeowner checklist for the smart home
  • Make sure to include any smart devices that will remain with the home after it is sold in a disclosure document as an addendum to the sales contract, such as modems, washers, dryers, dishwashers, garage door openers, gate entry systems, smoke and carbon monoxide detectors, sprinkler systems, door locks, lightbulbs, security cameras, thermostats, HVAC, energy systems, etc., along with any user manuals, vendor and manufacturer contact information, and demand to know who has access to the data on each such device using the “data management” settings on the device. If such devices are password protected, always ask for the password to be included in the disclosure document, along with the original manufacturer’s name, as you may need the manufacturer to reset the owner information on an app. 
  • Review the privacy policies and settings for all connected devices, applications, and services, the connected devices’ warranties and support and maintenance policies. If features or a connected device are no longer supported by a vendor, disable or remove the device.
  • Submit change of ownership and your contact information to manufacturers and service providers to ensure you receive security updates and privacy notices changes
  • Many connected devices require WiFi to work, but this is often one of the first things the seller removes when a house is shown and sold. This may prevent you from accessing the devices until you move in and install your own Home WiFi network. If this is the case, have the seller migrate the accounts of all those devices to a new email account, with the passwords used in all the accounts, to facilitate your task of updating and changing passwords, user names and account information as soon as possible upon taking possession of the home. 
  • Check manufacturers’ web sites to confirm that all connected IoT devices are patched with the latest software and firmware. Patching and updating is just as important on your connected devices as it is on your computer. 
  • Reset access and guest codes for home alarm systems, gates and garage door openers.
  • Review routers and devices to ensure they support the latest security protocols and standards, and disable or replace routers with older insecure protocols (for example, use WPA2 instead of WEP or WPA). You should create administrator accounts and user accounts if possible, each with its own distinct complex passwords. 
  • If possible, insert an indemnity provision in the sales contract allowing you to recover damages if you must replace the device and pay for an installer because the seller does not provide the correct information or refuses to cooperate.
  • Although it has been standard for many years for sellers to purchase an “appliance insurance policy” for the benefit of buyers in case any appliance stops working shortly after the home’s transfer of ownership, if possible, expand such an insurance policy to cover all connected devices in the home, and damages and installation costs stemming from the need to replace obsolete or unprotected IoT devices.
  • As part of a home inspection, you should hire an inspector who is knowledgeable about smart devices and security settings to check out each connected device in the home. Some “smart” devices are easy to spot, such as security cameras, refrigerators, washers and dryers, etc. – others such as “smart” lightbulbs, switches, and hot water dispensers are not, but they all collect and send your information and data to their respective manufacturers, and all pose security risks. 
  • If your Wi-Fi router allows creation of a separate “guest” network to keep visitors out of the secure home network, you should create a special guest network for the connected devices in the new home and keep them there, or if it doesn’t, you should purchase a new router, connect it to a separate computer, create a new email account and run the connected devices in the new home from this new system separate from your secure home network, as many devices will try to establish a “handshake” with the router to open up a connection so they can accept outside connections, which will expose your all your smart devices.
  • Turn off “Universal Plug and Play” on the router and IoT devices if possible to reduce exposure. Be careful when hooking up any connected device the first time – make sure that the computer is already set up with anti-malware, firewall and antivirus.
  • Make a habit of purchasing devices that will work without the cloud, if possible. Although admittedly convenient, IoT devices that run on a cloud are often less secure than those that can be controlled entirely within the home. Read the package to determine if internet access is necessary to make the device work, and if the only option is cloud.
  • Do not connect all your devices to the network unless it is necessary to do so. 
Authors
Headshot Daniel Christensen, CIPP/E, CIPP/US, CIPM, CIPT, FIP IAPP Member Contributor
Headshot Diana Jimenez, CIPP/E, CIPP/US IAPP Member Contributor
Tags
U.S.
Big Data
Infosecurity
Internet of Things
Personal Privacy
Privacy Opinion
2 Comments

If you want to comment on this post, you need to login.

  • comment David Clark • Sep 14, 2017 
    Good article and good information. One other issue that real estate agents, as well as home buyers and sellers, need to be more aware of is the practice of posting pictures of the inside of the home. These pics are put online and then scraped by numerous sites that show homes for sale. After the sale the pics remain. In my personal experience it took several months and staying on the listing agent to have all of the pictures of the inside of our home removed from the internet.
  • comment Roman Koreiko • Dec 29, 2017 
    Mobile advertising is a stable trend to the market development in the next several years. Traditional marketing activities continue to focus on design or standard print materials.
In terms of the number of opportunities, mobile advertising is an unparalleled marketing tool.
Related Stories
Notes from the Asia-Pacific region, 26 April 2024
As I return from the IAPP Global Privacy Summit 2024 in Washington, D.C., I do so with a whole new perspective and appreciation for the community that is this association we all enter into and derive so much from on a daily basis. Having only joined the IAPP a little over a year ago I found it truly...
Read More queue Save This
India expands AI regulatory efforts
India's Ministry of Electronics and Information Technology is increasing its efforts to regulate artificial intelligence with a "balanced approach toward ensuring user safety with innovation," Legal Counsel at the Software Freedom Law Center Arjun Adrian D'Souza said. He details the advisories relea...
Read More queue Save This
A regulatory roadmap to AI and privacy
To address the data privacy issues artificial intelligence development causes, the rapid deployment of the technology is "making it glaringly clear that a privacy law rethink is long overdue," TeachPrivacy President and CEO Daniel Solove writes. Solove warned against carving out policies that furthe...
Read More queue Save This
Realtor and new homeowner checklist for the smart home
  • Make sure to include any smart devices that will remain with the home after it is sold in a disclosure document as an addendum to the sales contract, such as modems, washers, dryers, dishwashers, garage door openers, gate entry systems, smoke and carbon monoxide detectors, sprinkler systems, door locks, lightbulbs, security cameras, thermostats, HVAC, energy systems, etc., along with any user manuals, vendor and manufacturer contact information, and demand to know who has access to the data on each such device using the “data management” settings on the device. If such devices are password protected, always ask for the password to be included in the disclosure document, along with the original manufacturer’s name, as you may need the manufacturer to reset the owner information on an app. 
  • Review the privacy policies and settings for all connected devices, applications, and services, the connected devices’ warranties and support and maintenance policies. If features or a connected device are no longer supported by a vendor, disable or remove the device.
  • Submit change of ownership and your contact information to manufacturers and service providers to ensure you receive security updates and privacy notices changes
  • Many connected devices require WiFi to work, but this is often one of the first things the seller removes when a house is shown and sold. This may prevent you from accessing the devices until you move in and install your own Home WiFi network. If this is the case, have the seller migrate the accounts of all those devices to a new email account, with the passwords used in all the accounts, to facilitate your task of updating and changing passwords, user names and account information as soon as possible upon taking possession of the home. 
  • Check manufacturers’ web sites to confirm that all connected IoT devices are patched with the latest software and firmware. Patching and updating is just as important on your connected devices as it is on your computer. 
  • Reset access and guest codes for home alarm systems, gates and garage door openers.
  • Review routers and devices to ensure they support the latest security protocols and standards, and disable or replace routers with older insecure protocols (for example, use WPA2 instead of WEP or WPA). You should create administrator accounts and user accounts if possible, each with its own distinct complex passwords. 
  • If possible, insert an indemnity provision in the sales contract allowing you to recover damages if you must replace the device and pay for an installer because the seller does not provide the correct information or refuses to cooperate.
  • Although it has been standard for many years for sellers to purchase an “appliance insurance policy” for the benefit of buyers in case any appliance stops working shortly after the home’s transfer of ownership, if possible, expand such an insurance policy to cover all connected devices in the home, and damages and installation costs stemming from the need to replace obsolete or unprotected IoT devices.
  • As part of a home inspection, you should hire an inspector who is knowledgeable about smart devices and security settings to check out each connected device in the home. Some “smart” devices are easy to spot, such as security cameras, refrigerators, washers and dryers, etc. – others such as “smart” lightbulbs, switches, and hot water dispensers are not, but they all collect and send your information and data to their respective manufacturers, and all pose security risks. 
  • If your Wi-Fi router allows creation of a separate “guest” network to keep visitors out of the secure home network, you should create a special guest network for the connected devices in the new home and keep them there, or if it doesn’t, you should purchase a new router, connect it to a separate computer, create a new email account and run the connected devices in the new home from this new system separate from your secure home network, as many devices will try to establish a “handshake” with the router to open up a connection so they can accept outside connections, which will expose your all your smart devices.
  • Turn off “Universal Plug and Play” on the router and IoT devices if possible to reduce exposure. Be careful when hooking up any connected device the first time – make sure that the computer is already set up with anti-malware, firewall and antivirus.
  • Make a habit of purchasing devices that will work without the cloud, if possible. Although admittedly convenient, IoT devices that run on a cloud are often less secure than those that can be controlled entirely within the home. Read the package to determine if internet access is necessary to make the device work, and if the only option is cloud.
  • Do not connect all your devices to the network unless it is necessary to do so. 
Related Stories
Tags
U.S.
Big Data
Infosecurity
Internet of Things
Personal Privacy
Privacy Opinion
Recent Comments