SWITCHED ON
The daily technology series nobody asked for but everyone needed
Home Insecure: Smart Homes and the IoT Surveillance Architecture
The home used to be the one place where surveillance capitalism had limited reach. Then we invited it in and called it a smart speaker.
Privacy law has historically given the home special status — the place where the state's reach is most restricted, where the individual is most sovereign. The Internet of Things has comprehensively undermined that status, not through government intrusion but through consumer choice, and the legal frameworks have barely begun to catch up with what that means.
Yesterday we went inside the mind — or at least inside the technology claiming to help with what's inside it. Mental health apps, AI chatbots, the treatment gap they're trying to address, the evidence problem that most of them ignore, BetterHelp's FTC settlement for selling therapy data to Facebook advertisers, and what good technology can actually contribute to mental health versus what it is being marketed as doing. Today we are bringing the surveillance economy home. Literally. Smart speakers, connected cameras, doorbell surveillance networks, smart TVs that watch you watch them, appliances reporting on their use patterns, and the security vulnerabilities in all of it that researchers keep finding and manufacturers keep not taking seriously enough. The home is now a data collection endpoint. Most of the people living in it did not fully understand what they were agreeing to when they plugged in the first smart device.
01 — What the Connected Home Has Become
The typical connected home in 2026 contains somewhere between ten and fifty internet-connected devices, depending on the household. Smart speakers — Amazon Echo, Google Nest, Apple HomePod — listen continuously for wake words and transmit audio clips to cloud servers for processing. Smart TVs collect viewing data in real time, a practice known as automated content recognition, and transmit it to manufacturers and third-party data brokers who use it for advertising targeting. Smart doorbells and security cameras, led by Amazon's Ring, record continuously and in many cases share footage with law enforcement on request. Smart thermostats, locks, refrigerators, washing machines, and baby monitors all collect behavioural data that their manufacturers use to varying degrees for product improvement, service provision, and in some cases commercial data sharing.
The aggregate picture is of a home that is continuously monitored — not by a government agency or a human surveillant, but by a distributed network of corporate data collection systems operating under terms of service that were technically consented to and practically unread. The data collected encompasses when people wake up, what they eat, when they leave the house, what they watch, who visits, what they say to each other in ambient conversation near smart speakers, what their sleep patterns look like, and what their energy consumption implies about their daily routines. This is an extraordinarily detailed behavioural profile of private domestic life, assembled without active participation by the people being profiled, and governed by privacy policies that permit its use in ways most consumers would be uncomfortable with if they read them.
The home was the one space that surveillance capitalism had not fully colonised. We colonised it ourselves, one convenience at a time, because the individual value proposition of each connected device was real and the aggregate privacy cost was invisible until it was too late to easily reverse.
02 — The Security Catastrophe Nobody Fixed
The Internet of Things security problem has been documented, warned about, studied, and ignored by manufacturers on a scale that is genuinely remarkable given what is known. The basic problem is structural: IoT devices are manufactured at low cost with thin margins, security engineering is expensive, the update infrastructure required to patch vulnerabilities after deployment adds ongoing cost, and consumers rarely choose products on the basis of security quality because security quality is invisible until it fails. The result is a market that systematically underinvests in security.
The Mirai botnet attack of 2016 is the landmark demonstration of what this underinvestment produces at scale. Mirai malware compromised hundreds of thousands of IoT devices — primarily security cameras and digital video recorders with default passwords that had never been changed — and used them to conduct a distributed denial-of-service attack that brought down large portions of the US internet infrastructure including Twitter, Netflix, GitHub, and CNN, by overwhelming the Dyn DNS service. The attack was conducted by three college students using publicly available tools against devices that were trivially compromised because their manufacturers had shipped them with known default credentials and no mechanism to force password changes.
A decade later, the structural problem has been partially but inadequately addressed. Several jurisdictions have introduced minimum security requirements for IoT devices — the UK's Product Security and Telecommunications Infrastructure Act, California's IoT security law, and the EU's Cyber Resilience Act impose requirements including unique default passwords, vulnerability disclosure policies, and update support periods. These are improvements. They do not retroactively address the hundreds of millions of devices already in the field that were manufactured without these requirements, and the enforcement of new requirements has been inconsistent. Security researchers continue to find significant vulnerabilities in popular smart home devices — in cameras, in smart locks, in EV chargers — at a rate that suggests the underlying development culture has not fundamentally changed despite the regulatory pressure.
03 — Amazon Ring and the Law Enforcement Partnership
Amazon's Ring doorbell camera network represents the most extensively documented case of smart home technology being integrated into surveillance infrastructure in ways that go substantially beyond what consumers typically understand they are participating in when they install a doorbell camera.
Ring operates a programme called Neighbors, a social platform for sharing footage from Ring cameras with other local users. It also operated, until 2024, a law enforcement portal that allowed police departments across the US to request footage from Ring cameras in their jurisdiction, initially without requiring a warrant and without notifying the camera owners whose footage was being accessed. At its peak, Ring had partnerships with over two thousand law enforcement agencies. The programme created, through the voluntary purchases of millions of individual consumers, a privately operated surveillance network of extraordinary geographic coverage available to law enforcement without the constitutional constraints that would apply to direct government surveillance.
Amazon curtailed the law enforcement portal in 2024 following significant public and congressional pressure, requiring law enforcement to go through standard legal processes to obtain footage. The cameras remain installed. The footage continues to be collected. The data practices governing what Amazon does with the aggregate data from millions of doorbell cameras — patterns of movement, visitor records, behavioural routines — are governed by Amazon's privacy policy and terms of service rather than by any dedicated legal framework for private surveillance infrastructure of this scale and societal consequence.
04 — Smart Home Technology and Domestic Abuse
The convergence of smart home technology and domestic abuse represents one of the most concrete and least discussed harms from the consumer IoT ecosystem. Research and advocacy organisations working with domestic abuse survivors have documented a significant and growing pattern of connected home devices being used as tools of coercive control: smart locks that prevent victims from leaving or entering, smart speakers used to monitor conversations, GPS-enabled family tracking apps used for location surveillance, thermostats and lighting controls manipulated remotely to create psychological distress, and smart plugs controlling appliances used as instruments of harassment.
The problem is facilitated by a design feature of most smart home systems: they are designed around a primary account holder who controls all devices, with secondary users having limited ability to independently access or override the system. In a household where one partner controls the smart home account, the technology creates a surveillance and control architecture that was not designed for this purpose but is well-suited to it. Domestic abuse support organisations report that removing this technology from victims' lives is a significant practical challenge: the abuser may own the devices, changing Wi-Fi passwords or removing devices may alert the abuser, and the support infrastructure that advocates have for helping victims leave abusive situations has had to adapt to an environment where the home itself may be a monitoring and control tool.
05 — What Regulation and Consumer Choice Can Do
The smart home data and security problem has structural solutions, and some of them are beginning to be implemented, with the inevitable caveats about pace and adequacy that have characterised every governance conversation in this series.
Minimum security standards — requiring unique default passwords, mandatory security update support periods, vulnerability disclosure programmes — are being implemented through the UK's PSTI Act, the EU's Cyber Resilience Act, and US efforts through NIST and FTC enforcement. These raise the floor for new devices without addressing the existing installed base. Data minimisation requirements — requiring that devices collect only the data necessary for their stated function — would address the most egregious data harvesting practices, but implementation and enforcement require technical sophistication that most regulators are still developing. Right-to-repair legislation, which several jurisdictions have begun passing, has implications for IoT security by requiring manufacturers to provide security updates and spare parts for reasonable product lifetimes rather than making products intentionally unrepairable to drive replacement cycles.
Consumer choice in this category is real but limited. Smart home devices from manufacturers with stronger privacy commitments — Apple's HomeKit ecosystem, which processes more data on-device rather than in the cloud — provide meaningfully better privacy than less privacy-focused alternatives. Researching manufacturers' data practices and update histories before purchase is possible and worthwhile. Segmenting IoT devices onto a separate network from primary computing devices limits the damage from compromised smart devices. These are genuine recommendations that make a difference at the margin.
What they do not do is address the fundamental structural tension: the business models of the companies providing the most affordable and feature-rich smart home products depend on the data those products generate. A genuinely private smart home is currently achievable only through significant technical sophistication, premium pricing that most consumers cannot sustain across an entire household of devices, or the acceptance of substantially reduced functionality. Until regulation changes the economics of data collection for the manufacturers, the consumer making privacy-preserving choices is paying a premium — in money, in convenience, or in functionality — for protection from a cost that is externalised onto everyone.
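The network segmentation recommended above can be checked rather than assumed. The following is an added example, not part of the original article: it models a home router's forwarding rules and reports any flow that lets an IoT device open a connection into the trusted network. The zone names, address ranges, rule format and sample flows are all constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed home addressing; none of these values come from the article.
ZONES = {
    "trusted": ip_network("192.168.10.0/24"),  # laptops, phones
    "iot": ip_network("192.168.20.0/24"),      # cameras, speakers, TVs
}

def zone_of(addr):
    """Map an address to a zone; anything outside the home ranges is 'internet'."""
    ip = ip_address(addr)
    return next((name for name, net in ZONES.items() if ip in net), "internet")

# Rules for NEW forwarded connections, first match wins: (src_zone, dst_zone, action).
# Replies on established connections are assumed allowed by a stateful firewall.
PERMISSIVE = [("*", "*", "allow")]    # router forwards freely between zones
SEGMENTED = [
    ("trusted", "iot", "allow"),       # owner can still manage the devices
    ("trusted", "internet", "allow"),
    ("iot", "internet", "allow"),      # devices still reach their cloud services
    ("*", "*", "deny"),                # default deny covers iot -> trusted
]

def decide(rules, src, dst):
    """Return the action of the first rule matching the flow's zones."""
    s, d = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, action in rules:
        if rule_src in ("*", s) and rule_dst in ("*", d):
            return action
    return "deny"

def audit(rules, flows):
    """List flows where an IoT device may open a connection into the trusted zone."""
    return [(src, dst) for src, dst in flows
            if (zone_of(src), zone_of(dst)) == ("iot", "trusted")
            and decide(rules, src, dst) == "allow"]

# Constructed flows: a camera probing a laptop, normal cloud traffic, owner management.
FLOWS = [
    ("192.168.20.15", "192.168.10.5"),
    ("192.168.20.15", "203.0.113.7"),
    ("192.168.10.5", "192.168.20.15"),
]

if __name__ == "__main__":
    print("permissive:", audit(PERMISSIVE, FLOWS))
    print("segmented: ", audit(SEGMENTED, FLOWS))
```

The segmented policy still allows iot -> internet, so it limits what a compromised device can reach inside the home and does nothing about the data the devices send to their manufacturers.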
Tomorrow we are stepping out of the home and into the city — smart cities, urban technology, the sensors and cameras and data infrastructure being woven into urban environments, and the question of whether the data-driven city serves its residents or turns them into data points for the benefit of the platforms managing the infrastructure. See you then.
Switched On is a daily technology series covering the ideas, systems, and arguments shaping the digital world. Opinionated. Witty. Occasionally wrong. Always worth the argument.



