FutureFive New Zealand - Consumer technology news & reviews from the future
Security fears raised about home devices and apps
Fri, 28th Oct 2022

Imagine if you had to pledge loyalty to the Chinese state just to use a bathroom mirror or a lightbulb.

There is a chance you already have but did not know it.

Hidden in the terms and conditions of a range of smart devices - everyday devices that can be controlled remotely via the internet - are a number of odd conditions.

Chief among them is that you promise not to use the device in any act that includes "opposing the basic principles determined in the Constitution".

In another, earlier version this term reads, "the PRC [People's Republic of China] Constitution".

Another condition you unwittingly agree to when you install the online app that runs the smart device is that you won't use it to engage in "destroying religious policy of the state and advocating heresy and feudalistic superstition".

A total of nine (occasionally 10) conditions - virtual word-for-word copies of each other - are written into the User Agreement or Information Content Standard of companies selling "Internet of Things" (IoT) devices.

This is a huge growth market, with 12 billion IoT connections worldwide and counting as of 2020.

It's a market China dominates.

However, a 10-minute online search by RNZ turned up a dozen non-Chinese companies with the same type of conditions, including a UK one selling a mirror that can talk to you - some such mirrors have, strangely, built-in high-resolution cameras - and a German firm that sells lights.

RNZ first found the conditions amid the fine print for an app from an Australian company, Mirabella, after a local consumer came across them.

Mirabella was the only firm to respond to RNZ's queries - to say it had changed the conditions.

"The Terms of Use for the Genio App have been recently updated," its development manager John Hoang said by email.

"Some terms that were included by the App developers have been removed as they are inappropriate for Australia and New Zealand," he said.

Genio controls doorbells, cameras, smart appliances and the like from a smartphone.

Its previous service agreement for a 'Mi-Light Smart Platform' had, at point two, a condition of not "endangering state safety, disclosing state secret, subverting state power and sabotaging state unity".

And at point three, it was not "damaging state honor and benefit".

Hoang said the app and its appliances and devices were only meant to be used in accordance with laws in the country where they were being used.

The local consumer who raised the alarm said: "There's some weird stuff in there", adding they were worried about whether it meant China was penetrating people's routers or phones.

It is not unheard of for End User License Agreements (EULAs) such as these to be a playground for companies.

Apple, for instance, had terms prohibiting its iTunes service being used to make nuclear or biological weapons, while Amazon was quite OK with its cloud computing service being used to combat a zombie apocalypse.

But the terms have legal power.

Twitter used them to ban Donald Trump and get rid of screeds of QAnon pages.

Years ago, privacy campaigners tried to get Americans to care, with the Electronic Frontier Foundation warning the agreements "are efforts to bind consumers legally to a number of strict terms - and yet you never sign your name".

The new pledges of fealty, in order to run a smart lightbulb or heatpump, appear to have serious origins.

The "PRC" wording occurs in a US Securities and Exchange Commission (SEC) notice about China regulating in 2004 to prohibit registration of any Internet domain names that infringed on any of the nine conditions, which appear in the same order and with mostly the same language as in the smart device pledges.

The SEC filing refers to not disseminating "rumours, disrupt social order or sabotage social stability".

Abetting a murder or terror, slander and "coarseness" were also not on, then or now.

There is one noticeable change between 2004 and 2022: The old conditions say it is not on to "incite ethnic hatred or discrimination or damage ethnical unity", while the 2022 terms rephrase that as "inciting national hatred and discrimination and sabotaging national unity".

New regulations in 2013 spread this stand against prohibited content through into Chinese-manufactured smart devices.

Consumer New Zealand did not know anything about the terms, but its counterpart in Australia, Choice, said it would be looking into it.

China's unrivalled hold on the IoT market is the subject of serious research, and speculation, about how it is also uniquely placed to disrupt it - and not just your kitchen mixer, but the hefty side of IoT which encompasses water, transport, waste, CCTV, traffic lights and emergency services.

A 2018 report for the US-China Economic and Security Review Commission said Beijing was funding a lot of research into IoT security vulnerabilities - to protect itself, but also for exploitation.

"It should be considered 'dual-use', in that such knowledge can directly feed into unauthorised efforts to access, surveil, or penetrate IoT devices," it said.

Just a few days ago, the head of the UK's National Cyber Security Centre warned the tech was becoming "an attractive target for a range of threat actors ... The threat posed by nation states is particularly acute".

Lobbyists and others have been using these fears as a rallying cry for the US and other Western countries to do much more to lead the way in setting international tech standards, where China has been leaving them for dead.