Smart doorbells: data protection concerns

As more and more everyday products are produced with internet connectivity – whether it actually improves functionality or is more of a gimmick – there are increased concerns regarding cybersecurity and data protection.

The Internet of Things (IoT) refers to both these WiFi-enabled goods and the wider concept of having everything connected to the internet – smart homes and smart cities etc. The promotion of IoT often relies on its perceived advantages in terms of convenience. But the flipside is that having fridges and toasters online creates new vulnerabilities which allow malevolent hackers to exploit loopholes in cyber defences. Many household goods which integrate WiFi chips often have paltry security capabilities and are often the first point of attack for cybercriminals who are trying to infiltrate home networks.

But even if internet-connected products have decent security protocols, there is another problem: collection of data by IoT devices and the ensuing data protection concerns. Usually data is uploaded directly to the manufacturer, which can cause legal issues in itself, but it can also lead to privacy concerns due to the nature of the product – and a case in point is the Amazon Ring doorbell.

Amazon Ring: a neighbour dispute

Amazon has been selling “smart” doorbells – originally named Ring – which are fitted with WiFi-connected webcams and microphones for several years. Owners can view live or recorded footage from their Ring device on their laptop or smartphone, allowing them to monitor the perimeter of their property for any security problems. These have proved so popular that hundreds of police forces have partnered with the former bookseller as a way to solve crime in the absence of more conventional CCTV. Although Amazon claims it does not automatically grant access to footage, owners may receive requests from police officers who are looking for evidence of crimes in the neighbourhood.

One satisfied Ring customer, Jon Woodard from Oxfordshire, was so pleased with his devices that he invited his neighbour, Mary Fairhurst, over to his home to view his security measures. But rather than being impressed, Dr Fairhurst was “alarmed and appalled” to discover that one smart doorbell had been mounted on Mr Woodward’s shed and pointed at her garden and parking space, whilst another one also captured her house. A series of disputes ensued which culminated in Dr Fairhurst moving out of her home and eventually lodging claims against her former neighbour for alleged harassment, nuisance and breach of data protection law.

The Oxford County Court, hearing the dispute, upheld her claims on grounds of breaches of the Protection from Harassment Act 1997 and Data Protection Act 2018, dismissing the claim for nuisance. Perhaps of most interest to the general field of IoT was the finding in relation to data protection; namely that any data collection should meet the data minimisation principle of the UK GDPR that personal data should be “adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed”. In this case, the audio collected by Ring devices was particularly problematic, with Judge Melissa Clarke ruling that:

“I am satisfied that the extent of range to which these devices can capture audio is well beyond the range of video that they capture, and in my view cannot be said to be reasonable for the purpose for which the devices are used by the Defendant, since the legitimate aim for which they are said to be used, namely crime prevention, could surely be achieved by something less.”

The video captured by one of the cameras was also judged to fall outside the legitimate interests of the defendant.

Effect of the judgment

It’s a bit early to say whether the outcome of this case, albeit a potentially interesting bellwether, will hold much sway in the long run. Commenting on the judgment, Will Richmond-Coggan, a data protection and privacy specialist at Freeths LLP, said:

 “This case reinforces that while homeowners are entitled to use surveillance in order to protect themselves and their property, they do still need to be reminded that this is regarded as highly intrusive technology. Best practice would be to advise them to keep surveillance within the perimeter of their property, and to use signage to draw people’s attention to any particularly unusual or intrusive monitoring.

“Where surveillance extends to the public highway (to monitor a car parked on the road, for example) the homeowner should be considering more prominent signage. They should also be thinking about questions of the technical and organisational safeguards they use to protect any images collected, retention periods and the like, particularly where those images are transmitted or stored on internet-connected devices.”

In terms of the broader context of IoT, this judgment provides food for thought about the potential complexities of everyday household products being endowed with “smart” abilities, a consequence of which is often the automatic collection of personal data. Not only do owners need to worry about their own privacy, but also their responsibilities to third parties, including friends and family as well as neighbours, in relation to any personal data collected by their devices.

Advice for clients

In relation to smart doorbells in particular, lawyers should advise commercial clients to take the regular steps that they would with any other type of CCTV equipment, in addition to paying heed to any relevant privacy agreements with Amazon. The situation with private clients is a little less clear, although it seems the safest option is to ensure sound recording is disabled and the camera only trained on the owner’s property.

More broadly, manufacturers of any smart products need to consider both data protection and cybersecurity aspects in the design process. In particular, they should be made aware of the “data protection by design and by default” principle of the UK GDPR, which means they should “put in place appropriate technical and organisational measures to implement the data protection principles effectively and safeguard individual rights”. Lawyers might also ask their clients to consider whether making their products “smart” is actually necessary; avoiding WiFi capabilities which do little to enhance a product may sometimes be the smarter choice.

Further reading

Is your doorbell illegal? – Farrer & Co
Is Your Video Doorbell Invading Your Neighbour’s Privacy? – Becket Chambers
A privacy lawyer tried a smart doorbell. Here’s what happened. – Taylor Vinters

Alex Heshmaty is technology editor for the Newsletter. He runs Legal Words, a legal copywriting agency based in the Silicon Gorge. Email alex@legalwords.co.uk. LinkedIn alexheshmaty.

Image cc by-sa Ring press photo via Wikimedia.