
IoT Privacy Policy: Grading Lowe’s IRIS

As larger companies embrace the Internet of Things (IoT), they are starting to publish formal privacy policies that describe what data they collect and what they do with that data. Unfortunately, these policies are filled with legalese and are usually as indecipherable as the End User License Agreements (EULAs) that come with packaged software.

That’s where IoT Security Labs comes in: deciphering the policy.  Today we’ll be looking at the privacy policy of the Iris home automation system published by  Lowe’s Home Centers .

[Image: Lowe's Iris Privacy Policy Evaluation]

Overview

Lowe’s IRIS is a system of interconnected sensors, controls, and cameras that allow people to check on and sometimes modify conditions in their homes.

IRIS allows people to monitor temperature, door and window openings, limited video streams and other conditions remotely, and it can send alerts when certain environmental events occur. IRIS also allows people to set thermostat, lighting and similar controls remotely.

Lowe’s IRIS Privacy Summary

The Good:

  • Lowe’s Publishes a Privacy Policy
  • IRIS System Alerts are “Separate from Other Marketing Services”
  • Potentially Insecure Communication Channels are Listed
  • Reminder to Keep Passwords, PINs and FOBs Secure

The Bad:

  • Wide Range of “Collected Information”
  • Unclear Restrictions on Partners’ Use of Information
  • Credit Card Is Always Required (And Stored)
  • Automatic Consent to Full Credit Check
  • No Time Limit on Retention of Personal Information
  • Opt-Out of Marketing Messages
  • “Do Not Track” is Ignored

The Ugly:

  • Marketing Says IRIS Could Be a Home Security System, But Legal Disagrees
  • IRIS Can Update Its Own Equipment, but Consumer Is Still Responsible for Security
  • Privacy Policy Confuses Device Communications and Web Surfing

The Good

Lowe’s Publishes a Privacy Policy

Lowe’s deserves credit for getting their privacy policy out in front of their consumers. In fact, I found the policy just by following the standard “terms of service” link on an air filter notification.

[Image: Iris smart home notification showing the privacy policy link]

IRIS System Alerts are “Separate from Other Marketing Services”

Section 13.3 of Lowe’s terms of service provides a perfect example of the message consumers should look for in their IoT systems (emphasis mine): “Your Iris service includes important email and text messages relating to alerts, system status and important account updates. These are a core part of the Iris service and separate from the other marketing services Lowe’s offer.”

Potentially Insecure Communication Channels are Listed

The IRIS policy does a good job telling consumers that the convenient communication channels they will probably use for their alerts are also potentially insecure. These include “phone call, text message, and emails.” For example, in section 13.1, Lowe’s states, “please be aware that emails in particular are not secure.”

Reminder to Keep Passwords, PINs and FOBs Secure

Lowe’s policy contains a reminder we would hope to see from any IoT vendor: “you are responsible for keeping any passwords and PIN numbers…confidential, and for keeping keyfobs…secure. You should log out… You are responsible for notifying us immediately if you believe that the security of your account may have been compromised…” (Section 13.5)

[Image: IRIS key fob]

The Bad

Wide Range of “Collected Information”

Lowe’s policy allows the company to collect a wide variety of personal information, including physical address, email address, phone numbers, photographs and “details about your various devices in your home.” (Section 20)

Unclear Restrictions on Partners’ Use of Information

The information Lowe’s collects may be used to “communicate with you,” “manage our customer information database” and “customize your experience.” Lowe’s may use this information itself or “may share personal information we collect on the Site with our service providers who perform services on our behalf.” Lowe’s may also “share your information among our affiliates and joint marketing partners, who may send you marketing information.” (Section 20)

While it is unlikely that Lowe’s intends to ship your personal video streams off to Mechanical Turk to have them mined for hints, similarly invasive uses do not appear to be prohibited by its privacy policy.

Credit Card Is Always Required (And Stored)

Even the Basic/Free tier requires consumers to enter valid credit card information. (Section 2.2) This information is then stored so the service can automatically bill you if you accidentally exceed the Basic Tier limits (Sections 4.3 and 8.2), or if you decide to upgrade to a higher service tier.

Automatic Consent to Full Credit Check

“You authorize Lowe’s to obtain a non-investigative consumer report, commonly referred to as a credit check or credit report, about you from a consumer reporting agency at any time that you are signed up to receive the Iris service.” (Section 6.4)

A credit report can reveal extensive information about you, including your date of birth, your social security number, most of your employment information, all your credit cards, bank accounts and loans, and legal actions such as bankruptcies, liens and wage garnishment.

No Time Limit on Retention of Personal Information

There is a brief and vague section about how Lowe’s will protect personal information, but there is no mention of how long the data will be retained.

Opt-Out of Marketing Messages

Lowe’s terms of service make it clear that you will need to “opt out” of its email and similar promotions. “By accepting this agreement, you agree to receive Lowe’s marketing communications both Iris specific and non-Iris specific.” (Section 20)

“Do Not Track” is Ignored

Lowe’s is similarly clear about ignoring “Do Not Track” flags. “We do not process or respond to “Do Not Track” signals from your browser or other mechanisms that enable consumer choice regarding the collection of personal information about one’s online activities over time and across third-party Websites or online services.” (Section 20)

The Ugly

Marketing Says IRIS Could Be a Home Security System, But Legal Disagrees

The video description of the IRIS system says that it could be used to detect prowlers, and there is an IRIS page dedicated to positioning the product against “Competitors: Cable/Telcos/Alarm Co’s.”

[Image: IRIS marketed as a security system]

However, Lowe’s Terms of Service make it clear that IRIS should not be used as a traditional home security system. Specifically:

  • It cannot be used for emergency service. (Section 12.1)
  • It cannot be connected directly to police or other public services. (Section 15.2)
  • It provides no insurance protection; in fact, you agree to hold Lowe’s harmless if anything does happen. (Section 18.1)
  • It was not designed to meet building or fire codes. (Section 12.1)
  • The system can send you home security alerts, but these may be “lost” and Lowe’s is not responsible for delivering these alerts. (Section 13.1)

The contradiction is a problem for people (like us) evaluating the privacy of the system because we cannot be sure if we should look at it as a security system or not. (Ultimately, we decided it was not.)

RECOMMENDATIONS:

  • For Consumers: Don’t buy IRIS to use as a home security system.
  • For Vendors: Square your marketing with your terms of service.

IRIS Can Update Its Own Equipment, but Consumer Is Still Responsible for Security

Lowe’s Terms of Service state that “Once your system is registered and working, we may need to access your hub or devices to upgrade the firmware.” (Section 2.3) That’s fine until you get to the part which states, “you alone are responsible for protecting…Iris products…from unauthorized access, viruses, spyware and all other types of malicious code.” (Section 13.4)

As a consumer, I’m now confused: is Lowe’s going to fix everything EXCEPT security problems with my devices?

RECOMMENDATIONS:

  • For Consumers: To limit the damage a compromised device can do at home, consider deploying ALL your in-house automation on a separate network from your home computers, tablets and other systems. (An easy way to do this with a home router is to put all your wireless automation on your “GUEST” network, which most home routers isolate from the main network. Commercial routers can also be used to “segment your network.”)
  • For Vendors: If you claim responsibility for updating and maintaining your deployed components, you also need to claim responsibility for keeping them secure and virus-free.
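To make the “segment your network” recommendation concrete, here is an added example of what that segmentation looks like as firewall rules on a Linux-based router running nftables. This is not code from the original post, from Lowe’s, or from any router vendor; the interface names (eth0 for the internet uplink, lan0 for the trusted home LAN, iot0 for the isolated automation network) are assumptions, and you would substitute the names or VLAN interfaces your router actually uses. The policy is the one the recommendation implies: your phones and computers may reach the automation devices, the automation devices may reach the internet (vendor cloud and firmware updates), and nothing on the automation network may initiate a connection into the trusted network.

```nft
#!/usr/sbin/nft -f
# Constructed example: three-interface home router (interface names assumed)
#   eth0 = WAN / internet uplink
#   lan0 = trusted home LAN (computers, tablets, phones)
#   iot0 = isolated automation network (hub, sensors, cameras)
flush ruleset

table inet filter {
    chain forward {
        # Deny every forwarded packet unless a rule below allows it
        type filter hook forward priority 0; policy drop;

        # Reply traffic for connections already permitted below
        ct state established,related accept
        ct state invalid drop

        # Trusted LAN may reach the internet and may initiate connections to
        # automation devices (e.g. a phone app talking to the hub locally)
        iifname "lan0" oifname { "eth0", "iot0" } accept

        # Automation network may only reach the internet (vendor cloud,
        # firmware updates); it never gets a route into the trusted LAN
        iifname "iot0" oifname "eth0" accept

        # Log and drop any attempt by an automation device to start a
        # connection toward the trusted LAN, which is the sign of a
        # compromised or misbehaving device worth investigating
        iifname "iot0" oifname "lan0" log prefix "iot-to-lan-blocked: " drop
    }
}

table ip nat {
    chain postrouting {
        # Both internal networks share the single public address
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }
}
```

Loading the file with `nft -f` replaces the running ruleset. The one-directional allow rule from lan0 to iot0 is what preserves local control of the devices while still keeping the automation segment from reaching back into your computers; the log line gives you a place to look (the kernel log) if a device on that segment ever starts probing the trusted side.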

Privacy Policy Confuses Device Communications and Web Surfing

Lowe’s privacy policy starts strong, with explicit commitments to avoid commingling IRIS alerts and regular Lowe’s marketing. However, the “Privacy Notice” section (Section 20) appears to blur the lines.

The problem could be that the IRIS privacy notice appears to be a modification of a standard retailer’s web site privacy policy, which essentially says that the retailer can use any means necessary to figure out who you are, track you, and present you with targeted offers based on your likely purchasing patterns.

Some of that baggage remains in phrases like “web beacons” that don’t apply to device communications. At the same time, Lowe’s also tries to carve out special protection for device communications in “Service Delivery” clauses and the like. Unfortunately, the result is a mishmash of web and device privacy rules that seem to leave IRIS data open to many uses – several of which could surprise privacy-seeking consumers.

RECOMMENDATIONS:

  • For Consumers: Seek out vendors that treat device information with special care, as outlined in their privacy policies.
  • For Vendors: Be careful not to let overzealous web site privacy policies (which aim to identify “anonymous” visitors and address particular demographics accessing your site with specific offers) bleed into your device privacy policies (where the identity of your consumers is already known).

Lowe’s IRIS Privacy Policy

Current Policy | Evaluated Policy (PDF, Nov 18, 2014)

Next Steps

Take the IoT Privacy Survey

Suggest Another Privacy Policy to Review