"Smart" doorlocks have policies that let landlords and third parties spy on you

Latch is a leading vendor of internet-of-things "smart" doorlocks that are in increasing use in rental housing (the company claims 10% of all new multiunit construction incorporates their product); they allow entry by keycode, keycard, and Bluetooth.

Latch's privacy policy is the usual IoT dumpster fire, allowing the company to harvest a vast amount of information from you and also share that information with a wide array of third parties, including (sometimes) your landlord. Almost every method of unlocking your Latch requires an app in the loop (even PINs that you use with a numeric keyboard are delivered by app) and the app gathers huge amounts of information on you. Moreover, landlords can choose to configure Latch locks to require the app.

Latch says it doesn't actually use any of the information it gathers, and isn't actually sharing the data that it reserves the right to share, and has promised to revise the policy, but companies come and companies go, and leadership changes, and firms pivot (recall that for Facebook's first ten years, the company billed itself as pro-privacy and promised never to spy on its users).

Centrally controlled, building-wide smart locks are also a powerful tool for landlord harassment. A tenants' rights group in Hell's Kitchen claims their landlord is using the telemetry from smart locks on common areas to monitor which tenants are participating in meetings to address their grievances with the building's management, and is targeting those tenants for harassment in an attempt to force them out of their homes.

Additionally, IoT doorlocks are juicy targets for hackers, and they are vulnerable to failures such as botched over-the-air firmware updates, like the one that bricked the front doors of 500 Airbnbs in 2017.

As Sage Lazzaro writes in OneZero, it's bad enough when you have to "agree" to a privacy policy (that takes away your privacy) when you do normal things on the internet -- but now you have to "agree" just to go through your own front door.

Additionally, if a building is sold, the new owner “may” automatically receive the data collected. The privacy policy doesn’t explain why this data would be transferred, but goes on to say the new owner “may continue to use your user information (including PII).”

Amie Stepanovich, the U.S. policy manager for digital rights organization Access Now, says the system is “invasive” and that “Latch’s privacy policy fundamentally rejects basic tenets of privacy.”

“The entire system is coercive and carries huge risks for abuse, discrimination, and serious harm, which of course will hurt the most vulnerable populations the most,” she says.

But this is not obvious to tenants. The worrying information about data usage is buried in the company’s 3,000-word privacy policy, which, like many similar tech terms of service, is long, vague, and difficult to read.

“[The privacy policy] gives the impression that it’s there to protect privacy, when it really provides broad leeway about what information can be collected and how it can be used,” Stepanovich says. The policy also explains that while third-party companies are involved, Latch assumes no responsibility for their practices and encourages users to read those third parties’ similarly long, jargon-filled privacy policies. Other than the financial transaction provider, the policy gives no insight into the types of third-party companies that may be involved.

America’s Favorite Door-Locking App Has a Data Privacy Problem [Sage Lazzaro/OneZero]

(via /.)