In case you’re wondering, microwaves can’t take pictures of you. For starters, they don’t have cameras. But—and I can’t believe I’m writing this—Kellyanne Conway earlier this week was right to raise concerns about the security of “smart” devices connected to the Internet, even if it was an attempt to distract from President Trump’s unsubstantiated claim that President Obama had “wiretapped” Trump Tower.
Had Conway said she was worried about her dishwasher instead of her microwave, she might’ve been on to something. Back in 2012, a Wired headline read, “CIA Chief: We’ll Spy On You Through Your Dishwasher,” describing the clandestine agency’s very real plans to hack the “Internet of Things.” And as we now know, the CIA did find a way to turn Samsung “smart” TVs into covert listening devices.
In fact, the proliferation of Internet-connected devices with poor security is a major problem for at least a few reasons. First, they are indeed capable of exposing personal information—which is precisely why the CIA did it. The words we say in front of the TV are, to put it mildly, quite different from the words we would use on TV. And other “smart” home devices, from thermostats to baby monitors to Wi-Fi-enabled light bulbs, are also vulnerable to hacking.
Of course, the kind of personal information that might be gleaned from a smart light bulb (e.g., the time I get home from work) is probably of little interest to anyone except my boss. Likewise, I’m not sure what anyone would get out of hacking my microwave, except for the startling realization that I’ve never bothered to figure out how to use the preset buttons and would appear to have eaten nothing but breakfast burritos and Belgian waffles for the last six years.
The more immediate problem with the proliferation of hackable smart devices is that they are an Internet blackout waiting to happen. Hackers can infect and command virtual armies of devices to cause havoc online—to flood websites with so much traffic that they stop working. This is exactly what happened back in October, when major websites like Twitter (TWTR), Netflix (NFLX), Spotify, and The New York Times became inaccessible to large swaths of people across the United States. And as cybersecurity expert Bruce Schneier explains, the problem is tough to fix because smart devices don’t have a way to be patched and secured, meaning that the “only way for you to update the firmware in your hackable DVR is to throw it away and buy a new one.”
Finally, there’s the problem of what happens to the mountains of data generated by smart devices. For one thing, it may be collected and sold to data brokers or advertising networks without meaningful notice or consumer consent, as the Federal Trade Commission recently warned. And once it is in the hands of private companies, it may also be accessible to the government without a warrant, thanks to an outdated legal rule from the 1970s known as the “third-party doctrine.” As the law stands today, there is no right to privacy in many types of personal data conveyed to “third parties” like Google (GOOG) or Apple (AAPL). And with the rise of “always-on” devices like Amazon’s Echo, it raises the specter of your devices testifying against you.
You don’t have to side with Conway or Trump to recognize the real problems posed by insecure smart devices. So, if everyone would like to take off their tinfoil hats for a minute, there is a serious conversation worth having here. If not, then we will keep on getting hacked and—for some of us—keep on living in fear of our kitchen appliances.
Michael Price serves as counsel for the Brennan Center’s Liberty and National Security Program at New York University School of Law.