Robot vacuums map homes, privacy risk

Robot vacuums do not just clean floors. Many of them build detailed maps of homes, and some of those maps leave the device for cloud processing. (irobot.com) (mozilla.org) That mapping is how a vacuum learns where the kitchen ends, where the rug begins, and which rooms to skip. On iRobot models with mapping enabled, map report data is sent to the company’s cloud, and turning that off disables room cleaning, keep-out zones, and schedules tied to the map. (irobot.com) iRobot says its robots capture mapping and navigation information on the device, that navigation images are not sent to the cloud, and that customer data is not sold. The company also says a user can choose whether a map appears in the mobile app, which requires sending that map to the cloud for processing. (irobot.com) The privacy risk is not only who stores the map. It is also what a map reveals: room layout, furniture placement, traffic patterns, and the fact that a device with a camera or microphone may be moving through private spaces. (mozilla.org) (nist.gov) Smart televisions collect a different kind of household data. Many use automatic content recognition, or ACR, a Shazam-like system that samples what is on screen and matches it to a content library. (ucl.ac.uk) Researchers from University College London and the University of California, Davis reported in 2024 that ACR on Samsung and LG sets worked even when the television was used as a “dumb” external display through HDMI. They also found that opting out stopped network traffic to ACR servers in their tests. (ucl.ac.uk) The Federal Trade Commission has already punished one television maker for similar behavior. In 2017, Vizio agreed to pay $2.2 million after regulators said its smart TVs collected second-by-second viewing data from 11 million televisions without users’ informed consent. (ftc.gov) The complaint said Vizio’s software captured video viewed through cable boxes, streaming devices, DVD players, and over-the-air broadcasts, then appended demographic data such as age, income, and household size for ad targeting. The settlement required clear disclosure, express consent, deletion of older data, and privacy assessments. (ftc.gov) Security failures add another layer. In October 2024, ABC reported that hacked Ecovacs Deebot X2 vacuums in multiple U.S. cities were remotely controlled and used to shout abuse through onboard speakers. Ecovacs said it found no evidence that usernames or passwords were taken from a breach of its systems. (abc.net.au 1) (abc.net.au 2) The practical tradeoff is simple: the features people pay for often depend on data leaving the room. Cloud maps enable room-specific cleaning, and ACR powers recommendations and ad targeting, but both systems turn the layout of a home or the contents of a screen into data that can be stored, shared, or exposed. (irobot.com) (ucl.ac.uk) (ftc.gov) Federal regulators and standards bodies have been pushing manufacturers toward baseline safeguards for connected devices, including secure design, access controls, and clearer disclosures. The Federal Communications Commission is also building a voluntary U.S. Cyber Trust Mark label for consumer wireless internet-of-things products. (ftc.gov) (fcc.gov) For buyers, the privacy questions are now basic product questions: does the device map the home, does it use a camera, does data go to the cloud, and can those features be turned off without breaking the product. The answers vary by brand, and the settings are often buried in apps and menus. (irobot.com) (consumerreports.org)