Parts of the article might not be correcly converted. For best experience, go to the Tor site.
http://ttauyzmy4kbm5yxpujpnahy7uxwnb32hh3dja7uda64vefpkomf3s4yd.onion
SimpliSafe Is Far From Safe
Once in a while, while watching a video on Invidious ( a proxy site allowing to watch YouTube videos in freedom ) I come across a very interesting advertising. SimpliSafe. A collection of home appliances that make security of the home supposedly simpler. And therefor makes your home safer.
Just by thinking about a high tech company making security devices I cringe. So I had to look into it to see whether my gut feeling about this whole thing is right. Or perhaps I was wrong and SimpliSafe actually can be trusted. Spoiler Alert: I wasn't wrong!
The Bogus Concept
Before we go through their dirty laundry let's talk about things I assumed that they do being a high tech company selling basically cameras that are connected 24 / 7 to their servers.
At the very least with tethered devices like these the company might just shut the whole service down one day and everything you purchased will stop working. This happened multiple times already with various tethered devices.
But then there is the elephant in the room. The insane level of total surveillance this kind of technology has to have in order for it's intended functionality to work. For example the advertised feature of seeing what's going on at your house from your phone.
For this to work a video stream should be recorded by the cameras of those devices, this video stream should be sent to the company, in this case SimpliSafe, and then this video stream should be sent to your phone from the company. In an ideal way if such a system would actually be needed, it would be done with end-to-end encryption. But why would a security company think of security? I never had any faith in them actually implementing something like this, because I never thought that this company was anything but another attempt at selling surveillance to people. Oh boy, what I found by just looking a their privacy policy.
Also a thing that I was afraid SimpliSafe was not about to even try to solve was the fact that police around the world find surveillance technology very handy to ignore basic investigation rules. In most countries a police officer should have a written, justified warrant to even enter your house without your consent. So something like looking at your security camera footage, should also include such a warrant. But if you consent to this footage being used by a company for, say the purpose of sharing it with law enforcement, this whole idea of a warrant goes right out of the window. Even if you did read what you consented to.
This reminds me of a situation with a similarly bad taste that happened to the users of Amazon Kindle. One day a lot of people found that the device deleted one book simultaneously to a lot of people. People who paid for the book the way Amazon wanted them to pay for it. The irony of the situation was that the book itself was non-other but George Orwell's classic 1984. But the joke didn't end there. They apologized for the incident and promised that they will not do it ever again unless the government will ask them to. Exactly... If you read the book, you know how bad this sounds.
A lot of countries today violate basic human rights, especially the right to privacy. China, Russia and North Korea are at the top of that list. And so imagine how great of a gift would something like SimpliSafe be to the tyrannical leader of such a country, if, say, the camera footage will be promised to be given only to the government if they ask to.
See, end-to-end encryption is a very valuable tool especially for people in countries like these. But even in better countries, when there is a sign that something about the government is a bit phony, a non-legal protection of human rights against the government should also exist. Services like Tor, Matrix or Signal provide it. But SimpliSafe seems like something designed to do the opposite.
Let's Read The Terms
So right out of the gate, the website simplisafe.com didn't work at all under LibreJS. Everything is done using proprietary JavaScript. Through the Wayback Machine I saw able to load a working version of the website, good enough to access their legal stuff.
When you scroll down to the bottom of the page you see a link to Privacy Promise which already sounds a little bit ridiculous. And that I thought was their Privacy Policy. If you look even closer, even lower on the page, with a very small print they have a link to the actual Privacy Policy.
Clearly one was intended for the curious customers to click on. And the other was there to cover their asses if somebody will have a complaint of some sort. So let's go and compare the two to see if they differ in any way.
You can immediately see the difference in presentation. One has pretty pictures and inviting look overall. The other looks like a tedious legal document, because technically it is one.
Both start on a familiar empty statement that the company "takes your privacy seriously", probably in a hope that people will calm down immediately and not read any further than that. Then come differences.
The privacy promise goes over technical things like that there is a light on the camera indicating that it records. And that there is a sound you can hear when it turns on and stuff like that. Which is an empty statement because the intended use, the use a person will buy those cameras for, is to record the video. So of course the camera will be working. This is what it is intended to do.
Then it claims that the user has full control over the recordings. And under that they say something stupid like this:
We will not share your information with law enforcement unless we are required to do so by law.
This already undermines everything related to your safety if you live in China or North Korea. The camera could simply not send any of the recordings over the network unless the person wants to see them. But no, they clearly have access to the recordings. And they can provide them to law enforcement. The law enforcement statement might suggest that they will wait for a proper warrant. But that is also kind of unclear.
Then they claim that you can delete the video if you want to. And then they also tell you that you are free to turn the cameras off if you want to.
In the privacy policy though they claim slightly different things. For example there is this hilarious statement:
Your sensitive personal information will not be used for any additional purposes that are incompatible with the purposes listed above, unless we provide you with notice of those additional purposes or gather your consent as required by law.
Look how they are not saying that they will not use your data unless you both know about it and you have consented to it, but rather they user the word "or" to separate the two. So technically speaking they just have to provide a small print notification to you if they use the data in anyway that is not listed in the Privacy Policy. Very clever.
Here is how they word a request from law enforcement:
Under certain circumstances, we may be required to disclose your personal information in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
No mention of a proper warrant, but instead a vague mention of some kind of "valid request". Whatever that is. It could be that the law enforcement agent basically just sends them an email asking for information. That could be a "valid request" right? Also notice that it mentions "public authorities" in general. Not necessarily law enforcement. That could anybody.
Okay, but how about your ability to delete the videos if you don't want them to be there? Here is how they word this in the Privacy Policy:
The right to request that we delete any personal information we have collected about you. Please note this right is not absolute and that SimpliSafe will, in some cases, retain personal information as allowed by applicable laws and to support essential functionality, such as maintaining your subscription.
I believe this statement speaks for itself.
Then the Privacy Policy also introduces a bunch of stuff that people should avoid like fire. For example, they work with analytics providers that obviously deal with selling data. And they list that they work with:
- Optimizely
- Amplitude
- FullStory
Only seeing the first two undermines any attempt at privacy with these things. Those are literally surveillance machines. But that doesn't stop there. There are option you can add, and I believe some poor idiots did, that add more surveillance by such companies as:
- Amazon
- Apple
Another interesting thing is this quote from the Privacy Policy:
At this time, our Site does not respond to “do not track” signals or similar mechanisms sent automatically by your browser to indicate you do not wish to be tracked or receive interest-based ads.
Which is just something I wanted to include because it made me cringe a bit while I got to that point.
And of course they say this:
Our Privacy Policy may change from time to time
Well this means that even some supposedly not so bad things in the policy might be altered and become worse over time.
No Warranty For Security
Both Terms Of Service and Terms Of Use have capital letters texts telling explicitly that there is no warranty for the devices and that they are not responsible for anything if anything goes wrong.
Like this statement:
YOUR USE OF THE WEBSITE, ITS CONTENT AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE IS AT YOUR OWN RISK.
Meaning that they are not actually caring about your security.
Of course it could sound somewhat strange coming from a person that uses only Free Software that also clearly states similar things. But it is one thing to request a warranty from a program developed by random people on the internet with various levels of knowledge. And that is completely different to ask for a warranty from a device manufacturer that specializes on security specifically.
So What Should You Do If You Want Security?
The best way to have something like security cameras, perhaps even with remote access to their feeds is to make it yourself. There are security kits out there that record the streams of video into a hard drive in your house.
With even the most basic things like python's
http.server
module and one tutorial worth of setting up, you can make a Torified end-to-end encrypted way to see those video-files remotely from a phone, or any other computer. And there is no company in between that you need to trust.
But perhaps if you want to stay safe, you should not actually carry a phone with you. But that is an article for another day.
Happy Hacking!!!
Comments work only on the Tor site:
http://ttauyzmy4kbm5yxpujpnahy7uxwnb32hh3dja7uda64vefpkomf3s4yd.onion
http://ttauyzmy4kbm5yxpujpnahy7uxwnb32hh3dja7uda64vefpkomf3s4yd.onion