Is my robot vac spying on me? Data privacy, explained

“The walls have ears” is fast becoming an outdated phrase, especially now that your phone, your fridge, your Fitbit, even your dog’s collar, could potentially be listening in to whatever is happening around you and in your safe space—your home.

More and more often, you might see “robot vacuum” on such lists of home robotics, i.e. household spy items. If 63% of consumers are creeped out by smart devices, then the one that you schedule to roam about your hardwood floors and map your house, connect to the Internet, and stream video could be the creepiest creeper of them all.

Data privacy is an increasingly hot topic, with concerns that range from the apocalyptic to the rather mundane. But, is there anything to actually worry about?

In the modern data economy there are a lot of eyes on our personally identifiable information (PII). Hopefully, by looking at sensitive data through the lens of a little Roomba, we can get some answers, not only about iRobot's data management policies, but about data privacy law and regulation in the robot vacuum industry in general.

What is a smart robot vacuum?

At its most basic, the word “smart” placed in front of an appliance implies that it can connect to the internet. The term dates back to around 1995 with the introduction of IBM’s Simon Personal Communicator, and it has stuck.

Since then, “smart” has evolved and broadened to define everything from compatibility with home assistants like Alexa and Google Home, to a home robotics product that is programmable, to the suggestion that an item possesses artificial intelligence.

In the world of robot vacuums this runs the gamut of being able to operate your robot vacuum from a cell phone via Wi-Fi to programming it to activate when you leave your house.

What kind of sensitive data can a robot vacuum gather?

All smart devices, like your cellphone or smart bulb, gather what is known as metadata. Examples of gathered metadata often include when you turn on an appliance and your duration of use.

You may have heard the term “metadata” used by privacy experts, because it is something hackers can passively gather without having to break into your network.

It’s akin to someone sitting outside your home and guessing that you’re cooking because your kitchen lights are on.

Aside from metadata, many smart robot vacuums use cameras or Lidar to create floor maps of your entire home as they clean. This helps it to navigate around obstacles and also enables it to stream sensitive data, like videos, to your phone as a mobile security system. In many cases, companies collect run time, square footage cleaned, and if the robot encounters any errors.

However, reporting from MIT Technology Review on iRobot, highlights just how powerful video capture capabilities on robotic vacuums can be.

December 2022 and January 2023 reporting shows how iRobot has collected video data of product tester’s homes, and used it for AI-training in surprising ways, sending it to be tagged and processed by contracted development teams outside the U.S.—in a policy that iRobot has claimed was covered by its tester privacy agreement, yet some testers have felt they didn’t sign up for.

Concerningly, MIT Technology Review reports that in 2020 at least 15 images of sensitive data ended up on private contractor Facebook groups. These include disturbing images of a woman sitting on a toilet in her home bathroom, as well as images of young children. While the tester models were tagged with labels that clearly notated “video recording in progress,” some of the testers felt that they hadn’t consented to their data being used in this way.

While these privacy incidents happened during product testing—which falls under a different privacy agreement than the one that applies to iRobot’s general consumers, and doesn’t necessarily reflect the data that is collected by consumer versions of iRobot, or the consumer version’s data collection capabilities—it provides a concerning illustration of just how powerful of a sleuth a robot vacuum has the potential to be, and just how specific and tricky data privacy language can be.

What are the data protection laws and data privacy regulations out there?

The most stringent and comprehensive law that we could find on record in the U.S. is the California Consumer Privacy Act (CCPA). The big highlights include: The right to know about the personal information a business collects about them and how it is used and shared, to delete personal information collected from them (with some exceptions), to opt-out of the sale of their personal information, and the right to non-discrimination for exercising their CCPA rights. The law also mandates that businesses publish a simple way to contact them in relation to CCPA concerns.

In 2020 Californians voted to amend the CCPA with Proposition 24, the CPRA. Fully implemented as of January 1, 2023, the CPRA protects data with two provisions, the “the right to correct inaccurate personal information that a business has about them,” and “the right to limit the use and disclosure of sensitive personal information collected about them.”

These expansions of the law should give you more control over how businesses distribute the data they collect about you, including sensitive data such as precise geolocation data, financial data… or theoretically video.

Even if you don’t live in California, robot vacuums that are sold nationally need to be compliant.

Companies like iRobot and Ecovacs also follow the data protection regulation GDPR, which is the European version of the CCPA.

What do the brands like iRobot, Eufy, and Ecovacs have to say about data privacy?

iRobot has pretty comprehensive documentation on how users’ sensitive data is stored. The eufy and Ecovacs privacy policy are similarly exhaustive (and a bit exhausting to read through).

iRobot

Mike Gillen, director of product and data security at iRobot tells us, “Beyond internal initiatives, iRobot promotes and sponsors a public bug bounty program, submits products to external penetration testing, and conducts routine automated scans on iRobot's operating environment.”

Eufy

When we asked Eufy for comment on how they use data for research and development they referred us to their data privacy statement and declined to comment further.

Ecovacs

Ecovacs’ privacy policy includes a number of third party analytics software including highly recognizable services such as Google Analytics, as well as less talked about tools such as Bazaarvoice, each of which comes with its own data collection policy.

The Ecovacs spokesperson told us their “latest models utilize a mix of Artificial Intelligence and Visual Intelligence... ‘AIVI’ models are certified by TÜV Rheinland, an independent, third-party organization that certifies consumer devices to meet the specifications of ETSI TS 303 645.”

When we asked about whether Ecovacs uses customer data for training, their answer was yes, but with tight restrictions. Certain Ecovacs products such as the Deebot use video for navigation.

“Deebot stores these videos/images in the cloud on an AWS server. This data may be accessed by Ecovacs for research and development, troubleshooting, and to help improve our products and services, for example to improve obstacle avoidance accuracy—with the customer’s opt-in/ permission.”

“All data (not just video stream) is encrypted using AES-128 (128-bit Advanced Encryption Standard). Access to the Video Manager feature on the app can also be password protected. These models have also achieved security and data protection certification through TÜV Rheinland to meet ETSI TS 303 645 standards.”

What if I want my sensitive data deleted?

For iRobot, the easiest way to have the collected and stored data deleted is to request it through the app.

However, we did catch this tidbit in iRobot’s Privacy Policy: “We reserve the right to anonymize your personal data, including information about Robot and Service usage, and to retain your anonymized information for our own records and for product and feature development purposes.”

Basically, this means that iRobot will eliminate any connection between you and the data collected, but your sensitive data may remain in iRobot’s servers.

Bethany Singer Baefsky, director of privacy and data protection officer at iRobot, says, “iRobot follows the GDPR standard for everyone when it comes to deletion, and we do not limit it just to the EU. That means that wherever you are, if you request data deletion, your personal information will be purged within 30 days, in accordance with GDPR standards.”

About general data protection regulation, she continues, “For data access requests, we comply with all statutory time frames. Where there is no statutorily required timeframe for providing data, or no legal requirement to provide data at all, we operate within the CCPA's framework and provide data in a commonly used, machine readable format within 45 days of receiving a verifiable request.”

Ecovacs indicates in its privacy policy that: “You can request to obtain a copy of Your Personal Information in a commonly used electronic format so that you can manage and move it. Be advised that we may not be able to delete your personal information without also deleting your user account.”

In plain English, this means that you can request a hard copy of all the sensitive data that has been collected on you and have it deleted from Ecovacs’ servers, though it will probably erase your account as well. ‘

They said as much when we asked them directly, “Clearing videos/photos from the app also deletes them from the server. A factory reset of the robot will also clear any locally saved maps of your home.”

Who in their right mind would still want a smart robot vacuum?

The answer to this question comes as a single word: Convenience.

Imagine you’re out running errands or at your kid’s soccer game and you get a call that guests are coming over to your house in an hour: Are your floors presentable? Is there pet hair everywhere?

By accessing an app on your phone, you can activate your smart robot vacuum and get some peace of mind that dust bunnies won’t be greeting your guests.

Final question: Is my robot vacuum a spy?

Yes, but probably not any more than your cell phone, your credit card, your ISP, your Alexa, your gym membership, or your neighbors. And, according to Singer Baefsky, at least in iRobot's case, you have to give informed consent.

The product experts at Reviewed have all your shopping needs covered. Follow Reviewed on Facebook, Twitter, and Instagram for the latest deals, product reviews, and more.