SimpliSafe Is Far From Safe
π 50
https://blenderdumbass.org/articles/how_to_spot_an_evil_law_ : π 1
https://blenderdumbass.org/articles/how_i_made_car_crash_animation_in_blender_for_moria_s_race_ : π 2
https://blenderdumbass.org/videos/peertube___i_fixed_the_curbs___exercise_in_pointlessness___dani_s_race_gta_clone___upbge_blender_3d_on_gnu___linux : π 1
https://blenderdumbass.org/ : π 1
https://blenderdumbass.org/reviews/licorice_pizza_2021_is_how_pta_beats_besson_at_his_own_game__while_getting_a_best_picture_oscar_nomination : π 1
![[avatar]](/pictures/favicon.png)
by Blender Dumbass
Aka: J.Y. Amihud. A Jewish by blood, multifaceted artist with experience in film-making, visual effects, programming, game development, music and more. A philosopher at heart. An activist for freedom and privacy. Anti-Paternalist. A user of Libre Software. Speaking at least 3 human languages. The writer and director of the 2023 film "Moria's Race" and the lead developer of it's game sequel "Dani's Race".
Information or opinions might not be up to date.
Once in a while, while watching a video on Invidious ( a proxy site allowing to watch YouTube videos in freedom ) I come across a very interesting advertising. SimpliSafe. A collection of home appliances that make security of the home supposedly simpler. And therefor makes your home safer. β© Reply
Just by thinking about a high tech company making security devices I cringe. So I had to look into it to see whether my gut feeling about this whole thing is right. Or perhaps I was wrong and SimpliSafe actually can be trusted. Spoiler Alert: I wasn't wrong! β© Reply
The Bogus Concept
Before we go through their dirty laundry let's talk about things I assumed that they do being a high tech company selling basically cameras that are connected 24 / 7 to their servers. β© Reply
At the very least with tethered devices like these the company might just shut the whole service down one day and everything you purchased will stop working. This happened multiple times already with various tethered devices. β© Reply
But then there is the elephant in the room. The insane level of total surveillance this kind of technology has to have in order for it's intended functionality to work. For example the advertised feature of seeing what's going on at your house from your phone. β© Reply
For this to work a video stream should be recorded by the cameras of those devices, this video stream should be sent to the company, in this case SimpliSafe, and then this video stream should be sent to your phone from the company. In an ideal way if such a system would actually be needed, it would be done with end-to-end encryption. But why would a security company think of security? I never had any faith in them actually implementing something like this, because I never thought that this company was anything but another attempt at selling surveillance to people. Oh boy, what I found by just looking a their privacy policy. β© Reply
Also a thing that I was afraid SimpliSafe was not about to even try to solve was the fact that police around the world find surveillance technology very handy to ignore basic investigation rules. In most countries a police officer should have a written, justified warrant to even enter your house without your consent. So something like looking at your security camera footage, should also include such a warrant. But if you consent to this footage being used by a company for, say the purpose of sharing it with law enforcement, this whole idea of a warrant goes right out of the window. Even if you did read what you consented to. β© Reply
This reminds me of a situation with a similarly bad taste that happened to the users of Amazon Kindle. One day a lot of people found that the device deleted one book simultaneously to a lot of people. People who paid for the book the way Amazon wanted them to pay for it. The irony of the situation was that the book itself was non-other but George Orwell's classic 1984. But the joke didn't end there. They apologized for the incident and promised that they will not do it ever again unless the government will ask them to. Exactly... If you read the book, you know how bad this sounds. β© Reply
A lot of countries today violate basic human rights, especially the right to privacy. China, Russia and North Korea are at the top of that list. And so imagine how great of a gift would something like SimpliSafe be to the tyrannical leader of such a country, if, say, the camera footage will be promised to be given only to the government if they ask to. β© Reply
See, end-to-end encryption is a very valuable tool especially for people in countries like these. But even in better countries, when there is a sign that something about the government is a bit phony, a non-legal protection of human rights against the government should also exist. Services like Tor, Matrix or Signal provide it. But SimpliSafe seems like something designed to do the opposite. β© Reply
Let's Read The Terms
So right out of the gate, the website simplisafe.com didn't work at all under LibreJS. Everything is done using proprietary JavaScript. Through the
When you scroll down to the bottom of the page you see a link to Privacy Promise which already sounds a little bit ridiculous. And that I thought was their Privacy Policy. If you look even closer, even lower on the page, with a very small print they have a link to the actual Privacy Policy. β© Reply
Clearly one was intended for the curious customers to click on. And the other was there to cover their asses if somebody will have a complaint of some sort. So let's go and compare the two to see if they differ in any way. β© Reply
You can immediately see the difference in presentation. One has pretty pictures and inviting look overall. The other looks like a tedious legal document, because technically it is one. β© Reply
Both start on a familiar empty statement that the company "takes your privacy seriously", probably in a hope that people will calm down immediately and not read any further than that. Then come differences. β© Reply
The privacy promise goes over technical things like that there is a light on the camera indicating that it records. And that there is a sound you can hear when it turns on and stuff like that. Which is an empty statement because the intended use, the use a person will buy those cameras for, is to record the video. So of course the camera will be working. This is what it is intended to do. β© Reply
Then it claims that the user has full control over the recordings. And under that they say something stupid like this: β© Reply
We will not share your information with law enforcement unless we are required to do so by law.
β© Reply
This already undermines everything related to your safety if you live in China or North Korea. The camera could simply not send any of the recordings over the network unless the person wants to see them. But no, they clearly have access to the recordings. And they can provide them to law enforcement. The law enforcement statement might suggest that they will wait for a proper warrant. But that is also kind of unclear. β© Reply
Then they claim that you can delete the video if you want to. And then they also tell you that you are free to turn the cameras off if you want to. β© Reply
In the privacy policy though they claim slightly different things. For example there is this hilarious statement: β© Reply
Your sensitive personal information will not be used for any additional purposes that are incompatible with the purposes listed above, unless we provide you with notice of those additional purposes or gather your consent as required by law.
β© Reply
Look how they are not saying that they will not use your data unless you both know about it and you have consented to it, but rather they user the word "or" to separate the two. So technically speaking they just have to provide a small print notification to you if they use the data in anyway that is not listed in the Privacy Policy. Very clever. β© Reply
Here is how they word a request from law enforcement: β© Reply
Under certain circumstances, we may be required to disclose your personal information in response to valid requests by public authorities, including to meet national security or law enforcement requirements.
β© Reply
No mention of a proper warrant, but instead a vague mention of some kind of "valid request". Whatever that is. It could be that the law enforcement agent basically just sends them an email asking for information. That could be a "valid request" right? Also notice that it mentions "public authorities" in general. Not necessarily law enforcement. That could anybody. β© Reply
Okay, but how about your ability to delete the videos if you don't want them to be there? Here is how they word this in the Privacy Policy: β© Reply
The right to request that we delete any personal information we have collected about you. Please note this right is not absolute and that SimpliSafe will, in some cases, retain personal information as allowed by applicable laws and to support essential functionality, such as maintaining your subscription.
β© Reply
I believe this statement speaks for itself. β© Reply
Then the Privacy Policy also introduces a bunch of stuff that people should avoid like fire. For example, they work with analytics providers that obviously deal with selling data. And they list that they work with: β© Reply
- Google - Facebook β© Reply
- Optimizely - Amplitude β© Reply
- FullStory β© Reply
- Amazon - Apple β© Reply
Another interesting thing is this quote from the Privacy Policy: β© Reply
At this time, our Site does not respond to βdo not trackβ signals or similar mechanisms sent automatically by your browser to indicate you do not wish to be tracked or receive interest-based ads.
β© Reply
Which is just something I wanted to include because it made me cringe a bit while I got to that point. β© Reply
And of course they say this: β© Reply
Our Privacy Policy may change from time to time
β© Reply
Well this means that even some supposedly not so bad things in the policy might be altered and become worse over time. β© Reply
No Warranty For Security
Both Terms Of Service and Terms Of Use have capital letters texts telling explicitly that there is no warranty for the devices and that they are not responsible for anything if anything goes wrong. β© Reply
Like this statement: β© Reply
YOUR USE OF THE WEBSITE, ITS CONTENT AND ANY SERVICES OR ITEMS OBTAINED THROUGH THE WEBSITE IS AT YOUR OWN RISK.
β© Reply
Meaning that they are not actually caring about your security. β© Reply
Of course it could sound somewhat strange coming from a person that uses only Free Software that also clearly states similar things. But it is one thing to request a warranty from a program developed by random people on the internet with various levels of knowledge. And that is completely different to ask for a warranty from a device manufacturer that specializes on security specifically. β© Reply
So What Should You Do If You Want Security?
The best way to have something like security cameras, perhaps even with remote access to their feeds is to make it yourself. There are security kits out there that record the streams of video into a hard drive in your house. β© Reply
With even the most basic things like python's
http.server module and one tutorial worth of setting up, you can make a Torified end-to-end encrypted way to see those video-files remotely from a phone, or any other computer. And there is no company in between that you need to trust.
β© Reply
But perhaps if you want to stay safe, you should not actually carry a phone with you. But that is an article for another day. β© Reply
Happy Hacking!!! β© Reply
Find this post on Mastodon
![[thumbnail]](https://upload.wikimedia.org/wikipedia/en/thumb/1/1f/Mission_Impossible_%E2%80%93_The_Final_Reckoning_Poster.jpg/250px-Mission_Impossible_%E2%80%93_The_Final_Reckoning_Poster.jpg)
![[thumbnail]](https://upload.wikimedia.org/wikipedia/en/5/56/The-island.jpg)
![[thumbnail]](https://notabug.org/jyamihud/JYTransactions-GTK/raw/master/icon.png){kind=icon}
![[thumbnail]](https://upload.wikimedia.org/wikipedia/en/b/b2/Final_Destination_3.jpg)