This is how your WiFi router gathers and manages your data.
Your Wi-Fi router is the central hub of your home network, which means that all traffic from all Wi-Fi devices under your roof passes via it on its journey to the cloud. That's a lot of information, and it's enough to make privacy a real consideration when selecting a service.
The problem is that the average consumer knows very little about the privacy practices of router manufacturers and sellers. To begin with, data-gathering techniques are complex, and most privacy policies do a poor job of explaining them. To navigate through the dense legalese that fills them, it takes a lot of resolve for a single producer, let alone several. You'll have more questions than answers even if you go that far.
The problem(s) with data privacy policies
I dug through almost a dozen terms of service and other policy documents in quest of answers for this piece, but privacy policies aren't often written with full transparency in mind.
"All a privacy policy can tell you is that nothing horrible is going to happen," said Bennett Cyphers, a staff technologist at the privacy-focused Electronic Frontier Foundation.
"We acquire your data, and we may share it with our business partners or reveal it for any of these seven reasons," Cyphers explained. "That doesn't automatically mean the company is doing the worst possible thing with your data, but it does mean they have some leeway if they want to do something nefarious with it."
He's right: most of the privacy policies I looked at for this piece had many of the "wiggle cover" Cyphers highlighted, but with broad, ambiguous language and few specifics. Worse, many of these policies apply to the entire company, including all of its goods, services, and websites, as well as how data from sales transactions and even job applications is handled. As a result, much of what is mentioned about routers may be irrelevant.
There's also the issue of duration to think about. To put it another way, none of these privacy policies are particularly simple to comprehend. The majority of them are written in carefully crafted legalese that is intended to protect businesses rather than to inform you, the customer. Even while a few manufacturers are improving, with overview sections aimed at explaining the important parts in plain English, you'll still need to dig further into the fine print to gain a full understanding of what's going on with your data. If your company uses a third-party partner to provide additional services like threat detection or a virtual private network, you may need to read several privacy regulations to properly comprehend your data.
All of the policies I read said that the company in question collects personal data for marketing purposes, but I was curious if any of them tracked user web behavior, including websites visited while browsing. I also looked into if any manufacturers shared the personal data they collected with third parties outside of their control.
Is my router keeping track of the websites I go to?
Because your router is in charge of practically all of the web traffic in your house, it's hard to think it isn't keeping track of the websites you visit. Despite the fact that every major manufacturer admits to collecting some form of user data for the purpose of marketing, almost none of the regulations I evaluated expressly answered the question of whether or not a user should anticipate their internet history to be tracked or recorded.
What happens to my personal data?
I also enquired with the firms I researched for this essay regarding data that may be used to individually identify a user, as defined by the California Consumer Privacy Act of 2018. The law broadly defines "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating a consumer's personal information to another business or a third party for monetary or other valuable consideration" as "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means."
The majority of companies state in their privacy policies that they do not sell personal data, but the CommScope privacy policy, which covers both Arris Surfboard networking products and routers leased through your internet service provider, acknowledges that it shares information for marketing purposes, including identifiers as well as internet and other network activity information, in a way that qualifies as a sale.
According to a CommScope representative, "data used for some of our business operations, such as order fulfillment and performance analytics, as well as the use of'cookies' on our CommScope.com and Surfboard.com websites, may constitute the'sale' of 'personal information' under a conservative interpretation of California law."
Even though order fulfillment and cookies on CommScope's website aren't directly tied to the use of CommScope home networking hardware, the corporation's "yes" on the question of whether or not it sells data has some ambiguity. Nonetheless, it's worth noting that the corporation acknowledges that portions of its operations may be considered a sale under California law, whereas the majority of the manufacturers I researched did not.
"We can say that we do not sell data received from modems, and that data is not used for marketing purposes by CommScope," the company added. "However, when modems are ordered directly from us or when we provide customer service, that information is only'sold' as part of filling that order and providing those services (according to our interpretation of California law)."
Users in California can request that CommScope not sell their data on this website, but the business says it "reserves the right to take an alternate strategy" in response to requests from users outside of California.
Meanwhile, TP-Link informs CNET that it does not sell customer data and that no data obtained by its routers is used for marketing purposes. Nonetheless, the company's privacy policy appears to leave some room for interpretation: "Unless you give us permission, we will not sell your personal information; however, California law defines "sale" broadly enough that it may include the use of targeted advertising on the Products or Services, as well as the use of third-party services on our Products and Services."
Is it possible for me to opt out of data collecting completely?
According to certain manufacturers, yes. You have the right to request access to or deletion of data collected about you by others. Regardless of the details, some manufacturers provide more straightforward and practical options for protecting your privacy than others.
The best technique is to provide users with an easy-to-find tool for filing an opt-out request. Minim, the company in charge of Motorola's home networking software, is a great example. For routers like the Motorola MH7603, there's a clear option to opt out of data collection entirely in the Motosync app's settings page. "Users can opt out or withdraw consent for data collection at any moment by clicking the "withdraw" button in our router setup screen," Asus told CNET.
Regrettably, this is more of an exception than the rule. The majority of the manufacturers I examined do not provide an opportunity to opt out of data collection within their apps or websites, instead processing opt-out and deletion requests via email or a web form. Those links and addresses are frequently tucked away near the bottom of a company's privacy policy, where they are unlikely to be seen.
This is exemplified by Netgear. Apple exposes its data collection procedures, including opt-out alternatives, during iOS device setup, according to Apple's standards, but there's no way to opt out after that in the app. Users of Android, on the other hand, are unable to opt out.
A Netgear representative responded, "A user can erase their personal data by visiting to About > Privacy Policy in the Android app (or iOS) and clicking on the online form link in Section 13." "We'll look towards making this decision less hidden in the future."
Other manufacturers, such as D-Link and TP-Link, don't provide a direct way to opt out of data collection, instead directing privacy-conscious users to self-regulatory marketing industry groups like the Digital Advertising Alliance and the Network Advertising Alliance for information on how to opt out of targeted advertising via Google, Facebook, or Amazon, or to install blanket Do Not Track cookies offered by self-regulatory marketing industry groups like the Digital Advertising Alliance and the Network Advertising Alliance. That's better than nothing, but a more direct manner of opting out would be preferable, especially since Do Not Track signals may be ignored by some organizations.
"At this time, TP-Link does not honor Do Not Track signals," the company's privacy policy states.
As a result, Eero was born. Instead of providing an option to opt out of data gathering, the corporation informs customers that the only way to prevent its devices from collecting data is to not use them.
"You can stop all collection of information by the Application(s) by uninstalling the Application(s) and unplugging all of the Eero Devices," according to the Eero privacy policy.
You can request that Eero delete your personal data from its databases by sending an email to privacy@eero.com, but the company claims that there is no way to do so without disrupting a user's connection to Eero's servers and rendering their devices unusable.
According to the privacy policy, the company "may be permitted or compelled to retain such information and not remove it," so there's no guarantee that your deletion request will be granted. Even if Eero agrees to delete your data, you still have the option of making a backup.
"When we remove any information," Eero's policy adds, "it will be wiped from the active database," but "it may remain in our backups."
Food that had been provided
Data collection is all-too-common in today's consumer electronics, with concerns about smartphone apps, social media, phone carriers, online browsers, and more. Although my concerns regarding routers aren't as significant as those, you should still think about your home networking privacy.
Even if the data collecting looks to be safe, I believe that opting out of data collection wherever possible is a good idea. There's no way of knowing for sure where or how your data will be used, and privacy policies can only tell you so much about what data is being gathered. To that purpose, I've listed the opt-out choices for each of the companies mentioned in this article below. As I continue to test and evaluate networking hardware, I'll update this site.