TP-Link Tapo Smart Plug with Energy Monitoring

Energy efficient construction methods and insulation
Oldgreybeard
Posts: 1873
Joined: Thu Sep 09, 2021 3:42 pm
Location: North East Dorset

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#11

Post by Oldgreybeard »

TP Link are Chinese, and like all Chinese companies are 100% under the control of the Chinese government. This means that, by default, all information these units collect, and all control they exert over any appliance, are capable of being directly collected or influenced by the Chinese Communist Party. It also means that anyone buying such items is directly contributing towards a totalitarian regime that is carrying out genocide and the suppression of all non-Han Chinese peoples within the borders of mainland China. If people are OK with that, then fine, carry on buying these products and promoting them in order to promote genocide and the suppression of human rights.
25 off 250W Perlight solar panels, installed 2014, with a 6kW PowerOne inverter, about 6,000kWh/year generated
6 off Pylontech US3000C batteries, with a Sofar ME3000SP inverter
cojmh
Posts: 217
Joined: Wed Mar 16, 2022 8:11 pm
Location: West Midlands

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#12

Post by cojmh »

Oldgreybeard wrote: Fri Sep 23, 2022 9:57 pm
TP Link are Chinese, and like all Chinese companies are 100% under the control of the Chinese government. This means that, by default, all information these units collect, and all control they exert over any appliance, are capable of being directly collected or influenced by the Chinese Communist Party. It also means that anyone buying such items is directly contributing towards a totalitarian regime that is carrying out genocide and the suppression of all non-Han Chinese peoples within the borders of mainland China. If people are OK with that, then fine, carry on buying these products and promoting them in order to promote genocide and the suppression of human rights.

OGB,

I think we need to be a little careful here.

Yes, there are bad things happening in China, things that are inexcusable - but to tar all Chinese and all Chinese/Chinese-linked companies with the same brush is not exactly fair. My understanding is that TP-Link is headquartered in Hong Kong and whilst that is China now it still has a western background.

The other thing here is like it or not China is a manufacturing powerhouse that produces a lot of things that go into a lot of products that are not sold as "Chinese" products.

The question was about TP-Link, I am happy to discuss the pros and cons of their EULA (and other companies) and practical ways to protect info/hardware from outside attack wherever that might come from. My simple point was that the information gathered is no worse than I see in lots of other companies and some of it is necessary to provide a service.

Oh and just for full disclosure - whilst I am British, my wife is Chinese and like most things in life .... few things are black or white.

No hard feelings.

Jonathan
Oldgreybeard
Posts: 1873
Joined: Thu Sep 09, 2021 3:42 pm
Location: North East Dorset

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#13

Post by Oldgreybeard »

Hong Kong lost every single Western value over the past few years, has a puppet government that has been put in place by the Chinese Communist Party and is now, to all intents and purposes a part of authoritarian China. It is not like Taiwan, that remains independent of the atrocities carried out every day by the government of China, and no amount of whitewash BS will cover up the suppression and genocide being carried out every single day by the Han Chinese totalitarian government of China. China is every bit as extreme as Russia, more so in terms of the suppression of minorities and any nationality or religion that does not fall within the approved remit of the Chinese Communist Party. Anyone that thinks for one moment that the Chinese government is not collecting and making use of data collected by all connected products manufactured in China or Hong Kong is living in cloud cuckoo land and will, sooner or later, realise quite what they are consenting to in terms of the abuse of minorities (including minorities within Hong Kong).

I own Chinese made products that have internet connectivity. They have all been lobotomised by me to remove their connectivity to China. Worst was our Hikvision CCTV system, that was sending masses of data back to Chinese servers by default, to aid the Chinese intelligence services in their surveillance of every part of the world (and China has the highest level of video surveillance of any nation on earth). Same applied to our Sofar inverter, by default that connected our home LAN, and all the traffic on it, to the Chinese government servers that were collecting all the traffic from our home. That now has been lobotomised, and can now only communicate to our LAN, and has no internet access.

Well worth installing a utility like Wireshark and spending a few hours seeing how much data is being transmitted to China and where in China it is going. It is pretty shocking just how much data collection is taking place, aided and abetted by the ignorant that have no idea they are acting as agents for a hostile foreign power.

Finally, no EULA has any legal standing at all if it originated within China. The Chinese government make no secret of the fact that they have the power and authority to do anything they wish with data that comes into China through the GFWoC. They have no laws protecting contracts, intellectual property or personal freedoms, and nothing written into any contract by any Chinese company is immune from being overridden by the government of China. They don't even recognise the concept of patent protection, as is very obvious from the very large number of exact copies made by Chinese companies.
cojmh
Posts: 217
Joined: Wed Mar 16, 2022 8:11 pm
Location: West Midlands

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#14

Post by cojmh »

OGB,

Thank you for sharing your opinion of the situation - you are entitled to your view and I respect that.

I think it is best I withdraw from this discussion as I have clearly hit a nerve and don't wish to get into an online debate about this topic as I don't see a happy ending to the discussion - the situation is too complex.

Have a good weekend.
Mr Gus
Posts: 3813
Joined: Sun Jun 13, 2021 9:42 pm
Location: Tofu eaters paradise (harrumph)

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#15

Post by Mr Gus »

I have experience chasing counterfeiters in HK before hand over, so feel for the place & people being crushed underfoot these past years, & am very aware of what UK's (England) power of dominion has also done to others over the years / centuries.

It's data I want to circumvent as one in the eye, ..whoever it may be going to (initially) ..before circumnavigating the world for perpetuity as a commodity, to date I have just returned, refused to use, used & uninstalled or installed kit on old phones specially for a purpose (that sit in a drawer no SIM card)

Switching off / paring back the Google machine / Facebook pre installed on machines is no simple task when things then pop up stating other services may not work if you continue to disallow them functionality.
So, anyone got any good optimisation tips (as OGB calls it)? ..tips for the common man / a video channel instructional for paring back on rogue (private) data flow?

OGB mentions Wireshark (presumably monitor & report software) but what else is out there to auto tweak a layman through data blocking on anything "smart" ? ...even my washer (LG) allegedly has the potential for downloadable programming, ..why not just put them on a machine the old fashioned way!? ..a plethora of privacy & data waivers then follow ..to clean some clothes ffs.

Everyone wants a piece of your data, without exception, schools have opted for cheaper software for years now that parents connect to ...& Data smashes your back door in the least subtle manner from the time of your kids at 5 ..through 18 ..& few question it.

In schools they are now teaching money sense, but not data sense, beyond don't be coerced into sending nude pictures / cyberbullying subject matter, yet studiously ignoring the elephant in the attic they heavily promote.

I just want to scrape sticky fingered jam off my smart items & have operational functionality, not snooper/grass functions, ..including in an e v wall socket.
Any assistance out there for kasa & tp (tp-link looks like a no at this point) to get my head around?
1906 ripplewatts @wind Turb-ine-erry
It's the wifes Tesla 3 (she lets me wash it)
Leaf 24
Celotex type insulation stuffed most places
Skip diver to the gentry
Austroflamm WBS
A finger of solar + shed full more
cojmh
Posts: 217
Joined: Wed Mar 16, 2022 8:11 pm
Location: West Midlands

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#16

Post by cojmh »

Hi Gus,

There are a few things that you can do but the main part is, if you are suspicious of a device you should not use it because it is not so much the device itself and its own functionality that is worrying - but more what it can do when you put it into your home and use it. So it is also the "home protection" that you need to consider and unfortunately if you want to do it well then it will require investment.

So for example - If I was to put something on my network (like a smart plug, smart door bell etc.) can it snoop on my network and look at what else is going on - for example data going to and from my computer/phone/NAS etc.? This is where I would be worried.

So it is not just the user info that your smart device is tracking, but the info it could possibly gain access to.

In my own case, I have invested in Ubiquiti network hardware (and yes I know there is the possibility of these being hacked too just like any device) and have the ability to do several things:

1. Segregate devices onto separate networks so that they cannot see each other. So in my case I run four distinct networks. One for my core devices that I trust with my sensitive data. A media network. A network just for smart devices (so plugs, Inverter, Alexa devices, smart bulbs etc.) and a network for guests. This way I keep things separate and limit the ability for something to snoop on my important devices.

2. The network level hardware tracks everything in and out of the network. So I can have a look and find problems. I can see what device is talking to what services and when etc. This allows me to kill communication I don't want. One of the worst devices I ever found was the NOW TV smart devices. Their own boxes are monitoring and sending huge amounts of information back.

3. I would also put in a DNS blocker (look up AdGuard or Pi-hole to give you an idea). This service monitors what resources are being asked for on the internet by your devices and if it is considered risky or advertising based then it will drop the DNS response coming back from the internet - effectively blocking the device's suspect communication. You can do this with software as opposed to hardware though so this can be a free solution.

There are also a few other things I do but the above are the main things.

But ultimately you have to remember this:

1. You are trusting whatever equipment you buy to help you and be secure. So in my case I am trusting Ubiquiti and AdGuard - their services can be hacked or mistakes made so you have to accept that there is not a perfect solution.
2. It is better not to use a suspect device than try to prevent its behaviour as there are always new ways found to defeat defences. My setup is not perfect but it does stop quite a bit.

Finally, I do not use Facebook or virtually any social media. Their primary function is to collect your data and monetise it. Even worse than the snooping data is the data that is used to manipulate you or people in general.

Something else to consider is your password security. If you do not have individual passwords for every single website/device you use then you are potentially opening yourself up to problems.

I hope that helps
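An added illustration of points 1 and 2 in the post above (not cojmh's own configuration): a small audit that classifies each logged connection by network segment and reports the ones a four-network layout should never allow. The subnets, the allowed pairs and the flow records are all constructed assumptions; substitute your own addressing plan and an export from your router or firewall log.

```python
import ipaddress

# Constructed addressing plan for the four networks described in the post.
SEGMENTS = {
    "core":  ipaddress.ip_network("192.168.10.0/24"),
    "media": ipaddress.ip_network("192.168.20.0/24"),
    "smart": ipaddress.ip_network("192.168.30.0/24"),
    "guest": ipaddress.ip_network("192.168.40.0/24"),
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed policy: (initiator segment, destination segment) pairs that may
# open a connection. Trusted devices may reach the others, never the reverse.
ALLOWED = {
    ("core", "media"), ("core", "smart"),
    ("core", "internet"), ("media", "internet"),
    ("smart", "internet"), ("guest", "internet"),
}

def segment_of(addr):
    """Map an IP address to a segment name, 'unknown-local' or 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    if any(ip in net for net in RFC1918):
        return "unknown-local"      # private address outside the plan
    return "internet"

def audit(flows):
    """Return the flows (initiator, destination, port) that break the policy."""
    violations = []
    for src, dst, port in flows:
        s, d = segment_of(src), segment_of(dst)
        if s == d and s in SEGMENTS:
            continue                # traffic inside one segment is not routed
        if (s, d) not in ALLOWED:
            violations.append((src, dst, port, f"{s}->{d}"))
    return violations

# Constructed sample of connection records: (initiator, destination, port).
SAMPLE_FLOWS = [
    ("192.168.10.5",  "192.168.30.12", 80),    # laptop opens plug's web page
    ("192.168.30.12", "192.168.10.5",  445),   # plug probing a file share
    ("192.168.30.12", "203.0.113.9",   443),   # plug to its cloud service
    ("192.168.40.7",  "192.168.20.3",  8009),  # guest phone to media box
    ("192.168.30.14", "192.168.30.12", 9999),  # two smart devices, same VLAN
    ("192.168.50.2",  "192.168.10.5",  22),    # device on no known network
]

if __name__ == "__main__":
    for src, dst, port, path in audit(SAMPLE_FLOWS):
        print(f"VIOLATION {path}: {src} -> {dst}:{port}")
```

Any violation that shows up in real logs means the inter-network firewall rules are looser than the layout was meant to be.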
Oldgreybeard
Posts: 1873
Joined: Thu Sep 09, 2021 3:42 pm
Location: North East Dorset

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#17

Post by Oldgreybeard »

Very hard to track down where data is going, I found. In the case of our Hikvision CCTV (before I lobotomised it and stopped it talking to its Chinese masters) that was connecting to four outside servers. One was internet time, which I wasn't bothered about, that just keeps the clocks in the cameras set. One was connected to the Hikvision update service, probably not too worrying. The other two were a mystery and weren't obviously connected to Hikvision as a company, but were inside China. One was just sending small data packets that didn't have enough data to be anything other than stuff like time, position, activation status or something similar. The other was sending still frames from the cameras about every 30 seconds (not video). I'm pretty sure neither of these were going to Hikvision.

If I had to guess, then I'd suggest they were probably being used to build up or test image recognition, perhaps facial identification, software. My gut feeling is that there is a widespread covert programme to ID the face of every person on the planet. Such a data base would be extremely useful for any state intent on controlling any population, and we already know that China (and many other countries) quite openly use facial recognition. It was very obviously a breach of GDPR, but then China has always ignored GDPR, as it ignores many other non-Chinese laws and regulations.

It takes a lot of time and effort to trace what bits of kit are doing with the data they capture. Some of it is made easier because others have done work on it. This was the case with the Hikvision data, and is also the case with other systems that send data to far off shores that are not covered by UK or European laws on data protection. Ring doorbells, Alexa, Google Nest etc all send masses of raw data to overseas servers all the time they are on. At least Amazon will let you have this data on request, but you need to be prepared to sift through mountains of data that they hold. Great fun going through partial recordings of bits of TV, your kids arguing (or getting up to worse after hours), etc. All faithfully recorded when the device falsely recognises the trigger word (which they seem to do very often).
25 off 250W Perlight solar panels, installed 2014, with a 6kW PowerOne inverter, about 6,000kWh/year generated
6 off Pylontech US3000C batteries, with a Sofar ME3000SP inverter
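The kind of sorting-out described in the post above can be partly automated. The following is an added example, not something from the original post: it groups a device's outbound records by destination, skips the destinations you already expect (time and update servers), and reports how much each remaining destination receives and whether the traffic arrives on a regular timer. The device name, destination names, addresses and records are constructed; real input would be an export from Wireshark or a router's flow log.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed allowlist: destinations the owner has identified and accepts.
EXPECTED = {"ntp.example", "update.example"}

def sample_flows():
    """Constructed records: (epoch_seconds, device, destination, bytes_sent)."""
    flows = [(i * 3600, "cctv-nvr", "ntp.example", 76) for i in range(4)]
    flows.append((120, "cctv-nvr", "update.example", 2048))
    # Small status-sized packets roughly once a minute.
    for i, skew in enumerate([0, 1, -1, 2, 0, -2, 1, 0]):
        flows.append((i * 60 + skew, "cctv-nvr", "203.0.113.20", 120))
    # Image-sized uploads roughly every 30 seconds.
    for i, skew in enumerate([0, 1, 0, -1, 1, 0, 0, -1, 1, 0]):
        size = 45_000 + 500 * (i % 3)
        flows.append((i * 30 + skew, "cctv-nvr", "203.0.113.77", size))
    return flows

def summarise(flows, expected=EXPECTED, min_events=4, max_cv=0.1):
    """Summarise traffic to unexpected destinations, largest sender first.

    A destination is marked periodic when it has at least `min_events`
    transmissions and the gaps between them vary by no more than `max_cv`
    (standard deviation divided by mean gap).
    """
    groups = defaultdict(list)
    for ts, device, dest, size in flows:
        groups[(device, dest)].append((ts, size))

    report = []
    for (device, dest), events in groups.items():
        if dest in expected:
            continue
        events.sort()
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        period, periodic = None, False
        if len(events) >= min_events:
            period = mean(gaps)
            periodic = period > 0 and pstdev(gaps) / period <= max_cv
        sizes = [size for _, size in events]
        report.append({
            "device": device,
            "destination": dest,
            "events": len(events),
            "total_bytes": sum(sizes),
            "mean_bytes": round(mean(sizes)),
            "period_s": round(period) if period is not None else None,
            "periodic": periodic,
        })
    report.sort(key=lambda r: r["total_bytes"], reverse=True)
    return report

if __name__ == "__main__":
    for row in summarise(sample_flows()):
        print(row)
```

The mean size per transmission is what separates the two cases in the post: a few hundred bytes can only be status information, while tens of kilobytes on a fixed timer is consistent with still images.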
cojmh
Posts: 217
Joined: Wed Mar 16, 2022 8:11 pm
Location: West Midlands

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#18

Post by cojmh »

Oh something else I forgot to say.

If you use online/cloud services:

1. Encrypt everything you put onto Dropbox/One Drive etc. if you can - so even if they get access to your files they are not usable without a decryption key.
2. Try to make sure whatever service you use is hosted in (and run from if possible) the EU. The data protection laws in the EU whilst not perfect are much better than the USA (which is better than the far east where it is pretty much non-existent).
3. If you use Password managers/VPN as well as picking EU based services see if you can find one that is audited by a third party to check their service is not logging your activity and/or is secure.

With network/data security it is important to have multiple layers of protection if possible because as technology moves forward and software upgrades new vulnerabilities can be introduced (or found) so it is best to have more than one layer of protection in case one layer is compromised.
Oldgreybeard
Posts: 1873
Joined: Thu Sep 09, 2021 3:42 pm
Location: North East Dorset

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#19

Post by Oldgreybeard »

I think the very best way to view any of these smart gadgets is to ask one simple question, "Where is the money coming from to run the service?"


No company is going to "sell" a gadget for, say, £30 (typical price for a "smart speaker") and then provide years of "free" support for it, in the form of banks of servers interpreting speech, thousands of staff doing everything from design and manufacture to software development and ongoing maintenance, not to mention the energy used by all the servers that allow these things to work.

So, where does the money come from, if it isn't coming from the purchase price of the product (which is almost certainly not enough to have manufactured it)? The answer is that all the income from these devices comes from the data they gather. That's not just the data they gather after they are triggered to send speech from a room to their servers, via the code word, it's also all the data they gather when they either mistake the key word or when the device isn't sure the keyword has been spoken, so sends the loop of sound it's recorded to the servers for verification.

This happens a lot, as the speech recognition capability built in to these things is exceedingly simple and not very accurate. It only has to try and correctly interpret one single word, in the case of the Amazon devices that word is "Alexa". Once it thinks it has heard that word it sends the whole loop recording (these things record a loop all the time they are on) to Amazon's servers, almost always outside the UK, in a country where the laws are more lax. The back end system overseas has a far more powerful voice recognition capability, and it is that which does all the heavy lifting, both answering the request and storing key data elements that can be sold to advertisers, like the likely gender of the voice, the nature of the question, and specific products or topics mentioned, the time and exact location of the recording, the number of different voices heard, the background sounds (radio, TV, music) being played (used for determining interests) etc.

All this data is aggregated to build a picture of the household, so Amazon knows how best to target advertising in future. Amazon (and many others) has a sliding scale of charges for ads, and if it can provide its advertising customers with an accurate profile of a customer's interests, then advertisers will pay more, as targeted ads have a far better success rate than random ads.

A good example would be my mother in law. She has an Alexa, and is partially sighted. Almost all of the advertising she gets, through the post, on her iPad, people knocking on her door, etc is related to her age and the fact she's partially sighted. Her two children now have to call in regularly to tell her to ignore all the stuff she doesn't need that is targeted at her because of her age and disability and clear out all the junk mail she's collected. She finds it particularly hard to deal with the multitude of phone calls from people selling a wide range of aids for the elderly. My wife had to set up a call screening phone service for her a couple of weeks ago, because the volume of sales calls was getting to be intolerable. I am absolutely certain that the majority of this nuisance advertising is coming from her Alexa, which is regularly selling data to advertisers that she is a likely profitable mark for them.

People can make their own minds up as to whether this is a good or bad thing, or even if it's ethically sound. My view is that if anyone is dumb enough to agree to put a spying device in their home then they deserve all they get, but this line gets blurred with the elderly who may not appreciate just what they are agreeing to by getting one of these things.
Last edited by Oldgreybeard on Sat Sep 24, 2022 10:53 am, edited 1 time in total.
Mr Gus
Posts: 3813
Joined: Sun Jun 13, 2021 9:42 pm
Location: Tofu eaters paradise (harrumph)

Re: TP-Link Tapo Smart Plug with Energy Monitoring

#20

Post by Mr Gus »

Bloody hell chaps, 👍 ..thanks for the on going discussion points n' explanations, I will read these a few times over, hopefully they'll stick with me.

I refuse cloud back up of anything, wife & daughter sadly are part of the problem, ..wife got caught out the other week in a bank fraud, ..to say too much "told you" would be much marital strife because she's been scammed before & I told her it was coming, products, services, contracts, & now banking.

I keep my phone separate & rarely use it for online activity ..which makes many laugh, & have only recently dropped my guard a bit due to home pc crashing & burning, hopped into sites old pc & that has done the same, so it's a kindle or nothing (with as much turned off as possible)

Connectivity, or lack thereof leads us to take risks & loosens our resolve eventually.

OGB, printed mail spam takes a long time to reduce, requires stupid amounts of swearing & effort to get a bit of adherence, so I doubt spam mailings are kindle / Amazon based, it's an area I get very angry about & follow up when I have time & mail in my hands, ..takes hours to get details wiped & blacklisted & is likely too much for an old lady sadly govt are 💩 in this area, I had very frequent calls to the "voluntary" code of conduct body who eventually lost their day with me logging complaints.

..after which it has been really quiet for a few years, for envelope letterbox stuffers, charity bags & allsorts!
Read into that as you will, however when I deal with a back end boy or whatever, it's expunge, blacklist, cease & desist orders that have the most chance.

Some (off Manchester based data gatherers just don't give a damn & neither law or govt bodies take them to task)