Is my Air Fryer spying on me? Evidence of excessive smart home surveillance

Which? research has found evidence of excessive smart device surveillance – from air fryers demanding permission to listen in on your conversations and sharing data with TikTok, to TVs wanting to know your exact location. 

The consumer association rated products across four categories and gave them overall privacy scores for factors including consent and what data access they want. Researchers found data collection often went well beyond what was necessary for the functionality of the product – suggesting that, in some cases, data could be shared with third parties for marketing purposes.

In the air fryer category, as well as knowing customers’ precise location, all three products wanted permission to record audio on the user’s phone, for no specified reason. The Xiaomi app linked to its air fryer connected to trackers from Facebook, Pangle (the ad network of TikTok for Business), and Chinese tech giant Tencent (depending on the location of the user).

The Aigostar air fryer wanted to know gender and date of birth when setting up an owner account, again for no clear reason, but this was optional. The Aigostar and Xiaomi fryers both sent users’ personal data to servers in China, although this was flagged in the privacy notice.

The Huawei Ultimate smartwatch – as with all the products on test – requires privacy consent to work properly. It requested nine “risky” phone permissions – the most of all devices on test. Which? defines “risky” as giving invasive access to parts of someone’s phone.

These included precise location, the ability to record audio, access to stored files or an ability to see all other apps installed. The company said all had a justified need. Huawei also said that no user data is used for marketing or advertising purposes. Which? found some trackers active on the Huawei watch, but Huawei said they are active only in certain regions. 

Bestsellers on Amazon, the Kuzil and WeurGhy smartwatches were found to be essentially the same product. Both required consent to work – if declined, the product will only operate as a watch, without the accompanying smart features. There was none of the legally required information on how long the smartwatches would be supported with security updates. However, neither watch appeared to use any trackers.

Smart TV menus are littered with ads and thirsty for user data. The Hisense and Samsung TVs Which? tested required a postcode at set up – though both brands said customers can use a partial postcode and that it was only used for some content localisation features. Samsung claimed supplying a postcode was not mandatory but Which? found it appeared mandatory in its tests.

The LG set asked for a postcode, but providing it was not mandatory. Samsung’s TV app requested eight risky phone permissions, including being able to see all the other apps on the phone, second only to the Huawei smartwatch. The Hisense did not connect to any trackers that researchers could detect, but Samsung and LG linked to a number of them, including Facebook and Google. 

The analysis of smart speakers found that the Bose Home Portable speaker and app take the fewest upfront phone permissions of all the products on test, but are stuffed with trackers, including Facebook, Google and digital marketing firm Urbanairship. The Bose speaker also fared poorly on how it secured customer consent for data tracking. 

By contrast, Amazon Echo gives useful options to skip various requests to share data. Consumers need an Amazon or Google account to use the Echo Pop or Nest Mini, respectively. They use trackers that Which?’s researchers expected to see, mostly their own. However, users cannot selectively opt out, hence their low star rating.

All of the devices on test wanted to know users’ precise locations.

Which?’s research highlights how manufacturers are currently able to collect excessive data from consumers, often with little transparency about what it will be used for. The ICO is due to publish new guidance for smart product manufacturers in Spring 2025. 

However, Which? is concerned that manufacturers based abroad could take advantage of the challenges of enforcing compliance with guidelines. 

Harry Rose, Which? magazine editor, said:

“Our research shows how smart tech manufacturers and the firms they work with are currently able to collect data from consumers, seemingly with reckless abandon, and this is often done with little or no transparency. 

“Which? has been calling for proper guidelines outlining what is expected of smart product manufacturers and the ICO has confirmed a code is being introduced in Spring 2025 – this must be backed by effective enforcement, including against companies that operate abroad.”

Consumer advice – How to improve your data privacy

Care about what you share: Some data collection is optional during setup and that means you can opt out (although potentially with consequences in terms of functionality). Only share what you are comfortable with.

Check permissions: On iOS and Android, you can review permission requests before downloading an app, and check what each app has access to in your settings.

Deny access: Also in your phone settings, you can potentially deny or limit access to data such as location, contacts, and so on, although that might stop or limit aspects of the app.

Delete recordings: Using the Alexa and Google Assistant settings, you can set your voice recordings to be deleted automatically after a period of time rather than stored.

Read the privacy notice: Do at least browse the policy, particularly the data collection sections. You have the right to object to a company processing your data.

Rights of reply

Samsung

“At Samsung, the security and privacy of our customers’ data is of the utmost importance. And we employ industry-standard security safeguards and practices to ensure that the data are secured. Customers are also given the option to view, download or delete any personal data through their Samsung accounts. Customers can find more information about our privacy policies at www.samsung.com/uk/info/privacy.”

Hisense 

“Hisense UK values its relationships with its customers and respects their data privacy rights. We are compliant with all UK data privacy laws and only capture the postcodes of our customers to enable them to receive regional specific content, enhancing their user experience. If users are concerned, then many of our TVs will accept a partial postcode.”

An Amazon spokesperson said: 

“We design our products to protect our customers’ privacy and security and to put them in control of their experience. For example, we build easy-to-use controls for our customers—these include physical buttons or shutters, simple in-app controls, and prompts within the device set up experience—and have created resources that explain how our devices and services work and the options available to customers.”

Google

“Our customers’ privacy is very important to us and Google fully complies with applicable privacy laws and provides transparency to our users regarding the data we collect and how we use it. For those moments when users want additional privacy controls on Google Nest smart speakers and displays, users can use Google Assistant in Guest Mode. When in Guest Mode, Google Assistant won’t say or show personal results, personal contacts, and automatically deletes audio recordings and Google Assistant activity.”

Huawei

“Huawei takes consumers’ privacy incredibly seriously. Clearly, to be useful lifestyle and health/fitness partners, smartwatches require permissions to access a number of personal data; we are very clear both on the devices at set-up, and on the companion app Huawei Health, which permissions are required and why, and users have full control over turning them on or off at any time.”

In a lengthy statement Xiaomi said that “respecting user privacy has always been among Xiaomi’s core values, which includes transparency, accountability, user control, security, and legal compliance”. It said that it adheres to all UK data protection laws, and “we do not sell any personal information to third parties”, and certain functions are only active in select global markets, such as Tencent services only used in China. “The permission to record audio on Xiaomi Home app is not applicable to Xiaomi Smart Air Fryer which does not operate directly through voice commands and video chat,” it added.

Cosori

“We prioritize privacy, and subject to our internal compliance requirements, the smart products must comply with GDPR. However, without specific test reports from your firm or the test lab, we cannot comment further.”

LG declined to comment. Aigostar and Bose did not respond. WeurGhy and Kuzil were uncontactable.

Chris Price