By now, it’s common knowledge that government agencies can use Internet-connected technologies to spy on individuals in their homes, map out their daily routines, and use algorithms to determine their personal preferences and tastes. It shouldn’t come as a surprise that Internet service providers (ISPs) are capable of an equivalent degree of surveillance through the Internet-connected devices that people have in their own homes, like baby monitors, cameras, and television set-top boxes (just to mention a few).

Ironically, ISPs are capable of monitoring people in their homes even if the particular devices being used are specifically set up to protect a user’s privacy. As previously mentioned, it is relatively common knowledge that organizations are capable of this kind of surveillance; however, most concerns were directed at people with malicious intentions, like cybercriminals. In March 2017, Congress repealed an Obama-era law that prevented ISPs from selling personal information to third parties and gave users more autonomy over what information they share. ISPs are in a very powerful position when it comes to selling this kind of data, which primarily covers how and when individuals access the Internet, but not what those people send or receive.

This information is valuable to ISPs and their potential buyers because of how easy it is to analyze, and because of the insight it gives into an individual’s lifestyle. These capabilities raise the question of whether smart device broadcasts yield any lucrative data. Researchers at Princeton University conducted an experiment to answer this question by setting up a mock smart home that contained seven Internet-connected devices. The aim was to determine what the devices might reveal about their users. Four devices were easily identifiable by ISPs through the way they connected to the Internet.

This wouldn’t be problematic for a device like the Amazon Echo, one of the connected devices in the experiment, which instantly revealed its identity. Other devices that generate Internet activity, like insulin pumps and wearables (just to mention a few), can give advertisers valuable information through the mere fact that people use them to connect to the Internet.

Encrypted connections are a popular method of limiting the amount of information an ISP can gather about an individual. It’s worth noting that URLs beginning with HTTPS encrypt their traffic. Although an ISP or other network observer could see that a user visited a specific website, they won’t know the specific pages that individual visited or what specific activities they engaged in.

It’s worth mentioning that encryption doesn’t necessarily stop an ISP from determining which Internet of Things devices a user has, or from seeing when those devices are used. In the Princeton study, researchers discovered that ISPs could even determine a user’s sleep patterns by detecting when sleep trackers connect to the Internet. The study also revealed that ISPs could identify when home security cameras detect movement and when someone was watching a live stream.

The researchers believe there might be ways to reduce this kind of snooping from ISPs, with one way being to deliberately fill a network with small portions of traffic. This is achievable by an individual running all of their Internet traffic through a VPN that is programmed to record and play back that traffic, even when nobody is using that particular IoT device. This might slow down the network. Having said that, it’s ultimately up to consumers to evaluate the privacy risks that come with using Internet-connected devices. It’s difficult enough for us to make informed decisions when it’s not completely clear what specific data ISPs collect, or how they’re using that information. This degree of surveillance is possible anywhere, but there are fewer restrictions in the US on what information ISPs can now sell.
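
The cover-traffic idea above, sketched as an added example (not code from the Princeton study or from this article): it shows what traffic volume alone reveals about an encrypted device, and how padding every interval to a fixed rate hides it at the cost of extra bandwidth and delay. The byte counts are constructed, and constant-rate padding is used here as a simplified stand-in for the record-and-replay VPN described in the text.

```python
# Constructed sample: bytes sent per 1-minute interval by one encrypted IoT
# device (think of a camera); the bursts mark motion events. Invented values.
OBSERVED = [120, 110, 130, 9800, 10200, 125, 115, 9500, 120, 118, 122, 119]


def active_intervals(series, factor=5.0):
    """Inference available from volume alone: flag intervals whose byte count
    exceeds `factor` times the median. No payload is inspected."""
    ordered = sorted(series)
    mid = len(ordered) // 2
    if len(ordered) % 2:
        median = ordered[mid]
    else:
        median = (ordered[mid - 1] + ordered[mid]) / 2
    return [i for i, b in enumerate(series) if b > factor * median]


def shape(series, rate):
    """Send exactly `rate` bytes every interval. Real bytes above the rate are
    queued (the slowdown); unused capacity is filled with cover traffic.
    Returns (shaped series, cover bytes sent, largest backlog in bytes)."""
    shaped, backlog, cover, max_backlog = [], 0, 0, 0
    pending = list(series)
    while pending or backlog > 0:
        backlog += pending.pop(0) if pending else 0
        sent = min(backlog, rate)      # real data that fits in this interval
        backlog -= sent
        cover += rate - sent           # padding that fills the remainder
        max_backlog = max(max_backlog, backlog)
        shaped.append(rate)            # the observer sees a flat line
    return shaped, cover, max_backlog


if __name__ == "__main__":
    print("activity visible without shaping:", active_intervals(OBSERVED))
    for rate in (4000, 12000):
        shaped, cover, max_backlog = shape(OBSERVED, rate)
        print(f"rate={rate}: visible={active_intervals(shaped)}, "
              f"cover bytes={cover}, max queued={max_backlog}")
```

A lower rate wastes less bandwidth but delays real traffic, while a rate above the largest burst adds no delay and costs far more cover traffic.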