
Who is watching in the nursery?

An investigation by Privacy First that began with questions about privacy in digital baby monitors shows, above all, the importance of digital sovereignty. Dependence on parties we do not know means that we have no idea whether our children's privacy is guaranteed.

Luvion is one of the most widely used baby monitors in the Netherlands and a logical first candidate for testing. Analysing the privacy policy is always a first step: it tells you what the agreements with a manufacturer are.

Where is that privacy policy?

In early October, there is no trace of a privacy policy on Luvion's website. After some searching, there turns out to be a general 'terms of use' document from 2014, predating the introduction of the GDPR (AVG).

We contacted customer service, and promptly a privacy policy for the app appeared. Before you can read it, though, you may want to turn off all marketing cookies. Contrary to the rules (GDPR), these are on by default and your data is shared with 944 partners.

The privacy policy itself is extremely general about what data is collected and what it is used for. For example, it is unclear whether your data will be processed by third parties (for marketing or analytics), how your consent to this is handled, and whether your children's images will be stored within the European Union.

A little more clarity is available on the use of your camera and microphone. You have to (actively) turn these on yourself before anything can be recorded. Luvion will only grant itself access to recorded images or audio in the event of a support request. Given the messy setup and basic content, though, the main question is how seriously Luvion takes your privacy. These are images and sounds of your children, after all, so you want clarity about how long and where they will be stored.

Technical analysis

To our surprise, after we announced our enquiry, Luvion customer service sent diagrams that were clearly not marketing material. In line with the claim on Luvion's website, there should be a direct (end-to-end) connection between the app and your baby monitor, protected with adequate encryption. If this were true, Luvion would be a great privacy-friendly solution.

Luvion technical p2p scheme

'Rendezvous' (RDZ) is quite literally a first contact, "hello, here I am". 'STUN' is a standard which allows an app to connect to the Luvion baby monitor on your home network. The 'relay' ensures that the keys can be exchanged for encrypting the connection. At steps 7 and 8, the encrypted end-to-end connection should be established.

However, our own research shows that the communication flow between the baby monitor and the app is different: it runs through Amazon (AWS) systems located inside and outside the EU (including in the US). It is still possible that the data between the Hubble app and the baby monitor is encrypted end-to-end, but this is no longer verifiable. The encryption could be broken at Amazon, and your child's video passes through a US 'black box'.
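One way to check on your own network which path the monitor's traffic takes, as an added example that is not Privacy First's or Luvion's tooling: it sorts flows exported from a router capture into direct LAN traffic and traffic to AWS inside or outside the EU. The flows, the addresses and the AWS range table are constructed sample data (documentation prefixes in the layout of AWS's published ip-ranges.json), and the function names and home LAN prefix are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed stand-in for AWS's published ip-ranges.json ("prefixes" entries
# with "ip_prefix" and "region"). These are RFC 5737 documentation ranges,
# not real AWS address space.
SAMPLE_AWS_RANGES = {"prefixes": [
    {"ip_prefix": "192.0.2.0/24", "region": "eu-west-1"},
    {"ip_prefix": "198.51.100.0/24", "region": "us-east-1"},
]}
HOME_LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home network

# Constructed flow summary from a capture on the home router:
# (monitor address, peer address, bytes sent by the monitor).
SAMPLE_FLOWS = [
    ("192.168.1.50", "192.168.1.23", 4_000),       # phone on the same LAN
    ("192.168.1.50", "192.0.2.10", 1_200),         # small signalling exchange
    ("192.168.1.50", "198.51.100.77", 9_500_000),  # bulk, video-sized stream
    ("192.168.1.50", "203.0.113.5", 300),          # peer in neither table
]

def load_aws_networks(ranges):
    """Return (network, region) pairs, most specific prefix first."""
    nets = [(ipaddress.ip_network(p["ip_prefix"]), p["region"])
            for p in ranges["prefixes"]]
    return sorted(nets, key=lambda item: item[0].prefixlen, reverse=True)

def classify_peer(peer, aws_networks, lan):
    """Label a peer as LAN-direct, AWS inside/outside the EU, or other."""
    addr = ipaddress.ip_address(peer)
    if addr in lan:
        return "lan-direct"
    for net, region in aws_networks:
        if addr in net:
            return "aws-eu" if region.startswith("eu-") else "aws-non-eu"
    return "other"

def bytes_by_path(flows, aws_networks, lan):
    totals = defaultdict(int)
    for _monitor, peer, nbytes in flows:
        totals[classify_peer(peer, aws_networks, lan)] += nbytes
    return dict(totals)

def relayed_share(totals):
    """Fraction of all bytes that left the home network towards AWS."""
    total = sum(totals.values())
    aws = sum(v for k, v in totals.items() if k.startswith("aws-"))
    return aws / total if total else 0.0

if __name__ == "__main__":
    t = bytes_by_path(SAMPLE_FLOWS, load_aws_networks(SAMPLE_AWS_RANGES), HOME_LAN)
    print(t, f"{relayed_share(t):.1%} of bytes via AWS")
```

A high AWS share shows that the stream is relayed rather than sent directly; it does not show whether the stream is decrypted at the relay, which is the part that stays unverifiable from the outside.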

Luvion baby monitor on the rack | photo: Privacy First

Who is Luvion?

'Luvion' is a brand name of a Dutch company that sells baby monitors made by US-based 'Hubble'. Hubble is part of Binatone (yes, from that classic game console), an originally British company now in Chinese hands. Almost inevitably, we come across hardware from various Chinese manufacturers in the Hubble baby monitor.

Luvion relations

Who is watching in the nursery?

The agreements in the privacy statement are flawed, we cannot technically verify how privacy-friendly Luvion really is, and the product is ultimately in both US and Chinese hands. So the data at Amazon (AWS) is retrievable by the US government. At some point, someone did think about a baby monitor with excellent privacy protection. The people working at Luvion seem to do their best, but at a strategic level, privacy is not a factor at Luvion.

So we end up with the issue of digital sovereignty: we become dependent on foreign technology whose workings we do not know, on agreements on paper, and on US legislation that we must hope adequately protects our privacy.

Luvion shows that things can be done differently, but they don't.

This article was produced in collaboration with, among others, Lukas van Houwelingen and Bas van Dijk (Utrecht University of Applied Sciences).