Smart locks endanger tenants’ privacy and should be regulated

The growing deployment of smart locks in apartments, often installed without tenants’ permission, has created a new stream of sensitive location data for law enforcement, landlords, and private companies. Tenants should not be forced to submit to tracking just to enter their home. At minimum, we need privacy laws that require consent to collect this data, a warrant for police access, and strong data minimization.

Smart locks come in many forms. At the most basic level, they are physical locks that can be opened with a nontraditional key like a smartphone or fingerprint. Most significantly from a privacy perspective, they allow the lock company (and sometimes landlords) to collect data each time you or any of your guests unlock your physical door. To do this, the locks themselves may be connected to the internet, or they can rely on an app you must install on your phone (the key) to transmit the data to the lock company’s servers. Depending on the model, the lock might also record other data—like an image of the person trying to unlock the door.

Smart locks have become increasingly popular in recent years, specifically with landlords. For example, in 2019, tenants in New York City forced a settlement after a landlord attempted to require tenants to use smart locks. The settlement required an option for physical keys. The smart lock at issue in that case was made by a company called Latch. While Latch was not named in the lawsuit, the company changed its privacy policy to remove reference to marketing and collection of other location data. Its software is reportedly in more than 125,000 dwelling units or commercial spaces. Many other companies make smart locks as well. They are part of the growth of smart home devices.

Privacy risks from smart locks

Despite their convenience to some people, smart locks can create a revealing data trail that raises concerns about law enforcement power, data privacy, and information security.

This data could give law enforcement a powerful new stream of data to be obtained without your knowledge. Companies tend to store this kind of data for much longer than necessary, and it is often unclear precisely what legal process companies require before handing it over to law enforcement. This gives police a tool to obtain a near perfect log of every time you or any guest entered your home—a particularly private place under the Fourth Amendment. In the past, police could theoretically piece this data together on their own with great effort by conducting an around-the-clock stakeout. But in all but the most important investigations, these tactics would be prohibitively expensive. Because it is easy for police to access smart lock data, police will more frequently use this tactic. Moreover, smart lock data is retrospective—meaning that police can go back in time to obtain data about periods of time before an individual was under investigation.

Landlords could use this data to harass or penalize tenants. Landlords seeking to evict a rent-controlled or otherwise unwanted tenant could use this data to find minor lease violations, like having a guest stay an hour longer than allowed by policy. Or the smart lock could be used to quickly lock out a tenant without notice. Moreover, forcing tenants to unlock their unit with a smartphone could exclude the 15 percent of the population who do not have a smartphone—disproportionately affecting older people and people with lower income. Renters, in general, tend to have less net worth than homeowners, and are more likely to be young, Black, or Hispanic.

Private companies who manage this data could sell it. This information — and the patterns — may be useful for marketers to create inferences about you, like: family makeup; job status; type of job; entertainment; and travel schedule. Some companies appear to understand the risk (and loss of trust) that comes with selling this deeply revealing personal data, and they have privacy policies that rule this out. However, as companies acquire more data, they will be tempted to profit from it at the expense of their users.

Both the smart lock itself and the system used to store the data could be hacked. Today, traditional door locks can be picked, and home windows can be smashed to gain entry. However, the scale of a smart lock hack could increase the potential for harm. One can imagine a nightmare scenario of a ransomware group locking an entire apartment building out of their homes until the landlord pays a hefty sum. Similarly, a hack of the backend system that stores smart lock data would expose sensitive information about guests, tenants, and patterns of life that, many times, is unnecessary to retain in the first place. The Federal Trade Commission has been concerned about smart lock security since 2015.

Finally, smart lock users themselves may be able to abuse the data. Previous news reports have detailed how smart home devices can be used by abusers to maintain control of family members. Having a constant log of when they unlock their door could make it much harder for people to escape their abusers and find help.

Need for laws to protect smart lock data

New York City is one of the only jurisdictions to pass a privacy law to specifically regulate smart lock data from both landlords and private companies. The law includes requirements about consent, the option of a physical key, minimization, retention, disclosure, use, and security. The law also contains a private right of action if a company sells the data. Other more general privacy laws would regulate this data as well. Smart lock data tied to an individual or home falls under the definition of personal data in states with comprehensive privacy laws — like California, Colorado, Connecticut, Utah, and Virginia. Some of the data may also be governed by the federal Electronic Communications Privacy Act—which limits how certain data may be shared with the government and non-government entities.

Given the privacy risks, we need strong privacy laws to regulate the use of smart lock data, with the following components:

1. Option for traditional lock: Tenants must be given the option to use a traditional lock and key that does not track and collect their personal data. Choosing to retain a traditional lock must not come with any reprisal or additional incentive to choose a smart lock instead.

2. Consent for processing: Landlords and companies must be prohibited from processing a person’s smart lock data, except with their informed, voluntary, specific, opt-in consent.

3. Data minimization: Companies and landlords must be prohibited from processing a person’s smart lock data, except as strictly necessary to allow the smart lock to securely function. This includes prohibitions on unnecessary re-use, sharing, or retention of the data. More specifically, landlords must be prohibited from using the data to harass or evict tenants.

4. Warrant requirement and notice: Companies and landlords must be prohibited from disclosing smart lock data to law enforcement, except with a particularized warrant based on probable cause, and prompt notice to tenants. Companies should also publish transparency reports about the number of law enforcement requests that they receive and how often they comply.

5. Security requirements: Companies must protect smart locks and smart lock data with strong information security protocols and must give notice if that security is breached. Smart locks must have a physical key back up in case of failure or compromise.

6. Private right of action: People must have a private right of action to sue the corporations or landlords that violate their statutory privacy rights. Remedies must include liquidated damages, injunctive and declaratory relief, and attorney fees.