SmartThings - Company Feed Back - To End Users

[Teken]

Like many others here I am a member of several HA sites where I have devices in use. Other times I simply lurk and read what the competition is up to or has to offer. I always find it interesting to see how small to large companies engage, communicate, and disseminate information.

 

Below is just one small snippet of a reply about a security white paper ST is developing to address the ever pressing need for more security.

 

Some parts of the reply in my view are basic canned responses which is typical in business. This is OK given the on going development and unknowns.

 

Better to be safe then sorry because we all know Americans love to sue!

 

As you read further along you can see more details are being provided that are not scripted or canned. This is not only surprising but shows care, thought, and genuine care for the customer.

 

To date its safe to say there have been little to no interaction from Smartlabs in the area of security or even on a basic level.

 

One would think given the massive increase of HA being deployed by various companies they would want to lead the charge and have a dedicated PR person to engage the public, no?

 

Anyone who has taken a few moments to read the UDI forum its apparent the team takes a active role and interest in issues, ideas, and problems at hand. Its never shocking to see Michel the CEO reply in kind with a solution or offer guidance to a question.

 

Why??

 

Then you have the extreme side of things like ST which also takes the time to address questions posed by the general public.

 

Why??

 

As we circle back to Smartlabs and ask the same very question how come no one is tasked to communicate to the general public about issues, bugs, etc.

 

Why??

 

The reality is no one is perfect, as it is indicated in my signature what people should strive to do each and every day is not seek for perfection but work toward progress. Moving forward by learning from past mistakes and not repeating them is how we measure progress.

 

Perhaps Joe Dadda and his senior management should take a small page of ST and start working toward progress in the area of communication and interaction with the masses.

 

 

========================================================

------------------------------------------------------------------------------------------

 

 

 Quick question.

Again, sorry for the delay in getting answers to your questions here. I'll do my best to answer them one by one:

Since this document only addresses physical devices and their virtual representation in the physical graph. Would it be fair to assume that virtual devices and smartapp data is also owned by the user? Example, my location isn't tied to a device (maybe the hub) is that data private?

Yes - this policy doesn't apply ONLY to devices that are connected to the hub, but to all event and account data for a given Location.

There are specific policies governing the use of anonymized and aggregated data, as well as the sharing of data with third-party businesses opted-in to by the user available in our Terms of Use and Privacy Policy available on the SmartThings website.

Is using another cloud based service that has no physical device also protected user data?

There's some nuance here since we don't have any control over the remote system and how they use your data. As above, event data that is stored in the SmartThings Platform is treated by SmartThings as protected user data, but once that information leaves the SmartThings Platform - say, because the user linked their SmartThings account to a remote cloud service or accepted incremental Terms and Conditions associated with a third-party business - that data becomes governed by the Terms of Use and Privacy Policies of the remote service. This is also detailed in our Privacy Policy available on the SmartThings website.

How is that data protected from ST employees and contractors or 3rd party providers?

There are instances in which SmartThings operations and support personnel must gain access to databases to ensure the operation of the service and to support users in solving issues that arise. There are internal policies in place to minimize access to data including limiting the number of employees who have direct access to databases for the purposes of maintaining and operating the service, and requiring that any support personnel be granted explicit permission from users before accessing their data through our support tools. We are currently working on documenting all of the specific policies and procedures around our information security and privacy programs and additional detail will be included in the more detailed white paper when it is published. In the meantime, our Terms of Use and Privacy Policy are always available on the SmartThings website.

What audit trail exists to show who accessed my private data, since it is considered private by SmartThings, will you be compliant with all state laws regarding user data privacy?

SmartThings always endeavors to maintain compliance with all regulatory requirements for the regions in which we operate. As above, additional detail around specific policies and procedures will be included in the white paper when it is published.

If I suspect my data has been compromised what is the proper way to file a complaint and what would be the resolution to these incidents, if/when they would occur?

If you suspect that your data has been compromised, please reach out to support@smartthings.com to begin an investigation. Resolution would be dependent on the specifics of each case, though as above, additional documentation around policies and procedures is under development.

What is SmartThings policy on unauthorized data access disclosure? Will you publicly announce it or just notify the effected users or keep it quiet?

As always, we'll comply with local regulations - though again, there's a lot of nuance here and beyond that it'll depend entirely on the specifics of the case. This is also another area that will be addressed in more detail in the development of the documentation of policies and procedures.

As for security / vulnerability disclosures, we've had disclosures from third-party security research firms come through our support@smartthings.com channel, and we've always taken them seriously and made sure to quickly validate submissions, remediate any issues, and re-test once patches are in place. This has been the the case with disclosures from companies like Gotham Digital Science, Tripwire VERT, and the NCC Group who have all worked with us to ensure that we patch discovered vulnerabilities before they publish their reports.

 

In all of these cases, support has escalated these disclosures and we've exchanged keys with the submitter to manage secure communications, but I do like the suggestion to make available a public key specifically for these types of submissions. We'll look into that further.

Thanks,
-d