
IoT Devices in Indian Homes: Privacy Risks You Are Ignoring

Your smart speaker is always listening. Your Wi-Fi camera is phoning home to servers you've never heard of. Indian households are filling up with connected gadgets and barely anyone's asking what data leaves the house.

Rajesh Kumar

The smart bulb in your bedroom is talking to a server in Shenzhen. It does this every eleven minutes. You didn't ask it to. You didn't know it was happening. You just wanted a bulb you could dim from your phone.

I keep running into this. Every few weeks, someone tells me about the great deal they got on a smart home gadget during a sale — an Alexa for Rs 2,999, a Wi-Fi camera for Rs 1,200, a robot vacuum that was "practically free" with some cashback scheme. They're excited about it. Then I ask if they've read the companion app's permissions list, or checked where the device's data goes, and I get a blank stare. Nobody reads that stuff. I get it. But that doesn't make the consequences any less real, and honestly, it's getting harder to stay patient about it.

An Explosion Nobody's Watching

India's smart home device market crossed $6 billion in early 2026, according to IDC's latest Asia-Pacific numbers. That's not surprising. Brands like Xiaomi, Realme, Amazon, Google, and a dozen white-label Chinese manufacturers have made connected devices absurdly cheap. Smart TVs dominate — nearly 85% of televisions sold in India last year were "smart" — but voice assistants, connected security cameras, smart plugs, Wi-Fi doorbells, and even connected water purifiers are becoming standard in urban middle-class homes.

What's infuriating is that while the devices have gotten cheaper and slicker, the privacy practices behind them haven't improved at all. If anything, they've gotten worse. The race to sell at the lowest price means cutting corners on security, and the thing that gets cut first — every single time — is the firmware update cycle and data handling transparency. A Rs 1,500 Wi-Fi camera isn't going to come with a dedicated security team maintaining its software. It'll get maybe one firmware update after launch, probably none, and then it'll sit on your network for three years with whatever vulnerabilities it shipped with.

What These Devices Actually Collect

Let me walk through this device by device, because the specifics matter more than vague warnings.

Smart speakers — Alexa, Google Home, and their various Indian-market clones — listen for their wake word constantly. Amazon and Google both confirmed in previous years that human reviewers sometimes listen to recordings for quality improvement. They've scaled that back after public backlash, but the recordings still exist on their servers. What most people don't realise is that the device sometimes activates when it shouldn't. A word that sounds vaguely like "Alexa" triggers recording. Background conversations get captured. Amazon's own data shows that accidental activations happen multiple times a day in active households. Those audio snippets include whatever was being said — arguments, financial discussions, medical conversations, private moments. They're stored, processed, and in some cases, retained indefinitely unless you manually delete them.

Smart TVs are probably the worst offenders in Indian homes, and nobody talks about them because we don't think of the television as a surveillance device. But most smart TVs sold in India come with Automatic Content Recognition (ACR) enabled by default. ACR takes periodic screenshots of what's on your screen — not just content from streaming apps, but anything displayed, including photos, video calls, even your desktop if you're mirroring your laptop. That data gets sent to advertising partners who build profiles about your viewing habits, political leanings, health interests, and purchasing patterns. A 2025 investigation by a European consumer group found that some smart TV brands were transmitting data to over 700 tracking domains. Indian brands aren't exempt from this. Xiaomi's Mi TV line and Realme's smart TVs both ship with ad-supported interfaces that rely on data collection.

Wi-Fi security cameras are where this gets genuinely scary. Budget cameras from brands sold on Amazon and Flipkart — often with thousands of positive reviews — regularly transmit footage to cloud servers in China. A security researcher I follow demonstrated in late 2025 that three popular sub-Rs 2,000 camera brands were sending unencrypted video streams to servers with no published data retention policy. One brand's companion app requested access to contacts, phone state, and SMS. For a camera. There's no legitimate reason for a camera app to read your text messages.

Smart plugs, bulbs, and appliances seem harmless because they're so simple. What could a light bulb possibly know about you? More than you'd think. Energy usage patterns reveal when you're home, when you sleep, when you leave for work, when you're on holiday. That data, in aggregate, builds a surprisingly detailed picture of your daily routine. A 2024 academic paper out of IIT Madras demonstrated that smart plug data alone could predict household occupancy with over 90% accuracy.

The Network Problem Nobody Mentions

Here's what makes this worse in Indian homes specifically: network segmentation is almost nonexistent. In a typical household, the smart TV, the security camera, the Alexa, the family's phones, the kids' tablets, and the laptop used for net banking all sit on the same Wi-Fi network. They can see each other. A compromised IoT device — that camera with outdated firmware, that smart bulb phoning Shenzhen — becomes a potential entry point into everything else on the network.

This isn't theoretical. The Mirai botnet and its variants have been actively exploiting IoT devices in India. CERT-In's advisories throughout 2025 flagged multiple campaigns targeting consumer routers and cameras in Indian IP ranges. Once a device is compromised, it can be used to sniff traffic on the local network, intercept unencrypted data, or serve as a launching point for attacks against other devices. Your banking app might use HTTPS, but if your phone is on the same network as a compromised camera that's running a man-in-the-middle proxy, the risk isn't zero.

Most Indian routers — the ones provided by Jio, Airtel, or BSNL — support guest networks, but almost nobody uses them. Setting up a separate network for IoT devices takes about five minutes. You go into your router's admin panel, enable the guest network, give it a different password, and connect all your smart home gadgets to that instead of your main Wi-Fi. Devices on the guest network can reach the internet but can't see devices on the primary network. It's not perfect isolation, but it's a massive improvement over having everything on the same subnet.

Data Leaving the Country, No Questions Asked

The DPDPA 2023 has provisions about data processing and consent, and it technically applies to IoT manufacturers operating in India. But enforcement against device makers has been essentially nonexistent as of early 2026. The Data Protection Board is still getting its footing. No IoT manufacturer has been penalised for non-compliant data practices. Not one.

Meanwhile, cross-border data transfers happen constantly. Your Xiaomi smart TV sends telemetry to servers in Singapore and China. Amazon Alexa recordings go to AWS infrastructure that could be anywhere. Budget camera brands don't even disclose where their servers are. The DPDPA allows cross-border transfers unless the government specifically blacklists a country — and so far, no country has been blacklisted. There's a gap between what the law says on paper and what happens on your network, and IoT devices live squarely in that gap.

What frustrates me most isn't the law's shortcomings — laws take time to catch up. It's that manufacturers face zero market pressure to do better. Indian consumers don't factor privacy into purchasing decisions for smart home devices. Price and features are everything. A camera that's Rs 500 cheaper will outsell a privacy-respecting alternative every single time, even if the cheaper one is sending your living room footage to an unknown server farm. Until that changes, nothing else will.

The Companion Apps Are Just As Bad

Every IoT device comes with a companion app, and these apps are a privacy disaster in their own right. I pulled up the permissions for five popular smart home apps on the Google Play Store last month. Every single one requested location access (fine, for device setup — but they want it "all the time," not just during setup). Three requested contacts. Two wanted phone state and identity. One wanted SMS access. The amount of data these apps request has nothing to do with controlling a light bulb or a thermostat. It's about building an advertising profile. The device is the Trojan horse; the app is the payload.

Indian users tend to grant permissions without reading because the alternative is that the device doesn't work. That's a dark pattern — make the device useless unless the user hands over their data. It's coercive, even if it's technically legal because a consent button exists. The consent is about as meaningful as agreeing to terms of service while your arm is being twisted.

The Voice Assistant Problem Runs Deeper Than You Think

I want to circle back to smart speakers because I think the privacy risk there deserves more attention than a passing mention. India had an estimated 15 million smart speakers in homes by late 2025, and that number's climbing fast because Amazon keeps discounting the Echo Dot to impulse-buy prices during every sale season. The pitch is convenience — ask Alexa to play music, set timers, check the weather, control your other smart devices. The reality is that you've installed a corporate-owned microphone in your living room that's listening for its wake word around the clock.

"But it only records after the wake word." Sure. In theory. Amazon's own transparency reports have shown that the wake word detection isn't perfect. The device activates on sounds that vaguely resemble "Alexa" — a name on TV, a word in a Hindi conversation that has a similar phonetic pattern, sometimes just ambient noise that the algorithm misinterprets. Each activation captures a snippet of audio, typically a few seconds, sometimes longer. Those snippets get sent to Amazon's servers for processing. In households where the speaker sits in a common area — the kitchen, the drawing room — those accidental recordings can capture arguments, financial discussions, health conversations, children's voices, and any number of private moments.

You can delete your voice history in the Alexa app (Settings, Alexa Privacy, Review Voice History), and you can opt out of the programme that lets human reviewers listen to recordings for "quality improvement." Most people don't know either of these options exists. The default is that everything gets stored and you are opted in to the review programme. Amazon designed it this way. The friction to protect your privacy is high; the friction to surrender it is zero. That's not an accident.

Google Home devices have similar dynamics, though Google has been somewhat more transparent about its data practices after its own controversies in 2019. The fundamental tension remains the same: a device designed to listen to you is, by definition, listening to you. The question is only about how much gets stored and who gets to hear it.

Children and IoT: An Overlooked Intersection

Something that rarely comes up in IoT privacy discussions: children interact with these devices constantly. Kids talk to Alexa. They stand in front of Wi-Fi cameras. They watch content on smart TVs that track their viewing habits. They're exposed to IoT data collection from birth in many Indian households, and none of it requires their consent or their parents' informed consent in any meaningful way.

The DPDPA has specific protections for children's data — verifiable parental consent, a ban on behavioural tracking of minors — but these provisions were written with apps and platforms in mind, not IoT devices. A smart speaker doesn't know whether the voice giving it a command belongs to an adult or a five-year-old. A smart TV's ACR system doesn't distinguish between a parent's viewing and a child's. The law says children's data deserves extra protection; the devices aren't built to deliver it.

Some parents have told me they use Alexa as a kind of interactive babysitter — the kid asks it questions, plays games, listens to stories. That's understandable from a convenience standpoint. It also means Amazon has extensive audio data from that child, including speech patterns, interests, and interaction times. Whether Amazon's kids-specific privacy policies (they have separate ones for their kids' offerings) are adequate is debatable. Whether Indian parents are aware those policies exist at all is less debatable — almost none of them are.

What You Should Actually Do

I could give you a long list of precautions — change default passwords, disable cloud features, update firmware, review permissions, use local-only devices. And all of that is valid. But honestly, the single most impactful thing most Indian households can do is simpler than all of that.

Before you buy the next smart device, ask yourself: does this actually need to be connected to the internet? A regular LED bulb works fine. A non-smart TV with a Chromecast plugged in gives you streaming without the ACR surveillance. A local-storage security camera (one that records to an SD card and doesn't need a cloud subscription) costs about the same as the cloud-connected alternative but doesn't send your footage anywhere.

Not everything in your house needs to be smart. Some things are better off being dumb. A light switch that just switches a light is a perfectly good light switch. It doesn't need Wi-Fi. It doesn't need an app. It doesn't need to talk to Shenzhen at 3 AM.

If you already own smart devices, there are some practical steps worth taking beyond the guest network. Change the default password on every device that has one. The admin panel on your Wi-Fi camera probably still uses "admin/admin" or "admin/password" — change it to something unique. Disable features you don't use: if you don't use voice purchasing on Alexa, turn it off. If your smart TV has a microphone and you never use voice search, disable the mic in settings. Check whether your devices have firmware updates available and install them. None of this takes long, and each step closes a small window that attackers could otherwise climb through.

For new purchases, look for devices that support local-only operation — meaning they work without connecting to a cloud server. Cameras that record to local SD cards instead of cloud storage. Smart home hubs like Home Assistant that keep everything on your local network. Zigbee and Z-Wave devices controlled through a local hub rather than through a manufacturer's cloud. This approach requires a bit more setup, but it means your data never leaves your house, and no company can change their privacy policy and suddenly start selling your usage data to advertisers.

If you've already got smart devices — and most of us do — the one thing I'd urge you to do this week is set up that guest network on your router. Log into your router's admin page (usually 192.168.1.1 or 192.168.0.1, check the sticker on the bottom), find the guest network option, enable it, and move every IoT device to it. That single step puts a wall between your smart gadgets and your personal devices. It won't solve everything, but it's the highest-impact, lowest-effort change you can make right now.
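To check what actually leaves the house, you can look for devices that contact the same server on a fixed schedule, like the bulb checking in every eleven minutes. The script below is an added example, not something from the original article: it reads a DNS query log and flags device and domain pairs whose queries arrive at nearly constant intervals. The log format, IP addresses and `.example` domains are constructed assumptions; adapt the parser to whatever your own resolver or router exports.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log (not real traffic). Assumed format per line:
# "<ISO timestamp> <client IP> <queried domain>"
SAMPLE_LOG = """\
2026-01-15T02:00:00 192.168.1.50 cloud.bulb-vendor.example
2026-01-15T02:01:10 192.168.1.20 news.example
2026-01-15T02:03:45 192.168.1.20 news.example
2026-01-15T02:11:02 192.168.1.50 cloud.bulb-vendor.example
2026-01-15T02:21:59 192.168.1.50 cloud.bulb-vendor.example
2026-01-15T02:33:01 192.168.1.50 cloud.bulb-vendor.example
2026-01-15T02:40:12 192.168.1.20 news.example
2026-01-15T02:41:00 192.168.1.20 news.example
2026-01-15T02:44:00 192.168.1.50 cloud.bulb-vendor.example
2026-01-15T02:55:01 192.168.1.50 cloud.bulb-vendor.example
2026-01-15T02:58:30 192.168.1.20 news.example
"""

def parse(log_text):
    """Group query timestamps by (client IP, domain)."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip blank or malformed lines
        ts, client, domain = parts
        try:
            seen[(client, domain.lower())].append(datetime.fromisoformat(ts))
        except ValueError:
            continue  # skip lines with an unparseable timestamp
    return seen

def find_beacons(log_text, min_events=5, max_jitter=0.10):
    """Return [(client, domain, mean interval in seconds)] for pairs whose
    gaps between queries vary by at most max_jitter (stdev / mean)."""
    beacons = []
    for (client, domain), times in parse(log_text).items():
        if len(times) < min_events:
            continue  # too few queries to call it a schedule
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append((client, domain, round(avg)))
    return sorted(beacons)

if __name__ == "__main__":
    for client, domain, interval in find_beacons(SAMPLE_LOG):
        print(f"{client} -> {domain} roughly every {interval / 60:.0f} min")
```

A DNS log only shows name lookups, so a device that caches answers for a long time, uses hard-coded IP addresses, or sends its lookups over an encrypted resolver will not appear here.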


Written by

Rajesh Kumar

Founder & Chief Editor

Rajesh Kumar is a cybersecurity expert with over 12 years of experience in digital privacy and data protection. He has worked with CERT-In and various Indian enterprises to strengthen their data security practices. He founded PrivacyTechIndia to make privacy awareness accessible to every Indian.
