Cloud requirements

The MONDO app is available on both Android and iOS app stores. Unfortunately, the first thing you encounter when launching the app is a login screen. This means that basic functionality like equalizer settings and firmware updates are completely inaccessible without creating an account.

The app’s permission requests are particularly concerning. On iOS, it immediately asks for location and Bluetooth permissions before you can do anything. On Android, the situation is worse – after logging in, you’re bombarded with requests for permissions that have no reasonable connection to headphone functionality, including access to all photos and media on your device, and the ability to manage phone calls.

While you can use the MONDO devices as standard Bluetooth headphones without the app, any customization or firmware updates require creating an account and accepting these privacy-invasive permissions.

Data portability

The app provides no way to export your data. While the privacy policy states “You can contact us to request deletion of your personal information through the methods provided in this Privacy Policy, and we will reply within 15 working days”, there is no automated way to access or download your data.

Ecosystem openness

The MONDO devices function as standard Bluetooth headphones and speakers, which means they’ll work with any Bluetooth-capable device without additional software. However, accessing features like equalizer settings requires installing the proprietary app and also creating an account and agreeing to an expansive privacy policy.

Data privacy

While it’s possible to use the headphones without the app (and thus avoid data collection entirely), the app’s privacy policy raises serious concerns about data collection and sharing practices. It seems to be a boilerplate policy without much thought for the actual service provided.

The app requests an alarming array of permissions that go far beyond what’s needed for headphone functionality:

• Complete access to photos and media
• Audio recording capabilities
• List of all installed apps
• Location data and WiFi network scanning
• External storage access
• System settings modification
• Phone call monitoring

The privacy policy includes broad data sharing terms with:

• Undefined “affiliates”
• Third-party advertisers
• Academic research
• Generic “partners”

There appears to be no automated process for data deletion for this, and the policy lacks crucial details about:

• Data retention periods
• Geographic location of data storage
• Process for correcting personal information
• Clear opt-out mechanisms for data collection

Tested on Android and iOS using version 1.0 of the Unwanted Cloud methodology.

The post Defunc MONDO Headphones – Privacy Review appeared first on Unwanted Cloud.

The Ulanzi TC001 is a versatile pixel display that can show various information including time, YouTube subscriber counts, and custom animations. What sets it apart is its commitment to local control and open standards support.

Cloud requirements

The initial setup of the TC001 is refreshingly straightforward and privacy-friendly. After connecting the device to your WiFi network, you access its interface through a web UI using its local IP address. No account creation is required for any functionality, including firmware updates.

While some features, like the YouTube subscriber count, require you to obtain an API key from Google Cloud, this is separate from the device itself and is a limitation of accessing YouTube’s data rather than a requirement from Ulanzi.

An especially noteworthy feature is that you can completely replace the stock firmware with the open-source AWTRIX 3 firmware if you prefer a fully open-source solution, though replacing the stock firmware does reduce some functionality (like showing YouTube Subscriber counts) unless integrated with a home automation system like Home Assistant.

Data portability

The device stores minimal data locally, primarily consisting of your display preferences and settings. When using the AWTRIX 3 firmware, all settings can be exported, making it easy to backup or transfer your configuration.

Ecosystem openness

The TC001 shines in its ecosystem approach. The stock firmware includes an AWTRIX v2 simulator, allowing you to use the AWTRIX protocol to control the display. This means you can combine the advanced built-in features like YouTube subscriber counting with AWTRIX applications.

It’s worth noting that while the stock firmware supports AWTRIX v2, the optional AWTRIX 3 firmware uses the newer v3 standard, which is not backward compatible. However, both versions work completely offline and provide local control over the device.

Data privacy

While we did not perform telemetry testing on the stock firmware, users who are extra concerned about privacy can opt for the open-source AWTRIX 3 firmware, which is known to be telemetry-free. The ability to completely replace the firmware with an open-source alternative provides the highest level of privacy assurance possible.

Other notes

While the TC001 excels in privacy and functionality, it’s worth noting some limitations. The device includes a built-in battery that is difficult to replace, as it requires removing the front screen which is secured with adhesive. Attempting battery replacement risks damaging the device, and permanent battery removal requires soldering skills. This design choice impacts repairability and environmental sustainability. However, given the device’s affordable price point (around $50) and the expected multi-year battery lifespan, these limitations may be acceptable to you.

Tested using version 1.0 of the Unwanted Cloud methodology.

The post Ulanzi TC001 Smart Pixel Clock – Privacy Review appeared first on Unwanted Cloud.

Although our review will use the Key Light Air, this review also applies to the other key lights that Elgato sells.

The Elgato Key Light range is very conscious of your privacy and is an excellent choice for a smart controllable key light.

Cloud requirements

The Elgato Control Center app is available on the Android and Apple play store. When launching the app for the first time, we are guided through the initial pairing process. The app has no concept of user accounts, all you have to do is to connect it to your WiFi.

The key light is controllable when your phone is connected to the same WiFi network as the light. All lights on your network are automatically discovered. One thing to keep in mind is that everyone on your network will be able to control the lights.

Data portability

The app or website does not have any dedicated data export, but there is practically no configuration to export aside from the lights name and current settings. There are also no user accounts.

Ecosystem openness

The Elgato Key Light can be controlled locally using a REST API without any cloud connection. See this blog post for API details and this library for a reference implementation. As mentioned previously, the API does not have any authentication, it’s open to all users on your network.

Data privacy

Elgato has a general Privacy Policy, however there is no links to it from the Android app. Via the Apple app store listing, we can see that the app collects some data, however no data that is linked to you.

Considering the absence of an account system, we have no reason to doubt this information.

We observed that upon startup, the Elgato Key Light Air does briefly communicate over the internet. However, the amount of data is very small and we have no reason to believe that any persistent tracking is occuring.

Tested on Android using version 1.0 of the Unwanted Cloud methodology.

The post Elgato Key Light Air – Privacy Review appeared first on Unwanted Cloud.

Although our review will use the Nanoleaf Elements, this review also applies to most other light panels that Nanoleaf sells.

While the Nanoleaf is not perfect from a privacy perspective, it strikes a good balance between convenience and usability.

Cloud requirements

The Nanoleaf app is available on the Android and Apple play store. When launching the app for the first time, we are guided through the initial pairing process. While the app puts a big emphasis on creating a Nanoleaf account and logging in, it is possible to skip this step. The app does not force you to create any account to fully use the device, earning it an A grade.

The device only works connected to your WiFi network. Once the device is configured, you can control it locally, but not remotely (eg. when you’re on your 4G mobile connection), which is expected. Multiple users can have access to the same Nanoleaf device – each user has to go through the pairing procedure, however it is very fast since you don’t have to set up the WiFi every time. A big bonus is that you can pair via NFC, which is very convenient.

Data portability

The app or website does not allow you to export your data. If you have a cloud account you can enable “Cloud sync” which syncs your rooms and light preset data, however if you do not use a cloud account you will have to set this up again if you ever reset your device.

Ecosystem openness

The Nanoleaf can be controlled locally using a REST API without any cloud connection. See this thread and this Postman collection for information.

Data privacy

Nanoleaf provides a well-written privacy policy. Although they are a Canadian company they claim their privacy policy is in the “spirit” of GDPR and that they will honor the rights that the GDPR provides users. While the privacy policy is not overreaching, there is no way to opt out of data collection from inside the app. There is also no way to get an automated GDPR export.

We observed that the Nanoleaf device does attempt to continuously communicate with online servers when it is running, but we did not check the contents of the communications. This is not possible to turn off. Considering that many devices in the Nanoleaf product line have a microphone and that WiFi is the only setup option, it is advised that you block the device from communicating with the internet. We confirmed that it was still possible to use the device locally even when it was blocked from communicating with the internet.

Tested on Android using version 1.0 of the Unwanted Cloud methodology.

The post Nanoleaf – privacy review appeared first on Unwanted Cloud.

Cloud requirements

When you take the Ember mug out of the box, it is pre-set to a temperature of 57 degrees celsius. If you are happy with this, you can use the mug without ever connecting it to the app. However, to set the temperature to anything other than the default, the app is required, as there are no physical buttons to control this on the mug.

The Ember app is available on the Android and Apple play store. When launching the app for the first time, we are guided through the initial pairing process. Once we have found our cup and are about to complete our process, a forced login screen appears. This means that in order to control the temperature of your mug or perform firmware updates, a cloud account is required.

The Ember app allows you to control the temperature of your cup and configure presets. This functionality does not inherently rely on anything cloud-connected, as commands are sent from your phone directly to your mug over Bluetooth.

Data portability

The app or website does not allow you to export your data. Furthermore, it was not possible to access your profile from within the app at the time of testing.

Ecosystem openness

Ember does not provide any API for use with your mug. There are no third party apps or open source code available to get the cup to work without the proprietary app. There is an effort to reverse-engineer the Bluetooth protocol.

Data privacy

Ember provides a well-written privacy policy and a terms of service. They do honor the GDPR. While the privacy policy is not overreaching, there is no way to opt out of data collection from inside the app. There is also no way to get an automated GDPR export.

Tested on Android using version 1.0 of the Unwanted Cloud methodology.

This review was amended on September 28, 2022 in response to a comment from lentzit.

The post Ember Mug – privacy review appeared first on Unwanted Cloud.