Is Your Coffee Maker Out To Get You?

A dubious research firm claims Chinese-made coffee makers are collecting user data for nefarious purposes.

What's that saying about glass houses? I'm not properly caffeinated yet, so I can't recall. Fortunately, I can pop over to the office coffee maker to remedy the situation—despite a recent report from a vaguely nationalistic data firm that suggests Chinese-made coffee makers are collecting user data for nefarious purposes. Ah, the sweet smell of sweeping generalizations in the morning!


Earlier this week, ultra-conservative news outlet The Washington Times reported on recent claims from New Kite Data Labs, a think tank devoted to exploring "how China is changing the role of private enterprise and using the openness of liberal democracies against itself." (Hmm, yikes!) The firm was founded by American researcher Christopher Balding, who recently published a report suggesting that one brand of smart coffee machines—those manufactured by Kalerm in Jiangsu, China—are collecting user data. "China is interested in all nature of data whether it is military data from top secret projects all the way through to your morning cup of coffee," the report reads.

All right. Let's get into it.


Is your coffee maker spying on you?

First, let's explore the claims put forth by New Kite Data Labs. Per the firm's report, the coffee machines gather customer information including a user's relative location, beverage preferences, and, in commercial settings like hotel breakfast buffets, different types of payments and routing information. (It's unclear to which coffee maker model the latter point might apply, although Kalerm does offer a large commercial model, like the kind you'd see at a convenience store. That model appears to accept user payment for coffee.)


The report specifies:

"While home use automated machines will not collect payment data, payment data can undoubtedly be considered sensitive information especially in a commercial setting. From payment type to routing information, payment details can and should be considered sensitive information."

Yes, true. Payment information is sensitive information. Here's the rub: New Kite Data Labs was unable to determine if the commercial Kalerm coffee makers are used to store payment information gathered from consumers outside of China.

"While we cannot say this company is collecting data on non-Chinese users, all evidence indicates their machines can and do collect data on users outside of Mainland China and store the data in China," the report said.


What evidence, you might ask? Unclear. Balding told the Washington Times that New Kite wouldn't disclose its research methods after publishing the report. Why? As the Times puts it, Balding "does not want China to stop him from learning more about its data collection."

The problem with the Internet of Things

I need to clarify that I'm not advocating for the Internet of Things, or IoT. (If you're unfamiliar, IoT refers to any kind of "smart" household device—your Amazon Echos, your Roombas, your Nest thermometers, etc.) I see no possible reason to ever purchase a smart coffee maker, and IoT does present security issues. A few years ago, we reported that certain smart coffee machines became vulnerable to hackers after a major ransomware attack. That's bad! I am not disputing that.


The problem with New Kite's report—aside from its murky research methods and dubious data—is its bizarre nationalist bent. "China is really collecting data on really just anything and everything," Balding told the Washington Times. "As a manufacturing hub of the world, they can put this capability in all kinds of devices that go out all over the world."

Yeah, man. Same for basically every other major company on Earth.

Do IoT manufacturers take advantage of low security and unclear data policies? They sure do—but so do U.S.-based companies like Facebook and Amazon. If you're concerned that your smart coffee maker might be collecting your data, I have bad news about your smart vacuum. And your Echo speaker. And your television. And your car.


Painting IoT vulnerabilities as a nationalist concern in the face of an "adversarial state" accomplishes nothing. If you really want to advocate for data privacy, start with the tech companies in your backyard. Or just don't buy a smart coffee maker. If you need me, I'll be waddling to my home coffee maker, robe gaping open, savoring the freedom of knowing that my coffee maker is dumb as a rock.