
NAS & Privacy - how much data do they collect?


Nettle

Occasional Visitor
Unlike a bare hard drive, a NAS is a small computer, with an OS and software. It's permanently connected to the network, and most people just leave their modem/router on 24/7 - so it's connected to the internet all the time.

These days, most devices and software talk a lot with their makers, and privacy - what and how much data is collected and how it's used - has become an important issue.

I've been looking and can't find much on this concerning NAS's. Anyone have any info on this aspect?

Thanks.
 
most devices and software talk a lot with their makers
They may *attempt* to talk to their makers, but it is easy to monitor and block if required.

This is not unique to NASs. Pretty much any device you connect to the network may "call home" or at least try to. This is where access restrictions, firewalls and monitoring come into play.

None of my devices are granted outbound internet access until I determine what they are connecting to and why. I *NEVER* enable automatic firmware updates as the last thing I want is any device (smart hub, smart socket, Echo, NAS, router, etc) updating and rebooting unless I know about it. Ideally, the device has a manual update process rather than an internal only one as I like to store each and every firmware revision.

As every NAS manufacturer is different, and in fact each model and/or firmware revision could act differently, there is no single answer to your specific question. If you are considering a particular brand, then it is easier to research the vulnerabilities for those units.
 
Anything that involves communicating with them (outside maybe the new firmware checks) is normally opt-in for legal reasons. So as long as you stick with a reputable company and you pay attention as to which extra service you enable, you should be fine.
 
.... This is where access restrictions, firewalls and monitoring come into play.

None of my devices are granted outbound internet access until I determine what they are connecting to and why.....

Brilliant. I'm interested in gaining more control over the outbound traffic of the many devices on my network. As far as I can tell, Windows 10 firewall does not have outbound control. - EDIT - of course it does, I just forgot, but that won't control other devices. - Could I trouble you for some detail on what you use? I've sometimes thought a hardware firewall would be a good addition.
 
Anything that involves communicating with them (outside maybe the new firmware checks) is normally opt-in for legal reasons. So as long as you stick with a reputable company and you pay attention as to which extra service you enable, you should be fine.

Agreed that 'normally' we 'should' be fine. No need to be paranoid, but unfortunately all it takes is one or two examples to require us to keep on our toes. I'm reminded of this not very old story:

https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen

And that's just TV watching. These NAS devices have all our precious and sometimes private data on them.
 
Agreed that 'normally' we 'should' be fine. No need to be paranoid, but unfortunately all it takes is one or two examples to require us to keep on our toes. I'm reminded of this not very old story:

https://www.ftc.gov/news-events/blogs/business-blog/2017/02/what-vizio-was-doing-behind-tv-screen

And that's just TV watching. These NAS devices have all our precious and sometimes private data on them.

If they did it without users' consent, then we wouldn't be able to tell you because if it had been known, legal actions would have been taken (like in Vizio's case). And if they do it with their user's consent, then you will have to look at what specific features you enable, because it will vary between manufacturers.

Bottom line is, nobody can really answer such a very broad question. Personally, I'm not aware of any major manufacturer sending back any form of data based on the NAS's content.
 
I'm interested in gaining more control over the outbound traffic of the many devices on my network
For starters, I'd disable all internet traffic for any device I wasn't sure about (actually, I wouldn't use any device I really wasn't sure about). This can be done in your router, in the Network Map, Clients (icon), Select the device in question, Block Internet Access -> On.

After that, there are hundreds of utilities to monitor network traffic. Some run on your router, some as standalone devices, others as network sniffers.......

Personally, I run Pi-Hole (on a Raspberry Pi). It is easy to set up, assuming you have a Raspberry Pi, and has an easy to navigate GUI where you can see what your devices are trying to do (well, at least who they are trying to communicate with). This approach doesn't tell you what CONTENT is being sent, but limits with whom the devices connect. That's all I need to know. Either I trust the vendor, or I do not.

I see no need for any of my previous or current NAS units to have any internet access. I can download firmware and apps manually and install them as I see fit. Cutting communication provides a reasonable level of security. Ok, there are ways a 3rd party device could access and pass on stuff, but I'm not *that* paranoid.

By running a VPN, I can access my devices from anywhere.

Anything that needs internet access only, i.e. no internal network access, such as my echo dot, my smart switches, hue light hub, etc, get put on the "guest" network where they are isolated from my internal network.

Another option is to multi-home devices. My NAS (TS563) and my Raspberry Pi's have dual NICs so can connect to both the internet and my internal network exposing specific services / ports to each as is appropriate. At one point I did have one NIC on my NAS exposed with port forwarding as I was running a web site on it, ultimately I decided to move that off as I didn't want the risk. I believe a NAS should be for storage and backup, not web servers, media players, etc, but that's just my opinion.

My approach is pretty basic but I figure it provides a reasonable amount of security for very little effort or cost.
 
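An added example, not part of any post in this thread: one way to turn the DNS query log described above into a per-device review list, so a device's lookups can be checked before it is allowed outbound access. It assumes dnsmasq-style query lines of the kind Pi-hole records; the client addresses, domains and the `approved` map are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq query-log format (made-up hosts and IPs).
SAMPLE_LOG = """\
Mar  3 09:15:01 dnsmasq[412]: query[A] update.nas-vendor.example from 192.168.1.20
Mar  3 09:15:01 dnsmasq[412]: forwarded update.nas-vendor.example to 9.9.9.9
Mar  3 09:15:01 dnsmasq[412]: reply update.nas-vendor.example is 203.0.113.10
Mar  3 09:15:07 dnsmasq[412]: query[A] telemetry.nas-vendor.example from 192.168.1.20
Mar  3 09:16:30 dnsmasq[412]: query[AAAA] Update.NAS-vendor.example from 192.168.1.20
Mar  3 09:17:02 dnsmasq[412]: query[A] time.example.org from 192.168.1.31
"""

# Only "query[...]" lines name the requesting client.
QUERY_RE = re.compile(r"query\[[^\]]+\] (?P<domain>\S+) from (?P<client>\S+)$")


def domains_by_client(log_text):
    """Return {client_ip: {domain: query_count}} from dnsmasq query lines."""
    seen = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:  # forwarded/reply lines carry no client address, so skip them
            domain = m["domain"].lower().rstrip(".")  # DNS names are case-insensitive
            seen[m["client"]][domain] += 1
    return {client: dict(counts) for client, counts in seen.items()}


def unreviewed(log_text, approved):
    """List, per client, the domains it looked up that are not yet approved.

    `approved` maps client IP -> set of domains the owner has already vetted;
    a client missing from the map has nothing approved.
    """
    result = {}
    for client, domains in domains_by_client(log_text).items():
        extra = sorted(set(domains) - approved.get(client, set()))
        if extra:
            result[client] = extra
    return result


if __name__ == "__main__":
    approved = {"192.168.1.20": {"update.nas-vendor.example"}}
    for client, domains in unreviewed(SAMPLE_LOG, approved).items():
        print(client, "->", ", ".join(domains))
```

As the post says, this shows only which names a device asks for, not what content it sends; a device that connects to a hard-coded IP address never appears in the DNS log.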
If they did it without users' consent, then we wouldn't be able to tell you because if it had been known, legal actions would have been taken (like in Vizio's case). And if they do it with their user's consent, then you will have to look at what specific features you enable, because it will vary between manufacturers.

Bottom line is, nobody can really answer such a very broad question. Personally, I'm not aware of any major manufacturer sending back any form of data based on the NAS's content.

Oh I know Vizio is an extreme case - I just cited it 'cause 'normally' and 'should' reminded me of it.

A better comparison might have been Windows 10. Left in default out-of-the-box settings, it shares way more data with its maker than, say Win 7. You could spend a lot of time going through all the settings and figuring out what data transfer is actually meant by vague phrases like "improved customer experience", or you could read a few articles written by people knowledgeable in the field. I searched for such articles about NAS's, but found none. So wondered if anyone here might know anything.
 
Personally, I run Pi-Hole (on a Raspberry Pi). . .

I had a look at pi-hole.net. Very cool. But if I've read the site right, with it you can block outgoing requests to specified domains, but not block all requests by a specific device. Is that right? I checked my router - it has device access management built into it. I can disallow device 'X' from any and all internet access right on the router. But I really like the network-wide ad-block of the pi. I can only guess it gets its list of domains to block by semi-regularly checking with the maker's server?


I believe a NAS should be for storage and backup, not web servers, media players, etc, but that's just my opinion.

Without getting into whether it "should" or not, I have the exact same intention for mine - local file storage and backup, nothing more.
 
