Warning: *Privacy Not Included with this product
Samsung Galaxy SmartTag 2
The Galaxy SmartTag is a Bluetooth tracker that also lets you control some of your smart home devices with the click of a button. Cool. Pop this little puppy on your keychain and find your lost keys from up to 120 meters away. You can push a button on your phone to make the SmartTag play a sound to lead you right to that very important thing you lost. Or tap into the Galaxy Find Network help you find what you've lost if you're out of Bluetooth range. Before you buy though, know the SmartTags are only compatible with Samsung Galaxy phones and tablets. That's a little limiting. Oh, and Samsung is kinda terrible at privacy.
What could happen if something goes wrong?
Samsung's Galaxy SmartTags don't have the huge community network of devices helping track them that Apple's Airtags and Tile's trackers do. But, they’re working on it. In May 2023, they announced that they added millions of devices to their SmartThings Find network, growing it by 1.5 times since last year. Thankfully, just like other popular trackers, Samsung has taken some steps to help scan if an unknown SmartTag is nearby and tracking you, which is good. You should know that this setting has to be turned on, under "Unkown Tag Detection," then "Unkown tag alerts." Is this the best anti-stalking solution on the market? No. But because Samsung's network is not as vast as AirTags', they're not going to be as effective at long-range tracking. And because they're not as good at long-range tracking, SmartTags probably won't be the product of choice for bad actors.
Privacy-wise, it sure seems Samsung likes to collect a lot of data on users, not gonna lie (seriously, the children's data section in their Samsung account privacy policy seems nuts to us).. That might include your geolocation, browsing history, the super-broad "sensory information," and lots of other kinds of personal identifiable information. They can also create inferences about you (assumptions about your behavior and preferences) based on the other information they collect about you. Then, they say they can share (and possibly sell) some of that data around lots of places -- with affiliates, business partners, marketing partners, and “data analytics providers.” They also reserve the right to sell your data for advertising purposes. Tisk tisk. They also say they can share information about you “to law enforcement authorities … if required or permitted to do so by law or legal process.” Hmm. Since it’s not usually illegal to share your data, that wording leaves the door open for your information to be shared pretty much at their discretion.
Oh, and parents, if you have a child please don't create a Samsung account for them. As we mention above, what Samsung says they can collect and share on your child if you create an account for this is crazy. They say they can collect things like video, images, geolocation information, health information, calls and messages. And then they go on to say they can use that information about your child for things like " delivering content and responses tailored to your child and the way your child interacts with the services and features," and the broadly defined "To operate, evaluate and improve our business, including developing new products and services, managing our communications, analyzing our services and customer base, aggregating and anonymizing data, performing data analytics and undertaking accounting, auditing and other internal functions." That's not all though. They also say they can share your child's information with subsidiaries, affiliates, service providers, and "our business partners, such as wireless carriers, as well as third parties who operate apps and services that connect with certain Child Services". This all seems like a lot of potential collection and sharing of your child's personal information that you probably don't want collected and sold. Poor form, Samsung, and the many others who share personal data willy nilly.
Speaking of “nilly,” Samsung also accidentally leaked sensitive data to ChatGPT in early 2023 when their employees reportedly pasted code into the AI chatbot asking for help -- to check and optimize it. Samsung banned its use on all company devices and devices that connect to their network when they found out. It’s a good reminder for everyone that what you share with ChatGPT and most other chatbots is not private.
One last gripe? We did not get off on the right foot with Samsung. If you search for Samsung’s privacy policy, you’ll find a bunch of different results that link to different Samsung websites -- with different policies for their accounts and for their services and products which is kinda confusing because most people who have one probably have the other, too. We based this review on their most recently updated policy (and its Californian counterpart) that says it covers their connected devices and services. Privacy researchers sure do have confusing privacy policy ecosystems because it makes our jobs hard, and because we know if we're struggling to find and understand it when it's our job, what chance do consumers have when they have little time to sort through everything. Do better Samsung!
It’s finally silver lining time! It seems like Samsung might (but probably not) extend the rights that protect users under California’s stronger privacy law, CCPA, to all of the United States, since they call them “US Consumer Privacy Rights” and the form where you can request to access or delete your data lets you choose different states. And Samsung users in Europe have those rights by default thanks to their own privacy protection law, GDPR. If you want to exercise them, you can kick off the request by choosing your country here. Unfortunately though, Samsung doesn’t make that promise to all its users (even in the US) in their privacy policy. They say those rights are “subject to applicable law” so they’re not guaranteed no matter where you live. That’s a shame. And to put another damper on that potential silver lining -- completing that form to try and excercise your rights to have your data deleted is nearly impossible without a computer science degree. Again, Samsung, do better!
What could go wrong? Well, Samsung likes to show ads tailored to you through various ad networks, and say they do a lot of tracking of your online activities to do so. These little tags track the location of things you like tracked. They could help Samsung know you like to go bowling a lot, target you with ads for those ugly bowling shoes, you buy 8 pairs because, hey, why not, and then what are you going to do with 8 pairs of bowling shoes? OK, this is probably not likely, but also not impossible in our digital ad economy. Also, there are way worse things that could happen with all the huge amounts of data that Samsung collects on you. Especially given there not so great track record at protecting all that data.
Tips to protect yourself
- Check the tips on how to know if someone is tracking you without your consent.
- Use the Unknown Tag Search feature in Samsung SmartThings app, to be notified if you are being unwillingly tracked.
- Do not sign up with third-party accounts. Better just log in with email and strong password.
- Chose a strong password! You may use a password control tool like 1Password, KeePass etc
- Use your device privacy controls to limit access to your personal information via app (do not give access to your camera, microphone, images, location unless neccessary)
- Keep your app regularly updated
- Limit ad tracking via your device (eg on iPhone go to Privacy -> Advertising -> Limit ad tracking) and biggest ad networks (for Google, go to Google account and turn off ad personalization)
- Request your data be deleted once you stop using the app. Simply deleting an app from your device usually does not erase your personal data.
- When starting a sign-up, do not agree to tracking of your data if possible.
Can it snoop on me?
Camera
Device: No
App: Yes
Microphone
Device: No
App: Yes
Tracks location
Device: Yes
App: Yes
What can be used to sign up?
Yes
Phone
No
Third-party account
No
What data does the company collect?
Personal
"Identifiers: identifiers such as a real name, alias, postal address, unique personal identifier (such as a device identifier; cookies, beacons, pixel tags, mobile ad identifiers and similar technology; customer number, unique pseudonym, or user alias; telephone number and other forms of persistent or probabilistic identifiers), online identifier, internet protocol address, email address, account name, and other similar identifiers Additional Data Subject to Cal. Civ. Code § 1798.80: signature, bank account number, credit card number, debit card number, and other financial information Protected Classifications: characteristics of protected classifications under California or federal law, such as age and sex Location information: Information about nearby Wi-Fi access points, cell towers, and, with your separate consent, your device’s GPS signal, may be transmitted to us when you use certain Services. In addition, for certain Services, zip codes or postal codes and inferred locations using IP addresses may be transmitted to us when you use such Services. Inferences: inferences drawn from any of the information identified above to create a profile about you reflecting your preferences, characteristics, and behavior (for example, when you use the Customization Service or in connection with personalized ads served to you)"
Body related
Social
How does the company use this data?
How can you control your data?
What is the company’s known track record of protecting users’ data?
In April 2023, internal, sensitive data was leaked to ChatGPT from Samsung. As the result of the leak, Samsung banned use of generative AI tools at the company.
In early 2022, Samsung fell victim to the Lapsus$ cybergang, which boasted to have stolen 190 Gb of data from the tech giant. The data breach notice conspicuously notes that the breach “did not impact Social Security numbers or credit and debit card numbers.”TechCrunch asked Samsung if it collects and stores Social Security numbers and that this data is unaffected, but the company declined to say — only that the issue “did not impact” Social Security numbers. Samsung collects Social Security numbers as part of its financing options and as a requirement for users of Samsung Money.
In February, 2020, Samsung had a data breach on its UK customer account pages, affecting less than 150 people.
Child Privacy Information
Can this product be used offline?
User-friendly privacy information?
Trying to find, navigate, read, and understand Samsung's various privacy policies is a nightmare.
Links to privacy information
Does this product meet our Minimum Security Standards?
Encryption
Strong password
Security updates
Manages vulnerabilities
Privacy policy
Dive Deeper
-
The Galaxy SmartTag2 is here with big improvements but still limited to Samsung devicesAndroid Police
-
Samsung's New $30 SmartTag 2 Takes On Apple AirTagsCNet
-
Samsung Bans Staff’s AI Use After Spotting ChatGPT Data LeakBloomberg
-
Samsung bans use of generative AI tools like ChatGPT after April internal data leakTechCrunch
-
Galaxy users, take note: Samsung's probably selling your dataJR Raphael
-
Samsung SmartThings Update Aims to Prevent Tracker-Based StalkingMacRumors
-
Samsung cops to data leak after unsolicited '1/1' Find my Mobile push notificationThe Register
-
I found my stolen Honda Civic using a Bluetooth tracker. It’s the latest controversial weapon against theft.The Washington Post
-
5 Best AirTag Alternatives for Android UsersGuiding Tech
Comments
Got a comment? Let us hear it.