Is Your Wi-Fi Router Tracking Your Browsing? Here's What 30,000 Words of Privacy Policies Revealed

CNET

3 days ago

Nearly all of your internet traffic will go through your Wi-Fi router. That's a lot of data, and it's certainly enough to make privacy a concern when picking one out.
So, how can you find out if your router is collecting your data? You actually don't need to dig too deep to begin with. Your router manufacturer's privacy policy is a good place to start. Of course, they're usually long and dense documents and often come with contradictory language.
Data-collection practices are complicated, and manufacturers don't exactly make it easy to read through their privacy policies if you're an average internet user. More often than not, reading through the policy all the way through will leave you with more questions than answers.
Fortunately, I have a strong stomach for fine print, and after spending the last few years testing and reviewing routers for CNET, most manufacturers tend to respond to my emails when I have questions. So, I decided to read through over 30,000 words of privacy policies from seven major router manufacturers and talk to some experts. Here's everything I found out about how routers collect data about you.
All of the problems with privacy policies
I have more experience with routers than most, but the terms of use and policy documents I read for this article still weren't easy reading. Privacy policies typically aren't written with full transparency in mind.
Locating local internet providers
"All a privacy policy can really do is tell you with some confidence that something bad is not going to happen," said Bennett Cyphers, a staff technologist with the privacy-focused Electronic Frontier Foundation, "but it won't tell you if something bad is going to happen."
"Often, what you'll see is language that says, 'we collect X, Y and Z data, and we might share it with our business partners, and we may share it for any of these seven different reasons', and all of them are very vague," Cyphers continued. "That doesn't necessarily mean that the company is doing the worst thing you could imagine, but it means that they have wiggle cover if they choose to do bad stuff with your data."
He's not wrong: Most of the privacy policies I reviewed for this post included plenty of the "wiggle cover" Cyphers described, with vague language and few actual specifics. Even worse, many of these policies are written to cover the entire company in question, including its services, websites and how it handles data from sales transactions and even job applications.
That means that much of what's written in a manufacturer's privacy policy might not even be relevant to routers.
Then there's the issue of length. Simply put, none of these privacy policies are quick reads. Most of them are written in carefully worded legalese crafted more to protect the company than inform you, the consumer. A few manufacturers are starting to get a bit better about this, with overview sections designed to summarize the key points in plain English, but even then, specifics are typically sparse; you'll still need to dig deeper into the fine print to get the best understanding of what's going on with your data.
In cases where a company uses a third-party partner to offer additional services like threat detection or a virtual private network, you may need to read multiple privacy policies in order to follow where your data ends up.
All of that made for a daunting task as I set out to read through everything thoroughly, so I focused on finding the answers to a few key questions for each manufacturer.
All of the policies I read confirmed that the company in question collected personal data for the purpose of marketing. Personal data, like your name and address, is typically collected when you're buying the router or if you're calling for troubleshooting, for example. But do manufacturers share or sell that personal data with third parties outside their control? And do router manufacturers track web activity, including websites visited while browsing?
Let's take a closer look at what I found out.
Router manufacturer privacy practices
Tracks online activity Shares personal data with outside third parties Sells personal data Allows users to opt out of data collection Arris No No Yes* No Asus No No No Yes D-Link Unclear No No No Eero No No No No Google Nest No No No Yes Netgear No No No No TP-Link No No No No
*CommScope, which manufactures Arris Surfboard networking products, says it doesn't sell data collected from products, but rather, that some of its business operations including order fulfillment and data analytics may constitute a sale under California law. You can find more details on that in the "Is my data being sold?" section.
Is my router really tracking the websites I visit?
Before we begin, I'll note that this article covers the privacy policy of router manufacturers, not the privacy policies of internet service providers. If you're renting a router from your ISP, the information covered here likely won't apply to you as your ISP may monitor your router as it sees fit.
Almost all of the web traffic in your home passes through your router, so it's difficult to imagine that it isn't tracking the websites you're visiting as you browse. Every major manufacturer I looked into discloses that it collects some form of user data for marketing or technical purposes -- but almost none of the policies I read explicitly answered the question of whether or not routers log or record web history.
The sole exception? Google.
Google's privacy notice for Nest Wifi and Google Wifi devices was the only policy I found from any manufacturer that explicitly states that the products do not track the websites you visit.
Chris Monroe/CNET
"Importantly, the Google Wifi app, Wifi features of the Google Home app, and your Google Wifi and Nest Wifi devices do not track the websites you visit or collect the content of any traffic on your network," Google's support page for Nest Wifi privacy reads. "However, your Google Wifi and Nest Wifi devices do collect data such as Wi-Fi channel, signal strength, and device types that are relevant to optimize your Wi-Fi performance."
I asked each of the six other companies I looked into for this post whether or not they tracked the websites their users visit. Though none of them indicate as much in their privacy policies, representatives for five of them -- Eero, Asus, Netgear, TP-Link and CommScope (which makes and sells Arris Surfboard networking products) -- directly told me that their products do not track the sites that users visit on the web.
Eero
"Eero does not track and does not have the capability to track customer internet browsing activity," an Eero spokesperson said.
Asus
"Asus routers do not track what the user is browsing nor do our routers include targeting or advertising cookies," an Asus spokesperson said.
Netgear
"Netgear routers do not track any user web activity or browsing history except in cases where a user opts in to a service and only to provide information to the user," a Netgear spokesperson said, offering the examples of parental controls that allow you to see the sites your child has visited, or cybersecurity features that let you know what sites have been automatically blocked.
TP-Link
TP-Link also told CNET that it doesn't collect user browsing history for marketing purposes, but the company muddies the waters with confusing and contradictory language in its privacy policies. Section 1.2 of the company's main privacy policy says that browsing history is only collected when you use parental control features to monitor your child's web usage -- but a separate page for residents of California, where disclosure laws are more strict, says that browser history is collected using cookies, tags, pixels and other similar technologies, anonymized and then shared internally within the TP-Link group for direct marketing purposes.
When I asked about that discrepancy, a TP-Link spokesperson explained that the cookies, tags and pixels mentioned in that California disclosure are referring to trackers used on TP-Link's website, and not referring to anything its routers are doing.
"I will say our policy can be clearer," the spokesperson said. "That's something we're kind of working on right now, internally."
CommScope
CommScope, too, says that its products don't collect a its users' browsing history -- though the company makes a distinction between retail products sold directly to consumers and the routers it provides via service partnerships with third-party partners, most notably internet service providers.
"Regarding our retail Surfboard products, CommScope has no access or visibility to an individual users' web browsing history or the content of the network traffic flowing through these retail products," a company spokesperson said.
D-Link
Meanwhile, D-Link did not respond to multiple requests for clarification about its data collection practices, and it's unclear whether or not the company's products track any person's browsing data. I'll update this post if and when I hear back.
Ry Crist/CNET
Where exactly is my router data going?
Even if your router isn't tracking the specific websites you visit, it's still collecting data as you use it. Much of this is technical data about your network and the devices that use it that the manufacturer needs to keep things running smoothly and to detect potential threats or other issues. In most cases, your router will also collect personal data, location data and other identifiers -- and like I said, every company I looked into explicitly acknowledged that it uses data like that for marketing purposes in one way or another.
If a company is "using your data for marketing," that often means that your data is being shared with third parties. In that case, there is a risk that the company may share your data with a third party outside of its control, which would then be free to use and share your data however it likes.
"When data is used to target ads, it's usually not just used by the company that's collecting the data," said Cyphers. "The company is going to share it with a number of advertising companies who might share it downstream with a number of other, vaguely ad-related companies. All of them are going to use that data to augment profiles they already have about you."
With respect to routers, all of the companies I looked at acknowledged that they share user data with third parties for marketing purposes. However, the majority of these companies claim that these are in-house third parties bound by the company's own policies, and all of the companies I reached out to said that they don't share data with third parties for their own independent purposes.
CommScope notes that the way it handles and shares data used for performance analytics with its Arris Surfboard routers constitutes a sale of personal data under California law.
Ry Crist/CNET
Is my data being sold?
I also asked the companies I looked into for this post whether or not they sell data that could be used to personally identify a user, as defined by the California Consumer Privacy Act of 2018. That law defines a "sale" broadly to include, "selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer's personal information by the business to another business or a third party for monetary or other valuable consideration."
Most of the companies indicate in their privacy policies that they do not sell personal data, but the CommScope privacy policy acknowledges that it shares information, including identifiers as well as internet and other network activity information, for purposes including marketing in a way that qualifies as a sale as defined by California.
"Data used for some of our business operations like order fulfillment and performance analytics as well as the use of 'cookies' on our CommScope.com and Surfboard.com websites may constitute the 'sale' of 'personal information' under a conservative reading of the California law," a CommScope representative says.
There's some nuance to that "yes" on the question of whether or not the company sells data, especially since things like order fulfillments and cookies on CommScope's website don't directly relate to the use of CommScope home networking hardware. Still, it's noteworthy that the company acknowledges that some of its practices may constitute a sale under California law when the majority of the manufacturers I looked at did not.
"We can say that we do not sell data collected from the modems nor is that data used for marketing purposes by CommScope," the company added. "But where modems are ordered from us directly or where we provide customer support, that information is 'sold' (our read of the California law) only as part of filling that order and providing those services.
"Where we supply modems/gateways to service providers, they control their own privacy policy controls," the company added.
People in California have the right to tell CommScope not to sell their data on this website, but CommScope says that it "reserves the right to take a different approach" when responding to requests from users who live elsewhere.
Meanwhile, TP-Link tells CNET that it does not sell its users' personal data and that none of the data collected by its routers are used for marketing at all. Still, the company's privacy policy appears to create wiggle room on the topic: "We will not sell your personal information unless you give us permission. However, California law defines 'sale' broadly in such a way that the term sale may include using targeted advertising on the Products or Services, or how third party services are used on our Products and Services."
Enlarge Image
Motorola router users can find a clear option for opting out of data collection in the settings section of the Motosync app used to manage their device.
Screenshot by Ry Crist/CNET
Can I opt out of data collection altogether?
With some manufacturers, the answer is yes. With others, you can request to view or delete the data that's been collected about you. Regardless of the specifics, some manufacturers do a better job than others of presenting clear, helpful options for managing your privacy.
The best approach is to give people an easy-to-locate option for submitting an opt-out request. Minim, the company that manages Motorola's home networking software, is a good example. Head to the settings section of the company's Motosync app for routers like the Motorola MH7603, and you'll find a clear option for opting out of data collection altogether. Asus offers a similar option, telling CNET, "users can opt out or withdraw consent for data collection in our router setting interface at any time by clicking the "withdraw" button."
Unfortunately, that approach is more exception than norm. The majority of manufacturers I looked into make no mention of opting out of data collection within their respective apps or web platforms, choosing instead to process opt-out and deletion requests via email or web form. Usually, you'll find those links and addresses in the company's privacy policy -- typically buried towards the end, where few are likely to find them.
That's the case with Netgear. Pursuant to Apple's policies, the company discloses its data collection during setup on iOS devices, complete with options for opting out, but there's no way to opt out in the app after that. Android users, meanwhile, get no option to opt out at all.
"From the Android app (or iOS), a user can go to About > Privacy Policy and click on the web form link in Section 13 to delete their personal data," a Netgear spokesperson said. "We will look into making this option less hidden in the future."
Other manufacturers, including D-Link and TP-Link, don't offer a direct means of opting out of data collection, but instead, instruct privacy-conscious folks on how to opt out of targeted advertising via Google, Facebook or Amazon, or to install blanket Do Not Track cookies offered by self-regulatory marketing industry groups like the Digital Advertising Alliance and the Network Advertising Alliance. That's better than nothing, but a direct means of opting out would make for a better approach -- especially since some companies might not make use of Do Not Track signals like those.
"At this time, TP-Link does not honor Do Not Track signals," the company's privacy policy states.
Enlarge Image
Sections 8b and 8c of Eero's privacy policy make it clear that the only way to opt out of data collection is not to use Eero devices at all. Requesting that Eero delete the personal data it's gathered about you will render the devices inoperable, and Eero may still keep a backup of your data afterwards.
Screenshot by Ry Crist/CNET
This brings us to Eero. The company does not offer an option for opting out of data collection, and instead says the only way to stop its devices from gathering data is to not use them.
"You can stop all collection of information by the Application(s) by uninstalling the Application(s) and by unplugging all of the Eero Devices," the Eero privacy policy notes.
You can ask Eero to delete your personal data from its records by emailing privacy@eero.com, but the company claims that there's no way for it to delete its collected data without severing your connection to Eero's servers and rendering devices inoperable.
The privacy policy also notes that the company "may be permitted or required to keep such information and not delete it," so there's no guarantee that your deletion request will actually be honored. Even if Eero does agree to delete your data, that doesn't mean that the company won't keep a backup.
"When we delete any information, it will be deleted from the active database, but may remain in our backups," Eero's policy reads.
How to opt out of router data collection, no matter which router you use
Data collection is all too common in today's consumer tech, including concerns with smartphone apps, social media, phone carriers, web browsers and plenty more. I'd rank my concerns with routers beneath those -- but your home networking privacy is still worth paying attention to.
From my perspective, opting out of data collection whenever possible is typically a good idea, even if the collection itself seems harmless. There's simply no good way to know for certain where your data will end up or what it will be used for, and privacy policies will only tell you so much about what data is actually being collected. To that end, here are some options for opting out with each of the manufacturers covered in this post below. And, as I continue to test and review networking hardware, I'll keep this post up to date.
Asus
You can withdraw consent for data collection by heading to the settings section of the Asus web interface, clicking the Privacy tab, and then clicking "Withdraw." You can reach that web interface by entering your router's IP address into your browser's URL bar while connected to its network, or by tapping the options icon in the top left corner of the Asus Router app and then selecting "Visit Web GUI."
CommScope (Arris)
If you live in California, you can tell CommScope not to sell your data by filling out a form on this website, but the company won't guarantee that it will honor requests if you live elsewhere. There isn't a direct option for opting out of data collection in any of the apps used to set up and manage CommScope products, but the company notes that you can unsubscribe from promotional emails at any time.
D-Link
D-Link does not offer a direct option for opting out of data collection, but instead, directs you to opt out of interest-based advertising from participating companies by using Do Not Track cookies provided by the Network Advertising Initiative, a self-regulatory marketing industry group.
Eero
Eero has no opt out setting for data collection, as Eero claims that its devices are unable to function without sending device data to Eero's servers.
Google Nest
You can manage your Google Wifi or Nest Wifi privacy settings and opt out of certain data collection practices by opening the Google Home app and tapping Wi-Fi > Settings > Privacy Settings.
Netgear
Netgear doesn't offer an option for completely opting out of data collection, but you can fill out a form on this website to download and view any data that Netgear has collected or request that Netgear delete that data.
TP-Link
TP-Link doesn't offer a direct option for opting out of data collection, but it does share instructions for opting out of interest-based advertising via Facebook, Google and Amazon on its website. The site also offers information about Do Not Track cookies available from the Digital Advertising Alliance and the Network Advertising Initiative, which are self-regulatory marketing industry groups.
For more Wi-Fi tips, check out where you should set up your mesh router and why your ISP might be throttling your connection.