Until I have verification otherwise, I’m just assuming that Signify/Hue is going to just collect everything it can on me and sell it to third parties. This is why I, in general, immediately block ALL internet access for any IP device on my network unless there is a reason to have it talk to the cloud. I don’t have a single camera that can reach the Internet, yes this is a bummer sometimes because I might want a firmware update and, at least for now, you can generally download the bin file and upgrade it yourself so I schedule this once a quarter.
I never bothered blocking Hue because I wanted auto updates and all the scenes, but it’s now been blocked since this thread was started and everything is working just fine. When that stops being the case I’ll just link them up as Zigbee devices, ditch the hub and wash my hands of their hub.
The thing that really bugs me about companies like this is that they SAY they will only collect data on THEIR devices (technically they are mine now but whatever), however they can easily ARP out my network to see what other types of devices I use based on MAC address (not all resolve but the big ones do), get a count of how many IP devices I run and much more - without needing to hack my system to do this. Of course they all claim they wouldn’t dare do this but how many times have major manufacturers been caught with their hand in the cookie jar? It’s risk assessment, they will illegally (and against their TOS) collect everything they possibly can until the lawsuits force them to stop because they cost more than the sale of this private data.
I’ve sniffed many devices on my network, there’s not a single camera I own that doesn’t make very regular calls to Chinese sites - some are probably legitimate, but I have watched Foscam call Chinese servers 300+ times an hour!
So, just block them all and if you lose functionality then return them. Heck, I have full control over my ESP devices yet I still won’t allow them to the Internet for any reason.
It’s an offer, I pay through an account to support the devs. But I have my own setup that enables remote access. Plenty of guides around to get started if you’re interested.
I’m with them this time. Technically you don’t own them even though you paid for the hardware.
Well, guess there is no need anymore for that really, as most likely more operating systems than only iOS probably suck data like that already by default and might share it for the right incentive too.
Mobile Handset Privacy: Measuring The Data iOS and Android Send to Apple And Google
Abstract — We investigate what data iOS on an iPhone shares with Apple and what data Google Android on a Pixel phone shares with Google. We find that even when minimally configured and the handset is idle both iOS and Google Android share data with Apple/Google on average every 4.5 mins. The phone IMEI, hardware serial number, SIM serial number and IMSI, handset phone number etc are shared with Apple and Google. Both iOS and Google Android transmit telemetry, despite the user explicitly opting out of this. When a SIM is inserted both iOS and Google Android send details to Apple/Google. iOS sends the MAC addresses of nearby devices, e.g. other handsets and the home gateway, to Apple together with their GPS location. Users have no opt out from this and currently there are few, if any, realistic options for preventing this data sharing.
To be honest, I’m surprised how many people use the hue hub. I never even set mine up, just left it in the box because 4 bulbs + hub was cheaper than 4 bulbs when I bought it.
On the other hand, if anyone in Canada wants to send me their Hue Hub I’ll pay for the postage. I’m serious.
I’m surprised I read through this whole thread and although I understand the thought of privacy and not having accounts, we all have them and we all use them. In any case I don’t have any issues with accounts although am generally trying to move local.
I already complained about this 4 months ago, as I was already forced to use an account for Matter.
After getting lied to multiple times (like “for security reasons”), our conversation ended with “bullshit”. And I’m usually a very polite person.
I would move away from the hub instantly, unfortunately I still have the very old-school round touchlink remotes, which don’t work with other Zigbee controllers.
I now regret introducing my partner to the Hue ecosystem a year ago. I’ve had a complete change of heart, going from recommending it to avoid it at all costs.
And btw, how can an approx 40 page terms of use be legal?
My Pi-Hole indicates that my Philips Hue Bridge contacts diag.meethue.com every minute.
If I blacklist diag.meethue.com, Pi-Hole’s log indicates the frequency of requests increases dramatically from once a minute to every 2 to 5 seconds. As a result, the Hue Bridge floods Pi-Hole’s log and skews the daily statistics.
I then tried this trick to direct the Bridge’s DNS requests back to itself.
I added file /etc/dnsmasq.d/99-bypass.conf containing:
# Self DNS, silences DNS requests
dhcp-option=tag:selfDNS,6,127.0.0.1
# Silence DNS requests from Philips Hue Bridge
dhcp-host=XX:XX:XX:XX:XX:XX,set:selfDNS
Unfortunately, that failed to work. Pi-Hole’s log still shows once per minute requests from the Bridge to diag.meethue.com and it’s using my external DNS provider (OpenDNS) to perform name resolution.
So blocking diag.meethue.com results in a substantial increase in network traffic (i.e. blocked DNS requests) and my attempt to redirect its DNS requests to itself didn’t work. Does anyone have any other ideas for blocking the Bridge without increasing the frequency of its requests?
EDIT
FWIW, the Hue Bridge’s behavior when blocked (increased requests) is not unique. I’ve seen the same behavior when Nanoleaf Canvas is blocked.
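As an added illustration (not code from any poster in this thread), a small Python script that parses Pi-hole’s dnsmasq-style query log and flags clients that re-query a name every few seconds, i.e. the retry storm described above once a domain is blacklisted; the log lines, client addresses and the 30-second threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the format of Pi-hole's /var/log/pihole.log (dnsmasq
# syslog style). Only "query[...]" lines are counted; the forwarded/blocked
# lines are included to show that they are skipped.
SAMPLE_LOG = """\
Mar  3 10:00:00 dnsmasq[512]: query[A] diag.meethue.com from 192.168.1.50
Mar  3 10:00:00 dnsmasq[512]: forwarded diag.meethue.com to 208.67.222.222
Mar  3 10:00:02 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.77
Mar  3 10:00:03 dnsmasq[512]: query[A] diag.meethue.com from 192.168.1.50
Mar  3 10:00:03 dnsmasq[512]: gravity blocked diag.meethue.com is 0.0.0.0
Mar  3 10:00:06 dnsmasq[512]: query[A] diag.meethue.com from 192.168.1.50
Mar  3 10:00:10 dnsmasq[512]: query[A] diag.meethue.com from 192.168.1.50
Mar  3 10:00:15 dnsmasq[512]: query[A] diag.meethue.com from 192.168.1.50
Mar  3 10:00:58 dnsmasq[512]: query[A] pool.ntp.org from 192.168.1.77
"""

QUERY_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) dnsmasq\[\d+\]: "
    r"query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)$"
)

def parse_queries(log_text):
    """Yield (timestamp, client, name) for each query line; skip everything else."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%b %d %H:%M:%S")
            yield ts, m.group("client"), m.group("name")

def mean_intervals(log_text):
    """Mean seconds between consecutive queries, keyed by (client, name).
    Pairs seen only once have no interval and are omitted."""
    stamps = defaultdict(list)
    for ts, client, name in parse_queries(log_text):
        stamps[(client, name)].append(ts)
    result = {}
    for key, ts_list in stamps.items():
        ts_list.sort()  # lines from different clients interleave in the log
        gaps = [(b - a).total_seconds() for a, b in zip(ts_list, ts_list[1:])]
        if gaps:
            result[key] = sum(gaps) / len(gaps)
    return result

def noisy_clients(log_text, max_interval=30.0):
    """Clients that re-query some name faster than max_interval seconds on
    average, the retry storm a device falls into once its endpoint is blocked."""
    return sorted({c for (c, _n), gap in mean_intervals(log_text).items()
                   if gap < max_interval})
```

Run it against a real pihole.log and the flagged clients are the candidates for a firewall rule or a self-pointing DNS option rather than a plain blacklist entry.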
Can’t you simply block all traffic between the hub and the Internet directly on your firewall or router to make life easier? I do that instead of changing Pi-Hole since while the majority of calls will use Pi-Hole because it’s calling a host name, some (like a handful of Chinese devices I have) call direct IP addresses.
I’ve seen similar results as you, you try to block something and suddenly it loses its mind and starts calling constantly, it’s very frustrating how many devices feel the need to talk to the Internet constantly. Granted, some of these are simple NTP requests but most are not, and that’s why I default to blocking any device that doesn’t absolutely require the Internet to work.
Ikea’s Styrbar and Tradfri remotes are inexpensive, and work nicely with ZHA. If remotes are the only reason to hold onto the Hue hub, I’d definitely look at the Ikea remotes as a replacement.
Pi-Hole will still register because it’s your default DNS, the firewall solution just keeps it from ever connecting even if it resolves. You can fix that, though, by editing the hub, setting the IP manually and setting the DNS to a non-existent server. Alternatively you could also edit the routing tables of the Pi-Hole computer to actively reject all traffic from the hub’s IP address with something like this:
# iptables -A INPUT -s 192.168.1.1 -j DROP
# service iptables save
Redirecting its DNS server address to itself seems to be having the desired effect (blocked and silent). However if I discover any drawbacks then I will use your suggestion.
You need a way to reach your HA installation, Nabu Casa is only more convenient, but totally optional if you know what to do (or have time to secure access to your HA).
Again, it’s convenience, until now the hub has been a fast way to configure lights, zones and scenes and then access your full lights configuration from HA using a local API
It’s privacy, it’s ease of access, it’s control, I know we have to deal with shitty cloud accounts, but in most cases you know it from the start and decide if you need that kind of device, here we have devices that we bought because of local access that are forced to move to a cloud account and this is not acceptable
Zigbee2mqtt has some support of touchlink, depending on the coordinator you use
I don’t know your zigbee setup but it’s worth a look
That probably still causes (useless) network traffic
Probably also causes network traffic as the DNS requests are most likely sent to the LAN before they “bounce” back to the Hue. Like the device is spamming itself - but still utilizing your network.
And all people, including the ones that don’t use the cloud but stay local, are forced to fulfill the data lust of Philips / Signify (who are not even embarrassed to spread lies about “security”)…