Most outdoor autonomous systems use forward-facing cameras or LiDAR arrays that incidentally capture human faces, neighboring properties, license plates, and street activity — then rely on software-based mitigation to address the resulting privacy exposure. LiDAR-equipped devices introduce a structurally distinct concern: they generate precise three-dimensional maps of private residential environments that cannot be meaningfully anonymized without destroying their navigational utility. A parallel concern, often overlooked in the consumer threat model, is GPS spoofing: GNSS-dependent autonomous devices can be displaced from their true position by counterfeit radio signals now achievable with low-cost software-defined radios.
Recent incidents have moved these risks from theoretical to operational. The May 2026 Yarbo disclosure demonstrated full remote takeover of an estimated 11,000 connected mowers — including camera access, GPS location, Wi-Fi credentials, and emergency stop override — via universal hardcoded credentials and an unauthenticated MQTT broker, in some cases within kilometers of critical infrastructure. The February 2026 DJI Romo disclosure showed unauthorized access to 7,000 devices across 24 countries through a single user's credentials. Ecovacs Deebot X2 (DEF CON 32, 2024) demonstrated remote exploitation via Bluetooth at 450+ feet, with vulnerabilities equally present in the Ecovacs outdoor mower line. Dreame and Narwal (2025) were found to have real-time camera access vulnerabilities. These are operational risks, not theoretical ones.
Volta takes a fundamentally different approach. The Lawn Companion's vision system uses a downward-facing camera constrained to 23 degrees above the horizon — a fixed optical geometry, verifiable by hardware inspection, that physically excludes faces, windows, license plates, and neighboring property from the sensor's field of view. Navigation is vision-primary: GNSS is auxiliary, not authoritative, and the device cannot be manipulated off the lawn by a falsified satellite signal. The architecture further eliminates wireless attack surfaces by disabling Bluetooth during normal operation. This paper describes the technical basis for this approach, its regulatory alignment, and its implications for residential deployment.
1. Introduction: The Privacy Problem in Outdoor Robotics
Autonomous outdoor robots operating in residential environments face an inherent tension: effective navigation requires environmental perception, but environmental perception in residential areas captures personal data. Forward-facing cameras, LiDAR scanners, and radar systems that enable robust navigation also generate data about people, vehicles, and property — creating surveillance capability as a byproduct of mobility.
The industry's standard response is software mitigation: capture everything, then selectively process, blur, or delete sensitive data. This approach manages a risk that has already materialized. The following documented incidents illustrate the operational consequences:
- Yarbo (May 2026): Security researcher Andreas Makris demonstrated to The Verge the full remote takeover of any Yarbo robot mower from 6,000 miles away. The vulnerabilities included a universal root password identical across all units, an unauthenticated MQTT broker for orchestration, hardcoded credentials in firmware version 2.3.9, and persistent diagnostic backdoor access. An estimated 11,000 devices worldwide were affected. Exfiltrated data included GPS coordinates of owners' homes, email addresses, Wi-Fi credentials, and live camera feeds; remote attackers could also override the physical emergency stop. Some compromised units were identified within kilometers of critical infrastructure including a major power plant. The disclosure is the first widely documented incident in which the compromised device is an actuator rather than a sensor — a mobile-bladed machine that can be driven into traffic, into neighboring property, or onto a person [1].
- DJI Romo (February 2026): An engineer discovered that his $2,000 robot vacuum used a cloud authentication architecture so permissive that his personal device token granted access to live camera feeds, microphone audio, and 2D floor plans from approximately 7,000 other Romo units across 24 countries. No vulnerability was exploited in the conventional sense; he simply used his own credentials, and the servers returned everyone else's homes alongside his own [2].
- Ecovacs Deebot X2 (2024): Security researchers presented findings at DEF CON 32 demonstrating that the devices' Bluetooth connectivity could be exploited from distances exceeding 450 feet, granting root-level access to cameras and microphones with no physical proximity required and no hardware indicator that surveillance was active. The Ecovacs lawnmower line was equally exposed — Bluetooth remained active at all times on outdoor models, making them permanently discoverable [3].
- Dreame and Narwal (2025): Separate researchers identified real-time camera access vulnerabilities in both manufacturers' robotic devices [4].
Each incident shares a structural cause: forward-facing cameras and microphones capture identity-relevant data by design, and that data is transmitted to cloud infrastructure where server-side access controls determine who can reach it. When those controls fail — through misconfiguration, vulnerability, or policy — the data is already there to be accessed.
The Yarbo case marks a qualitative escalation in the public record. The compromised device is not a stationary sensor; it is a mobile actuator with cutting hardware. Threat models for connected sensors (smart speakers, doorbell cameras, robot vacuums) assume the primary harm is data disclosure. Threat models for connected actuators must additionally assume the primary harm may be physical damage to people or property, executed remotely with no acoustic or visual signature from the attacker's location.
2. The Two Privacy Risks in Outdoor Autonomous Systems
Outdoor robots operating in residential environments face two distinct categories of privacy risk, each with different mechanisms, different threat models, and different mitigation requirements.
2.1 Forward-Facing Cameras and Identity Capture
A forward-facing or panoramic camera on an autonomous outdoor robot captures everything within its field of view. In a residential environment, that routinely includes:
- Faces of residents, neighbors, children, visitors, and pedestrians — biometric data under GDPR, CCPA, and BIPA
- Vehicle license plates — uniquely identifying data linkable to registered owners through commercial databases
- Residential windows and interiors — architectural data revealing occupancy patterns, home layouts, and personal activity
- Neighboring property — data collected about third parties who have no relationship with the device owner and no opportunity to consent
The standard industry response is software-based mitigation: face detection and blurring algorithms, automatic deletion schedules, on-device processing, and policy commitments. These controls reduce downstream exposure but share a structural limitation: they operate after the capture event. The privacy risk materializes at the moment the sensor digitizes the scene. Every subsequent control is a secondary measure applied to data that has already entered the system.
Secondary controls fail. Software has bugs. Firmware is updated. Policies change under new ownership or regulatory pressure. The logical structure of "we capture your face but immediately blur it" is: trust the software, trust the policy, trust the company, trust the jurisdiction. This is a chain of trust, and chains break.
2.2 LiDAR and the Geometry of Private Space
LiDAR-based navigation systems introduce a distinct and often underappreciated privacy concern. LiDAR sensors emit laser pulses and measure return times to generate high-resolution three-dimensional point clouds of the operating environment. In residential deployment, this includes:
- Property boundaries, structural dimensions, and building footprints
- Driveway layouts, fence lines, gate positions, and entry points
- Adjacent streets, neighboring structures, and public spaces
- Parked vehicles, outbuildings, and garden infrastructure
The critical asymmetry with cameras: for camera imagery, software-based anonymization is at least theoretically possible. Faces can be detected and blurred. License plates can be masked. The sensitive information is separable from the navigational information.
For LiDAR point clouds, this separation does not exist. The sensitive information is the geometry itself. A point cloud that accurately represents the spatial structure of a property is the property map. There is no face to blur, no plate to mask. Anonymizing the geometry destroys the data — and destroying the data destroys the navigation. Software-based minimization is not a viable mitigation for LiDAR-based privacy risk; it is a category error.
If this data is stored on servers in jurisdictions with weak data protection standards, or by manufacturers subject to foreign government data access requirements, the aggregate mapping data becomes a geospatial intelligence asset over residential neighborhoods — built one yard at a time by devices homeowners purchased to cut grass.
3. Volta's Approach: Privacy Through Optical Geometry
If you can't see the camera, the camera can't see you.
This is not a slogan. It is a statement about optics. A camera has a defined field of view determined by its focal length, sensor dimensions, and physical orientation. Objects outside that field of view are not captured — not filtered, not deleted, not anonymized. They are absent from the optical path entirely.
Volta's downward-facing camera is oriented at a fixed angle constrained to 23 degrees above the horizon, mounted 7.8 inches (198 mm) above the ground surface. This geometry produces two operationally relevant zones:
| Zone | Contents | Privacy Status |
|---|---|---|
| Within the capture cone | Turf canopy structure, soil surface, weed morphology at leaf scale, thatch composition, grass-level obstacles | Agronomic signal — no personal data |
| Above the horizon line | Faces, standing/seated people above ankle height, neighboring property, windows, license plates, street activity | Outside the optical path — cannot be captured |
The privacy guarantee does not require trusting software, trusting policy, or trusting the company's data handling practices. It requires trusting the physics of optics — that a camera cannot capture objects outside its field of view. This is verifiable by physical inspection of the hardware.
4. The Obstacle Avoidance Boundary
The 23-degree upper boundary serves a second function beyond privacy: it provides the forward-looking field necessary for timely obstacle detection. An object at ground level within the robot's approach path enters the camera's field of view with sufficient lead time for the safety system to halt both blade rotation and movement.
The geometry is simultaneously the minimum necessary for safe obstacle avoidance and the maximum compatible with privacy-by-physics.
This boundary is not the widest field of view the hardware could support. A broader envelope would improve peripheral obstacle detection at the cost of capturing identity-relevant data above the horizon plane. Volta resolved this tradeoff deliberately — implementing a physical constraint in hardware that accepts a narrower detection cone in exchange for a geometry that cannot surveil.
Capturing everything and filtering afterward would have been the simpler engineering choice. The constraint exists because simplicity was not the priority. The correct engineering question is: what is the minimum sensor envelope that enables both safe navigation and agronomic analysis? The answer is a downward and slightly forward-facing cone. Everything above the horizon is unnecessary for the task — and its exclusion is the privacy guarantee.
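The field-of-view geometry of Sections 3 and 4, worked through as an added example (this is not Volta's code). It takes the 198 mm mount height and the 23-degree upper field edge from the text and assumes that edge is measured below horizontal, the reading consistent with the ankle-height capture zone described later in the paper; the probe points are constructed, and the same functions run with a forward-tilted edge to show the contrast with a forward-facing camera.

```python
import math

# Figures from the paper: camera mounted 198 mm (7.8 in) above ground, upper edge
# of the field of view at 23 degrees. Sign convention (an assumption of this
# example): negative = the upper edge points below horizontal, positive = above.
CAMERA_HEIGHT_MM = 198.0
UPPER_EDGE_ANGLE_DEG = -23.0


def upper_edge_height_mm(distance_mm, camera_height_mm=CAMERA_HEIGHT_MM,
                         upper_edge_deg=UPPER_EDGE_ANGLE_DEG):
    """Height above ground of the upper field-of-view ray at a horizontal distance.

    Anything above this line at that distance is outside the optical path: it is
    not blurred or deleted, it is never imaged. Clamped at 0 once the ray has
    met the ground.
    """
    h = camera_height_mm + distance_mm * math.tan(math.radians(upper_edge_deg))
    return max(h, 0.0)


def ground_reach_mm(camera_height_mm=CAMERA_HEIGHT_MM,
                    upper_edge_deg=UPPER_EDGE_ANGLE_DEG):
    """Horizontal distance at which the upper ray meets the ground.

    This is the farthest turf the sensor sees and therefore the lead distance
    available for obstacle detection (Section 4). A ray at or above horizontal
    never meets the ground, so the reach is unbounded.
    """
    if upper_edge_deg >= 0:
        return math.inf
    return camera_height_mm / math.tan(math.radians(-upper_edge_deg))


def in_optical_path(distance_mm, height_mm, camera_height_mm=CAMERA_HEIGHT_MM,
                    upper_edge_deg=UPPER_EDGE_ANGLE_DEG):
    """True if a point (horizontal distance, height above ground) can be imaged."""
    limit = upper_edge_height_mm(distance_mm, camera_height_mm, upper_edge_deg)
    return 0.0 <= height_mm <= limit


# Constructed probe points (distance ahead, height above ground), in mm.
PROBE_POINTS_MM = {
    "adult_face": (5000.0, 1600.0),
    "seated_child": (2000.0, 800.0),
    "shoe_top": (200.0, 100.0),
    "turf_ahead": (400.0, 0.0),
}


def classify_probes(upper_edge_deg=UPPER_EDGE_ANGLE_DEG):
    """Which probe points fall inside the capture cone for a given upper edge."""
    return {name: in_optical_path(d, z, upper_edge_deg=upper_edge_deg)
            for name, (d, z) in PROBE_POINTS_MM.items()}


def envelope_mm(step_mm=100.0, upper_edge_deg=UPPER_EDGE_ANGLE_DEG):
    """Max imaged height at each distance out to where the ray meets the ground."""
    reach = ground_reach_mm(upper_edge_deg=upper_edge_deg)
    if reach == math.inf:
        reach = 5 * step_mm
    d, table = 0.0, {}
    while d <= reach:
        table[d] = round(upper_edge_height_mm(d, upper_edge_deg=upper_edge_deg), 1)
        d += step_mm
    return table


if __name__ == "__main__":
    print(f"upper ray meets the ground {ground_reach_mm():.0f} mm ahead")
    print("envelope (distance mm -> max height mm):", envelope_mm())
    for name, seen in classify_probes().items():
        print(f"downward  {name:13} {'CAPTURED' if seen else 'outside optical path'}")
    # Same mount height with the upper edge tilted 23 deg above horizontal, for contrast.
    for name, seen in classify_probes(upper_edge_deg=23.0).items():
        print(f"forward   {name:13} {'CAPTURED' if seen else 'outside optical path'}")
```

With the downward reading, no point higher than the 198 mm mount can ever be imaged and the ray meets the turf about 466 mm ahead; with the same sensor tilted forward the face and the seated child both fall inside the cone.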
5. Hardware-Based vs. Software-Based Minimization
Privacy engineering distinguishes two structural approaches to data minimization. The distinction matters more than any specific policy or control.
Software-based minimization processes captured data to remove sensitive elements after digitization. This includes face detection and blurring, license plate masking, automatic deletion schedules, on-device processing, and differential privacy techniques applied to transmitted data. These techniques are legitimate and reduce risk in systems where full environmental capture is architecturally necessary. They do not eliminate the capture event.
Hardware-based minimization constrains what data enters the system at the sensor level. Sensitive data is never digitized, never present in memory, and never available for processing — even transiently. There is no processing pipeline attack surface for identity data because identity data does not exist in the system.
| Dimension | Software-Based Privacy | Hardware-Based Privacy (Volta) |
|---|---|---|
| Capture event | Full scene digitized; sensitive elements filtered post-capture | Sensitive elements never enter the optical path |
| Spatial mapping | LiDAR generates 3D property models; transmitted to cloud | No property geometry captured; turf surface only |
| Failure mode | Software bug, misconfiguration, or adversarial attack exposes raw data | No raw identity data exists to expose |
| Attack surface | Firmware, processing pipeline, storage, transmission layer | None for identity data — data does not exist |
| Regulatory posture | Compliance through demonstrated technical controls | Compliance through architectural impossibility of capture |
| LiDAR risk | Geometry cannot be anonymized without destroying utility | No LiDAR; no geometry captured |
| Wireless attack surface | Bluetooth active during operation creates persistent local attack vector; exploited at 450 ft in documented incidents | No Bluetooth exposed during operation; AP mode used only during initial setup, then disabled |
| Credential model | Universal root password across fleet (Yarbo) or permissive token sharing across devices (DJI Romo) enables single-compromise fleet exposure | Per-device cryptographic identity; one device's compromise does not propagate |
| Position integrity | GNSS-primary navigation vulnerable to consumer-grade spoofing | Vision-primary; GNSS auxiliary, not authoritative |
| User trust model | "We promise to blur and delete your data" | "We cannot see you — verifiable by hardware inspection" |
6. Wireless Architecture and Attack Surface
Volta's privacy architecture extends beyond optical geometry to the device's wireless architecture. The Lawn Companion exposes no Bluetooth during normal operation. Wi-Fi AP mode is active only during the initial setup pairing process; once configuration is complete, the device connects to the home network as a client and never again generates a discoverable wireless access point.
There is no persistent local wireless interface for an attacker to reach. The Ecovacs DEF CON vulnerability — Bluetooth exploitable from 450 feet, active at all times on outdoor models — has no equivalent attack surface on the Lawn Companion because the interface does not exist in the operational state.
The privacy guarantee is not contingent on software functioning correctly, policies being followed, or firmware remaining uncompromised. It is a physical property of the sensor geometry and the wireless architecture — verifiable by inspection.
7. GPS Spoofing and Vision-Primary Navigation
Section added May 2026 in response to the Yarbo disclosure and the broader maturation of the GNSS spoofing threat for consumer robotics.
7.1 The Threat Model
GPS spoofing is the transmission of counterfeit Global Navigation Satellite System (GNSS) signals — typically L1 C/A on the GPS frequency, or equivalent on GLONASS, Galileo, BeiDou — that cause a receiver to compute a false position, false velocity, or false time. Historically, spoofing was a military and state-actor concern: documented incidents include the 2013 hijacking of a superyacht in the Mediterranean by University of Texas researchers [6], persistent spoofing in conflict zones, and confirmed displacement of commercial vessels in the Black Sea and Persian Gulf [7].
Three developments have collapsed the cost and skill barrier:
- Software-Defined Radios (SDR) capable of GNSS signal generation are commercially available for under USD 500 (HackRF One, BladeRF, USRP B-series).
- Open-source signal generators (gps-sdr-sim, gnss-sdr, GPS-Spoofer-Project) provide turnkey signal synthesis with arbitrary trajectory injection.
- Public tutorials demonstrate end-to-end attacks on consumer drones, vehicles, and IoT devices with no specialized expertise required.
For an autonomous device that relies on GNSS as its primary navigation reference, this means a locally positioned attacker — a neighbor, a thief, a trespasser, or a hostile actor near critical infrastructure — can dictate the device's perceived position without compromising its firmware, its credentials, or its cloud infrastructure. The attack is out-of-band with respect to the entire software security stack.
7.2 Why This Matters for Robotic Mowers
The current generation of GNSS-primary mowers (RTK-based systems requiring antenna installation and satellite reference) treats GNSS as the authoritative position source. The geofence is defined in GNSS coordinates; the cutting boundary is enforced relative to GNSS; the return-to-base path is computed from GNSS. If the GNSS receiver reports the device is at coordinate X, the robot acts as if it is at coordinate X — regardless of the surface beneath it.
Practical consequences of a successful spoofing attack against such a device include:
- Geofence escape: a falsified position offset translates into the robot crossing the perimeter into adjacent property, public space, or roadway
- Cutting in restricted zones: flower beds, gravel paths, or installed irrigation — the robot is told it is on lawn, regardless of what is under it
- Vehicular hazard: a robot driven by spoofed coordinates into an active roadway becomes a hazard to motor vehicles, cyclists, and pedestrians
- Theft assistance: a robot displaced from its perimeter is significantly easier to physically remove
- Privacy escalation: when combined with the camera and Wi-Fi compromise classes documented in §1, spoofing extends the attacker's effective control over the device's behavior in physical space
These consequences require no compromise of authentication, no breach of the cloud, and no exploit of the firmware. The attack vector is radio.
7.3 Volta's Vision-Primary Architecture
The Lawn Companion does not treat GNSS as authoritative. The primary navigation system is visual analysis of the turf surface immediately beneath the device, as covered by U.S. Patent No. 11,297,755 B2 — "Method for controlling a soil working means based on image processing and related system" (filed 2017, granted April 2022, assignee Volta Robots S.r.l.) [12].
The downward-facing camera continuously classifies the surface beneath the wheels into grass / non-grass / boundary, using the same vision pipeline that drives agronomic analysis. The Lawn Intelligence™ stack maintains a per-cell biological state model of the lawn (H3 hexagonal indexing) and matches observed surface signatures against the learned property model.
Key architectural properties:
| Property | GNSS-Primary Mowers | Lawn Companion (Vision-Primary) |
|---|---|---|
| Primary position source | Satellite signal | Direct observation of ground surface |
| Behavior under GNSS loss | Degraded or halted navigation | Continues normally; GNSS is auxiliary |
| Behavior under GNSS denial (jamming) | Same as GNSS loss | Continues normally |
| Behavior under GNSS spoofing | Acts on falsified coordinates; may exit perimeter | Detects discrepancy between visual surface and reported position; remains on lawn |
| Boundary enforcement | Geofence in coordinate space | Direct visual recognition of lawn / non-lawn transition |
| Verification mechanism | None at the device level; trusts the receiver | Continuous: every meter of travel cross-checks GNSS against ground truth |
When GNSS data and visual ground truth disagree, the visual ground truth wins. A robot that visually detects grass-to-asphalt transition halts, regardless of what the GNSS receiver claims. A robot that visually detects continuous lawn proceeds, regardless of GNSS dropout. The robot's position estimate may be wrong; its physical location relative to the lawn surface cannot be falsified without modifying the lawn itself.
7.4 Defense in Depth
Vision-primary navigation is not a replacement for GNSS authentication, anti-spoofing receivers, or future regulatory mitigations (e.g., the European Commission's planned authenticated Galileo OS-NMA signal). It is an architectural complement that does not depend on the integrity of the radio signal at all.
The principle generalizes the same logic applied elsewhere in the Volta architecture:
| System Element | External Signal That Can Be Manipulated | Architectural Protection |
|---|---|---|
| Identity | Password, shared credential | Per-device cryptographic identity |
| Remote management | Cloud-initiated tunnel | No persistent remote tunnel; user-authenticated channel only |
| Position | GNSS radio signal | Vision-primary navigation; GNSS auxiliary |
| Environmental perception | LiDAR, forward camera (capturing identity data) | Downward-only camera at 23° above horizon |
The unifying rule: no single external signal that an attacker can manipulate is trusted as authoritative for safety- or privacy-relevant decisions.
7.5 Limitations of This Section
Vision-primary navigation is not a universal defense:
- Adversarial physical modification of the lawn surface (artificial turf patches, painted asphalt) could in principle deceive the visual classifier, though this requires physical presence and is detectable on inspection.
- The Lawn Companion still uses GNSS for coarse positioning, fleet telemetry, and theft detection — uses where spoofing causes data inaccuracy but not navigation failure.
- Long-term degradation of the camera (lens fouling, mechanical damage) reduces the classifier's confidence; the device fails safe by halting rather than relying on GNSS as a substitute.
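The arbitration rule of Section 7.3 ("visual ground truth wins") together with the fail-safe halt of Section 7.5, written out as an added example in Python; this is not Volta's code. The observation record, the 0.6 confidence threshold and the sample track are constructed assumptions; the point is that the receiver never decides motion, and every disagreement is recorded as telemetry so a spoofing attempt leaves a trace.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Surface(Enum):
    """Downward-camera classification of the surface under the wheels (Section 7.3)."""
    GRASS = "grass"
    NON_GRASS = "non_grass"
    BOUNDARY = "boundary"


class Action(Enum):
    PROCEED = "proceed"
    HALT = "halt"


@dataclass(frozen=True)
class Observation:
    """One cross-check sample per metre of travel. Constructed record layout."""
    metre: int
    surface: Surface
    confidence: float                 # classifier confidence, 0..1
    gnss_in_geofence: Optional[bool]  # None = no fix (loss or jamming)


# Assumed fail-safe threshold; the paper gives no figure.
MIN_VISION_CONFIDENCE = 0.6


def decide(obs: Observation) -> Tuple[Action, Optional[str]]:
    """Vision-primary arbitration: the camera decides motion; GNSS only annotates.

    Returns the action plus a telemetry flag whenever the receiver and the
    ground truth disagree, so a spoofing attempt is recorded even though it
    never influences where the machine goes.
    """
    # Degraded classifier: halt. GNSS is never promoted to a substitute.
    if obs.confidence < MIN_VISION_CONFIDENCE:
        return Action.HALT, "vision_degraded"
    # Lawn/non-lawn transition under the wheels halts regardless of the receiver.
    if obs.surface is not Surface.GRASS:
        if obs.gnss_in_geofence:
            return Action.HALT, "gnss_says_inside_but_surface_not_lawn"
        return Action.HALT, None
    # Continuous lawn: proceed whether GNSS is absent, jammed or contradicting.
    if obs.gnss_in_geofence is None:
        return Action.PROCEED, "gnss_unavailable"
    if obs.gnss_in_geofence is False:
        return Action.PROCEED, "gnss_says_outside_but_surface_is_lawn"
    return Action.PROCEED, None


def run_track(track: List[Observation]) -> Tuple[List[Action], List[Tuple[int, str]]]:
    """Replay a track: per-metre actions and the (metre, flag) discrepancies raised."""
    actions, flags = [], []
    for obs in track:
        action, flag = decide(obs)
        actions.append(action)
        if flag:
            flags.append((obs.metre, flag))
    return actions, flags


def flag_counts(flags: List[Tuple[int, str]]) -> Dict[str, int]:
    """Tally flags by type; a run of position disagreements is the signal to review."""
    counts: Dict[str, int] = {}
    for _, flag in flags:
        counts[flag] = counts.get(flag, 0) + 1
    return counts


# Constructed track: GNSS drops at metre 2; from metre 3 a spoofed fix reports the
# mower outside its geofence while the wheels are still on grass; at metre 6 the
# spoofed fix reports "inside" just as the camera sees the driveway; at metre 7
# the lens is fouled and confidence collapses.
SAMPLE_TRACK = [
    Observation(1, Surface.GRASS, 0.97, True),
    Observation(2, Surface.GRASS, 0.95, None),
    Observation(3, Surface.GRASS, 0.96, False),
    Observation(4, Surface.GRASS, 0.94, False),
    Observation(5, Surface.BOUNDARY, 0.91, False),
    Observation(6, Surface.NON_GRASS, 0.93, True),
    Observation(7, Surface.GRASS, 0.41, True),
]

if __name__ == "__main__":
    actions, flags = run_track(SAMPLE_TRACK)
    for obs, action in zip(SAMPLE_TRACK, actions):
        print(f"m{obs.metre}: {obs.surface.value:9} gnss={obs.gnss_in_geofence!s:5} -> {action.value}")
    print("discrepancy flags:", flag_counts(flags))
```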
8. Cloud Connectivity Without Surveillance
The privacy concern with cloud-connected outdoor robots is not cloud connectivity itself — it is the nature of the data being transmitted. A system that uploads LiDAR point clouds, environmental imagery, or navigational maps to remote servers creates legitimate surveillance risk regardless of the manufacturer's stated intentions. The data pipeline is the risk.
Volta's architecture resolves this by design. Because the perception system captures only downward-facing turf imagery constrained by the 23-degree field of view, the data available for cloud transmission is inherently limited to agronomic signal: turf density measurements, growth rate estimates, weed detection events, mowing pattern logs, and cell-level health classifications. Some images are uploaded — agronomy is a vision task and the model improves on real-world frames — but those images are, by the geometry of the sensor, frames of turf surface. No faces. No property maps. No geometric models of residential environments.
This makes cloud connectivity an agronomic advantage rather than a privacy liability:
- Cross-property learning. Patterns observed across hundreds of lawns — how specific turf species respond to mowing frequency changes in a given climate zone — improve the adaptive mowing model for every property in the fleet. This requires aggregated data that individual devices cannot generate alone.
- Seasonal and regional intelligence. Cloud-aggregated data reveals regional growth trends, drought stress patterns, and seasonal transition timing. A single robot operating on a single property cannot detect regional patterns; a fleet operating across climate zones can.
- Long-term property health tracking. Longitudinal agronomic data stored in the cloud enables property-level health histories, trend analysis, and early detection of emerging problems — capabilities that require persistent storage beyond the device's operational memory.
The data pipeline is clean from the source. Privacy and cloud intelligence are not in tension when the sensor geometry ensures that only agronomic signal enters the system.
9. Technical Advantages of Downward-Facing Vision
The privacy architecture is not a compromise with capability. Downward-facing orientation is also the technically superior choice for agronomic perception.
| Advantage | Description |
|---|---|
| Higher plant-scale resolution | A camera pointed at the ground from a height of 10–30 cm captures turf at a resolution sufficient for leaf-level morphology analysis. Forward-facing cameras at the same sensor resolution allocate the majority of their pixel budget to irrelevant background — sky, structures, environmental clutter. |
| Improved signal-to-noise ratio | By constraining the field of view to agronomic signal, the system eliminates the need to segment "lawn" from "everything else." The entire frame is the subject of analysis. There is no background subtraction problem. |
| Better weed detection accuracy | Weed species identification depends on fine morphological features: leaf shape, venation patterns, growth habit, and color variance. A downward view at optimal distance captures these features at the angle and resolution that maximizes classification accuracy. Oblique forward-facing angles introduce perspective distortion that degrades morphological feature extraction. |
| Reduced computational cost | Processing a frame that contains only agronomic signal requires less computation than processing a full environmental scene and extracting the relevant subset. This translates to lower power consumption, longer battery life, and faster inference cycles — an engineering benefit that compounds over a multi-year service life. |
| GNSS-independent localization | Visual surface recognition provides a position-disambiguation signal that does not rely on satellite reception or its integrity. The same vision pipeline that drives agronomy is the foundation of spoofing resilience. |
The system is simultaneously more private and more capable — not because of a tradeoff, but because the optimal viewing geometry for turfgrass analysis is the geometry that excludes human identity data.
10. Regulatory Alignment
The concept of privacy through physical design constraints aligns with several established frameworks in privacy engineering and information security.
10.1 Privacy by Design (PbD)
Developed by Ann Cavoukian, Privacy by Design identifies "privacy as the default setting" and "privacy embedded into design" as foundational principles. Downward-facing vision implements both at the hardware level — privacy is not a feature applied to the system, it is a consequence of the system's physical architecture.
10.2 GDPR Article 25
Article 25 requires data protection "by design and by default," explicitly favoring technical measures that minimize data collection rather than relying solely on organizational policies. Volta's architecture satisfies Article 25 through architectural impossibility of capture for the covered data categories — a stronger form of conformance than demonstrated technical controls, because it does not rely on those controls functioning correctly.
A system that cannot capture personal data inherently satisfies data minimization requirements for the data categories it is blind to. This is a stronger form of conformance than any software control can provide, because it does not degrade under adversarial conditions.
10.3 EU Cyber Resilience Act (CRA)
The CRA, in force since 2024 with full applicability scheduled for late 2027, requires manufacturers of "products with digital elements" — including connected consumer robotics — to implement security by design, restrict default attack surfaces, and disclose vulnerabilities within mandated windows. The Yarbo case illustrates the pattern the CRA is designed to prevent: universal credentials, persistent diagnostic backdoors, and uncoordinated disclosure response. Volta's architecture aligns with CRA principles structurally rather than retroactively.
10.4 Principle of Least Privilege
The principle of least privilege in information security holds that systems should have access only to the data they need for their function. A downward-facing agronomic camera has optical access only to agronomic data — a physical implementation of least privilege at the sensor layer. The system cannot exceed its privilege because the privilege boundary is enforced by geometry, not policy.
10.5 Data Minimization at Source
The principle of data minimization at source, distinct from downstream data minimization, holds that the most robust minimization occurs before data enters the system rather than after. Volta's architecture implements minimization at the point of sensing — the earliest possible intervention point in the data lifecycle.
11. Implications for Residential Deployment
Privacy concerns are a documented barrier to adoption of outdoor autonomous systems in residential environments. Homeowners express concern about robotic devices recording their property, their neighbors' property, and the activities of children and visitors. These concerns are legitimate — they are grounded in the actual sensor architectures of most deployed systems.
A system that is physically incapable of surveillance changes the trust calculus at its root. The relevant question shifts from "Do I trust this company's privacy policy?" — which requires evaluating institutional trustworthiness, jurisdictional protections, and the durability of policy commitments under ownership changes — to "Can this camera physically see anything private?" The answer, verifiable by inspecting the hardware geometry, is no.
The Yarbo case adds a dimension that residential homeowners had not historically been asked to consider: the device they own may be remotely operable by a third party in physical space, not only as a surveillance instrument but as a moving machine with cutting hardware. This makes the architectural questions — who can talk to this device, with what authority, through what channel — equally as relevant as the optical question.
This has practical implications for:
- Regulatory approval — architectural impossibility of capture simplifies compliance across jurisdictions
- Homeowner association acceptance — no surveillance capability to object to
- Neighbor relations — the device cannot record adjacent property regardless of operator intent
- Insurance and liability — devices that cannot be physically commandeered by third parties present a categorically different risk profile to liability underwriters
- Critical infrastructure proximity — for properties near sensitive sites (military, energy, government), architectural restrictions on remote takeover and on geospatial data capture are not optional features
- Social license to operate — the privacy guarantee is verifiable without technical expertise
A privacy guarantee backed by physics does not require the homeowner to understand software architecture, evaluate corporate governance, or track regulatory developments. It requires only the understanding that a camera pointed at the ground cannot see a face — and that a robot that knows where it is by looking at the ground cannot be told to be somewhere else.
12. Limitations and Open Questions
- Near-ground objects: The system can see objects at ground level (shoes, small toys). While these are not personal data in the GDPR sense, they are property.
- Indirect identification: Turf patterns theoretically could be matched to specific properties. Whether this constitutes personal data under GDPR is an open legal question.
- Future sensor additions: The privacy guarantee applies only to the current sensor configuration. Any future addition of non-downward sensors would require separate privacy analysis.
- Ankle-height capture zone: Objects at or very near ground level (pet paws, bare feet) may enter the field of view. These do not constitute biometric data but represent a boundary condition in the privacy architecture.
- Adversarial surface modification: Vision-primary navigation can in principle be deceived by physical modification of the operating surface (artificial turf, painted asphalt). This requires physical presence and is observable; it is a different threat class from remote spoofing.
- Cloud-side breach scope: A hypothetical breach of Volta cloud infrastructure would expose an archive of agronomic imagery (frames of turf surface). The architectural guarantee bounds what such a breach could reveal; it does not eliminate the value of standard cloud security controls.
13. References
- Hollister, S. (2026, May 7). Yarbo robot lawn mower hack: remote control, camera access, MQTT. The Verge. theverge.com/tech/925696/yarbo-robot-lawn-mower-hack-remote-control-camera-access-mqtt
- Hollister, S. (2026, May 8). Here is Yarbo's promise to fix the robot mower that ran me over. The Verge. theverge.com/tech/926989/yarbo-robot-lawn-mower-hack-company-update-security-promise
- Azdoufal, S. & Hollister, S. (2026, February). The DJI Romo robovac had security so poor, this man remotely accessed thousands of them. The Verge. Coverage extended by Popular Science, TechRadar, Inc., Tom's Hardware, DroneXL.
- Giese, D. & Luedtke, B. (2024). Hacking Ecovacs robots: cameras, microphones, and root access via Bluetooth. Presented at DEF CON 32, August 2024. Reported by TechCrunch (August 9, 2024); real-world exploitation confirmed by ABC News Australia (October 2024); analysis by Kaspersky (January 2025) and Malwarebytes (October 2024).
- ZME Science (2025). Dreame and Narwal robot vacuums found to have flaws allowing real-time camera access. Cited in: "A Hobbyist Accidentally Hacked 7000 DJI Robot Vacuums Using a PlayStation Controller," ZME Science, February 2026.
- Bhatti, J. & Humphreys, T. E. (2017). Hostile control of ships via false GPS signals: Demonstration and detection. NAVIGATION: Journal of the Institute of Navigation, 64(1), 51–66. Documentation of the 2013 superyacht spoofing experiment by the University of Texas at Austin Radionavigation Laboratory.
- C4ADS (2019). Above Us Only Stars: Exposing GPS Spoofing in Russia and Syria. C4ADS Report. Documentation of state-level GNSS spoofing in operational use, with implications for the threat model migration to consumer scale.
- CVE-2026-7414, CVE-2026-7415 (2026, May). Yarbo robot firmware version 2.3.9 — hardcoded credentials and insecure MQTT protocol implementation. National Vulnerability Database.
- Regulation (EU) 2016/679. General Data Protection Regulation. European Parliament and Council. 2016. Article 25: Data protection by design and by default.
- Regulation (EU) 2024/2847. Cyber Resilience Act. European Parliament and Council. 2024.
- Cavoukian, A. (2009). Privacy by Design: The 7 Foundational Principles. Information and Privacy Commissioner of Ontario, Canada.
- U.S. Patent No. 11,297,755 B2 (2022, April 12). Method for controlling a soil working means based on image processing and related system. Filed 2017. Assignee: Volta Robots S.r.l.
Cite this document
Volta Lawn Intelligence Inc. "Privacy Architecture: Privacy by Physics." volta.ai/whitepapers/privacy-architecture. Published February 2026. Updated May 2026.