Hello, this is Hamamoto from TIMEWELL.
"Physical AI" is a phrase I've been hearing a lot lately. AI that used to live inside a screen has stepped into the real world with a "body"—robot vacuums, humanoids, robot dogs. That in itself is exciting. But from where I sit, doing export control and economic security, I also see a different picture. Having a body means carrying a lot of sensors: cameras, microphones, LiDAR. In other words, these are convenient tools and, at the same time, potential exits for information.
That may sound overblown. But a robot vacuum being hijacked and used to spy has already happened in the real world. Where is the server for that Chinese-made recorder or camera? Is the data location of the AI service you signed up for left undisclosed? Checking "where does the data go" at the point of choosing equipment is what will tell in information security going forward. This time I'll lay out, from primary sources, real leak incidents, then China's legal framework, then the often-overlooked US CLOUD Act, and close with concrete points to check. If you're wondering whether your own AI use is sound from an information-security standpoint, check your footing first with our AI readiness check and read on.
Physical AI is a "walking sensor suite"—leaks are already happening
First, know that this is a matter of real examples, not theory. In August 2024, security researchers Dennis Giese and Braelynn Luedtke demonstrated at DEF CON that the Ecovacs Deebot robot vacuum could be hacked to remotely hijack its camera and microphone. Abusing the initial-setup Bluetooth connection from up to about 130 meters away, an attacker could thereafter break in via Wi-Fi from anywhere in the world, and silence the warning sound that plays when the camera is active—spying and eavesdropping undetected[^1]. And this didn't stay a lab demo. After the talk, cases were reported in Minnesota, California, and Texas where hijacked Deebots hurled slurs or chased people around[^2].
There are also leaks of data that was collected legitimately. With the Roomba, in-home footage captured in 2020 by development-stage units leaked externally by way of the contractor that processes AI training data. Some of the captured images included a person sitting on a toilet, and gig workers in Venezuela reportedly posted them to social-media groups[^3]. The maker acknowledged the capture and terminated its contract with the vendor. Being hijacked and watched, and having collected data leak for other purposes—both are happening.
Humanoids and robot dogs are no exception either. The Unitree Go1, a Chinese-made quadruped, was found by researchers to ship with an undocumented remote-access tunnel. With a single API key and default password, a third party could remotely operate it or view its camera feed; the researchers identified 1,919 units in operation, including machines connected to university and corporate networks in various countries[^4]. The 3D spatial maps and audio a robot's sensors collect are, in themselves, sensitive information tied directly to physical security. A walking sensor suite, quietly sending data somewhere. That's the picture to keep in mind first.
Struggling with AI adoption?
We have prepared materials covering ZEROCK case studies and implementation methods.
Chinese-made devices and the "where is the server" question
The sensor story leads straight into "which country the collected data sits in." Here, China's legal framework is unavoidable.
China's National Intelligence Law, in effect since 2017, states in Article 7 that all organizations and citizens shall, in accordance with law, support, assist, and cooperate with national intelligence efforts. Article 14 provides that intelligence agencies may request necessary cooperation from relevant organizations and citizens[^5]. A legal framework exists under which a company holding data in China finds it hard to refuse an authority's request. That is a fact.
But this is where I want to write carefully. The same law's Article 8 also places a caveat: national intelligence work shall be conducted in accordance with law, respect and protect human rights, and preserve the lawful rights and interests of individuals and organizations[^5]. Whether that caveat serves as an effective brake is debated even among legal scholars. So writing "it's Chinese-made, therefore data will definitely be siphoned off" is not accurate. The core lies less in the text than in the structure: independent judicial review works poorly, and operation is opaque. That placing data in China creates a risk of being unable to refuse authority access is, I think, closer to reality.
Actual concerns have been reported. A UK consumer group's investigation confirmed that air fryers from a Chinese maker were sending users' personal data to servers in China[^6]. The US Department of Homeland Security warned in a 2020 advisory that China's legal system could compel companies to secretly provide data or install backdoors[^7]. As for the home router maker TP-Link, an interagency assessment led by the US Commerce Department concluded a national-security sales ban was warranted, and a proposed ban was reported in 2025. But this is, at present, a proposal that has not become final[^8].
At the same time, there's a fair point to keep in view: country of manufacture and country of data processing are different things. Among voice-recording and transcription AI devices, some explain that even though the hardware is made in China, data processing is done in a US cloud[^9]. That is exactly why you need to check, before purchase, not "where it was made" but "where it is processed and stored."
The overlooked "US provider" pitfall: the CLOUD Act
So far, this has been about China. Yet "then it's safe to use US services" isn't so simple either. The US has a law called the CLOUD Act.
Enacted in 2018, its text (18 U.S.C. §2713) provides that a provider must disclose the contents of communications and records within its possession, custody, or control regardless of whether that data is located within or outside the United States[^10]. Put plainly: even if you keep data on servers in Japan, if the provider of that service is under US jurisdiction, US law enforcement can compel disclosure. Merely locating the data domestically does not escape jurisdiction.
Don't misunderstand: this is not a system that lets the government freely peek at anyone's data. Obtaining the content of communications requires a warrant issued by a judge on probable cause, and the target must be specified. Providers can object to the order[^11]. It is different from mass surveillance.
So how do you protect yourself in practice? The key is, literally, the encryption key. The CLOUD Act's text (§2523) provides that an agreement under the law shall not create an obligation for providers to be capable of decrypting data—so-called encryption neutrality[^12]. In other words, if the customer manages the encryption keys and the provider cannot access plaintext, the provider has no way to hand over the contents even under a disclosure order. Conversely, if the provider holds the keys and can handle plaintext, the contents can be exposed depending on the warrant. That is the dividing line.
This is not an armchair worry. In June 2025, in a French Senate inquiry on digital sovereignty, a legal officer of Microsoft France, under oath, was asked whether it could guarantee that French citizens' data would not be handed to the US government under the CLOUD Act, and answered, "No, I cannot guarantee that—but it has never happened before"[^13]. Even placing data in a domestic region, so long as the provider is subject to US jurisdiction, you cannot fully escape the CLOUD Act's reach. A symbolic exchange in which a major US company itself acknowledged this in an official setting.
So, check this at the point of adoption
Given all this, what to do becomes clear. When you adopt a device or AI service, check at the contract stage not just "is it convenient" but "where does the data go." Let me lay out the points I believe are worth examining in practice.
First, in which country is the data physically stored? Have the region written into the contract or data-processing agreement, not explained verbally. Next, beyond production, is data crossing borders unknowingly via secondary paths—backups, redundancy, AI inference or transcription processing? Third, which country's law governs the provider? For a US provider, the CLOUD Act; for a China-based one, the National Intelligence Law—look all the way to the parent's nationality and control relationships. Fourth, encryption and key management. Beyond encrypting transit and storage, who holds the keys is decisive, as discussed. Fifth, are subcontractors and subprocessors undisclosed, and is the service audited by a third party? And sixth, for devices, where do the camera, microphone, and LiDAR communicate, can it run offline, and does it send to the manufacturer by default?
This isn't just a private-sector fad. The Japanese government started an IoT security label scheme, "JC-STAR," in 2025, requires government information systems to store data domestically in principle, and selects clouds from ISMAP-assessed services[^14]. In the US, mechanisms such as the National Defense Authorization Act Section 889's ban on government procurement of Chinese-made communications/surveillance equipment, the FCC's "Covered List," and the Defense Department's Chinese Military Companies list (1260H) are, precisely, screening which equipment and providers to entrust data and communications to[^15]. Sensitivity to spatial data is rising, with Chinese LiDAR maker Hesai designated on the Defense Department's list and contractors' use being restricted[^16]. This screening happening at the national level has become something companies now do at their own scale.
How to choose an environment that doesn't leak
Finally, what to choose? The answer is simple: choose things where you yourself can explain where the data is, who can access it, and who holds the keys. Conversely, a service whose server location is undisclosed, or whose keys you hand entirely to the provider, carries—in exchange for convenience—a state where you cannot explain where the data goes.
Our enterprise AI, ZEROCK, was designed around this thinking. It handles data on domestic servers in Japan, and lets you control who can use which information. It's an option for organizations that want to use AI but don't want to send sensitive information to unseen overseas locations. Even if you can't stop the physical-AI devices themselves, at least for the AI foundation you entrust your core data to, you can keep the location, the jurisdiction, and the keys in your own hands. Of course, no mechanism is all-powerful. What matters is the habit of pausing, before jumping at convenience, to check "where does this data go." That habit is itself the most reliable breakwater. If you'd like to discuss how to protect your own data, reach out through an individual consultation. For the full picture of how regulations are moving in parallel across countries, reading our article tracking changes in export controls alongside this will help you grasp the background.
References
[^1]: Remote Bluetooth hijacking of the Ecovacs Deebot robot vacuum, demonstrated by Dennis Giese and Braelynn Luedtke (DEF CON 32, August 2024). TechCrunch (August 9, 2024). https://techcrunch.com/2024/08/09/ecovacs-home-robots-can-be-hacked-to-spy-on-their-owners-researchers-say/ [^2]: Real-world Ecovacs Deebot X2 incidents reported after DEF CON (Minnesota, California, Texas). Kaspersky official blog. https://www.kaspersky.com/blog/ecovacs-robot-vacuums-hacked-in-real-life/52837/ [^3]: Leak of in-home images captured by development iRobot (Roomba) units via an AI-labeling subcontractor. MIT Technology Review (Eileen Guo, December 19, 2022). https://www.technologyreview.com/2022/12/19/1065306/roomba-irobot-robot-vacuums-artificial-intelligence-training-data-privacy/ [^4]: Undocumented remote-access tunnel in the Chinese Unitree Go1 quadruped (CloudSail; 1,919 units identified; CVE-2025-2894). SecurityWeek. https://www.securityweek.com/undocumented-remote-access-backdoor-found-in-unitree-go1-robot-dog/ [^5]: China's National Intelligence Law (in effect 2017, amended 2018), Articles 7 and 14 (duty to cooperate) and Article 8 (caveat of respect for human rights and lawfulness). China Law Translate (English). https://www.chinalawtranslate.com/en/national-intelligence-law-of-the-p-r-c-2017/ [^6]: A UK consumer group (Which?) investigation that air fryers from a Chinese maker sent personal data to servers in China. The Register (November 5, 2024). https://www.theregister.com/2024/11/05/air_fryer_spying/ [^7]: US Department of Homeland Security, "Data Security Business Advisory" (December 22, 2020), warning that China's legal system could compel secret data provision or backdoor installation. https://www.dhs.gov/archive/news/2020/12/22/dhs-warns-american-businesses-about-data-services-and-equipment-firms-linked [^8]: The Commerce Department-led proposed sales ban on TP-Link home routers (a proposal as of October 2025, not yet final). The Washington Post (October 30, 2025). https://www.washingtonpost.com/technology/2025/10/30/tp-link-proposed-ban-commerce-department/ [^9]: The distinction between "country of manufacture" and "country of data processing/storage" for voice-recording/transcription AI devices (e.g., Plaud is made in Shenzhen but says data processing is on US AWS). No demonstrated leak to Chinese servers exists at present; treat as a company claim. Digitimes (September 3, 2025). https://www.digitimes.com/news/a20250903PD210/security-data-hardware-shenzhen-taiwan.html [^10]: CLOUD Act, 18 U.S.C. §2713 (data in a provider's possession, custody, or control must be disclosed even when stored abroad). Cornell Law School LII. https://www.law.cornell.edu/uscode/text/18/2713 [^11]: Procedural limits of the CLOUD Act (obtaining content requires a judge's warrant on probable cause; providers may object). Cross-Border Data Forum FAQ. https://www.crossborderdataforum.org/cloudactfaqs/ [^12]: CLOUD Act, 18 U.S.C. §2523(b)(3) (encryption neutrality: an agreement shall not obligate providers to be capable of decrypting data). Cornell Law School LII. https://www.law.cornell.edu/uscode/text/18/2523 [^13]: Sworn testimony by a Microsoft France legal officer before the French Senate (June 18, 2025), stating it could not guarantee data protection under the CLOUD Act. The Register (July 25, 2025). https://www.theregister.com/off-prem/2025/07/25/microsoft-exec-admits-it-cannot-guarantee-data-sovereignty/458553 [^14]: Japan's IoT security label scheme "JC-STAR" (IPA, launched March 2025), and the domestic-storage principle and ISMAP for government information systems. IPA. https://www.ipa.go.jp/security/jc-star/index.html [^15]: US NDAA Section 889 (ban on government procurement of designated Chinese communications/surveillance equipment) and the FCC "Covered List." FCC. https://www.fcc.gov/supplychain/coveredlist [^16]: Designation of Chinese LiDAR maker Hesai on the US Defense Department's Chinese Military Companies list (1260H) and the restriction on DoD/contractor use from June 30, 2026 under FY24 NDAA §805. House Select Committee on the CCP. https://chinaselectcommittee.house.gov/media/press-releases/gallagher-krishnamoorthi-applaud-inclusion-new-chinese-companies-including
