It might have its network adapter set to promiscuous mode, and be mirroring all network traffic it can see on the network to some host somewhere in case it gets unsecured HTTP requests?
On a less malicious note, maybe it has cloud log reporting, and the developer left it on trace mode by mistake?
As others have said, put Wireshark on it (but possibly not while connected to the internet, just look at the DNS requests).