Is Your Holiday Gift Spying on You? Find Out.

Mozilla

By Mozilla | Nov. 11, 2020 | Advocacy

Mozilla’s fourth-annual *Privacy Not Included buyers guide examines which connected products are the most trustworthy — and which are the creepiest. Our researchers pored over wearables, smart speakers, connected toys, gaming consoles, and other products to help consumers make informed choices.


Can the smart speaker you bought mom for Christmas eavesdrop on her? Is your connected coffee maker vulnerable to hackers? And who is your daughter’s gaming console sharing her data with?

Mozilla is here to answer these questions.

Today, Mozilla is launching the fourth-annual *Privacy Not Included, a comprehensive shopping guide to help consumers determine which connected products they can trust — and which ones they should avoid.

We’re empowering consumers to choose products that respect their privacy and security. And we’re calling out companies when they fall short.

The 2020 *Privacy Not Included is Mozilla’s most ambitious edition yet. Our researchers reviewed 136 products — almost twice as many as last year — across seven categories: Toys & Games; Smart Home; Entertainment; Wearables; Health & Exercise; Pets; and Home Office.

Mozilla researchers combed through privacy policies, pored over product and app features, quizzed companies about their use of AI and encryption, and more. As a result, we answer dozens of crucial questions for consumers, like: Can this product’s camera, microphone, or GPS snoop on me? What data does the device collect and where does it go? And, What is the company’s known track record for protecting users’ data?

Says Ashley Boyd, Mozilla’s Vice President of Advocacy: “Holiday gifts are getting ‘smarter’ each year: from watches that collect more and more health data, to drones with GPS, to home security cameras connected to the cloud. Unfortunately, these gifts are often getting creepier, too. Poor security standards and privacy practices can mean that your connected gift isn’t bringing joy, but rather prying eyes and security vulnerabilities.”

Boyd continues: “*Privacy Not Included helps consumers prioritize privacy and security when shopping. The guide also keeps companies on their toes, calling out privacy flaws and applauding privacy features.”

Mozilla is introducing several new features this year. Our new “*Privacy Not Included” warning alerts consumers when a product has especially problematic privacy practices. And our “Best Of” category celebrates products that get privacy right. We added artificial intelligence (AI) criteria, alerting consumers if a product uses AI to make decisions about them. And we introduced a Home Office category.

Several familiar features also return in this year’s guide: The Creep-O-Meter is an interactive tool that allows shoppers to rate the creepiness of a product using emoji. And the Minimum Security Standards determine whether products meet safety baselines, like using encryption and patching vulnerabilities.


*Privacy Not Included highlights and trends include:

  • About 40 products were branded with the dreaded “Privacy Not Included” warning, like the Facebook Portal and Fossil Gen 5 smart watch. About 20 products failed to meet Mozilla’s Minimum Security Standards, like the Hamilton Beach Smart Coffee Maker and Schlage Sense Smart Deadbolt.
    • Amazon’s Halo Fitness Tracker is especially troubling. It’s packed full of sensors and microphones. It uses machine learning to measure the tone, energy, and positivity of your voice. And it asks you to take pictures of yourself in your underwear so it can track your body fat.
    • Roku is a privacy nightmare. The company tracks just about everything you do — and then shares it widely. Roku shares your personal data with advertisers and other third parties, it targets you with ads, it builds profiles about you, and more.

  • 22 products were awarded “Best Of” for exceptional privacy and security practices, including the Kano Coding Kits, the Sonos SL One smart speaker, and eight different Apple products.
    • Eufy Security Cams are especially trustworthy. Footage is stored locally rather than on the cloud, and is protected by military-grade encryption. Further, Eufy doesn't sell their customer lists.
    • Apple is living up to its privacy reputation. Apple products don’t share or sell your data. They take special care to make sure your Siri requests aren't associated with you. And after facing backlash in 2019, Apple doesn’t automatically opt users in to human voice review.

  • Products are getting creepier, even as they get more secure. Many companies — especially big ones like Google and Facebook — are improving security. But that doesn’t mean those products aren’t invasive. Smart speakers, watches, and other devices are reaching farther into our lives, monitoring our homes, bodies, and movements. And often, consumers don’t have insight or control over the data that’s collected.

  • The pandemic is reshaping some data sharing for the better. Products like the Oura Ring and Kinsa smart thermometer can share anonymized data with researchers and scientists to help track public health and coronavirus outbreaks. This is a positive development — data sharing for the public interest, not just profit.

  • Connected children’s toys and pet products are particularly creepy. The KidKraft Kitchen & Market pairs with Alexa and is made for kids as young as three — but there’s no transparency into what data it collects. Meanwhile, devices like the Dogness iPet Robot put a mobile, internet-connected camera and microphone in your house — without using encryption.

  • AI is becoming commonplace. At least one third of products in the guide use your personal data to make decisions for you and about you. Smart speakers converse with you, thermostats learn your preferences, and cameras detect your face. Sometimes this technology benefits consumers, but other times it benefits the manufacturer — like allowing Roku to target ads. In general, there’s limited transparency into how or even if products are using AI.

  • Tech companies want a monopoly on your smart products. Amazon, Google, and others are offering a family of networked devices, pushing consumers to buy into one company. For instance: Nest users now have to migrate over to a Google-only platform. Google is acquiring Fitbit. And Amazon recently announced it's moving into the wearable technology space. These companies realize that the more data they have on people's lives, the more lucrative their products can be.

  • Privacy regulations are starting to have an impact. New rules have emerged in recent years to protect consumers’ privacy, like the GDPR in Europe and the CCPA in California. As a result, more products are giving consumers control, like the ability to delete their data from a device or app. Further, it’s now easier than ever before for Mozilla researchers to determine what data is being collected and whether it’s being sold.