How to Use This Guide

Need help understanding how to use this guide? Here you go:

Creep-O-Meter

Our new Creep-O-Meter is for you to share your opinion. Read the review of the product, then rate how creepy or not creepy you think the product is and how likely you are to buy it. Click vote to see how your opinion stacks up to others.

Our Minimum Security Standards

We developed a set of minimum security standards we think all connected products should meet at the very least. Think of it as a “you must be this tall to ride” set of standards. These include five basic things: The product must use encryption, the company must provide automatic security updates, if a product uses a password, it must require a strong password, the company must have a way to manage security vulnerabilities found in their products, and the company must have an accessible privacy policy. If you would like to learn more about our minimum security standards go here.

Can it spy on me?

Just because a device has a camera, microphone, or tracks location doesn’t mean it will spy on you. It simply means it could and you should be aware of that. Also, many connected devices are controlled by apps on your phone. The apps often ask to use the phone’s camera, microphone or location tracking. Keep an eye on that, as some of the permissions the apps ask for might surprise you.

Encryption

Encryption is your friend. It protects your private and personal information by scrambling it up into a code so that the only people or machines who can read it are the ones on the other end who have the key to unscramble that code. Products that don’t use encryption send personal information over the internet unscrambled so anyone can see it.

Privacy policies

Privacy policies detail a lot of important information about how companies collect, use, and share your personal information. Because of that, this information should be easily found and easily understood. You’ll notice we included reading levels of all the privacy policies in this guide thanks to the Usable Privacy Policy Project. Some have middle school reading levels and some have college reading levels. Needing a college degree to understand how a company plans to use your personal information is not ideal.

Shares information with third parties for unexpected reasons

Nearly every company collects some kind of information on its users. That’s how the internet works. It’s how they use and care for this information that matters. You should know whether a company shares or sells your personal information to others and for what reasons.

For the purpose of this report, Mozilla determined that if, according to a company’s privacy policy, it appeared to share data with third parties that could then use that information to market or advertise to customers, then we labeled it as “Shares information with third parties for unexpected reasons.”

Change Default Password

Remembering passwords might be annoying, but having a good password is still one of the best lines of defense we have when it comes to protecting our privacy and security. It’s great when a password is required. But default passwords that are the same for all consumers and never change can be just as bad. You should be required to change a default password. Products with a default password that does not require changing can leave users’ personal information exposed.

Automatic security updates

Sometimes security vulnerabilities are found in products after they are sold to the public. For that reason, companies should have a way to quickly push a security update out to the product automatically so it fixes the security vulnerability without the consumer ever needing to worry about it.

Delete the data it stores on you

Companies collect a lot of data on their consumers. Who controls that data? Being able to contact a company and ask them to delete any data they have on you is a very good thing.

Parental controls

Parental controls on toys, tablets, smart speakers, and many other connected devices can be a very good way to protect the privacy and security of both young and old. Not all products need parental controls, but parents should look to see if they are an option for connected products they will buy and let their children use.

Company manages security vulnerabilities

Security vulnerabilities in products happen. It’s how companies manage them when they arise that matters. We looked at whether or not companies have a system in place to manage vulnerabilities in the product when they are found. This includes having a point of contact for reporting vulnerabilities or an equivalent bug bounty program.

What could happen if something goes wrong

It’s likely nothing bad will happen with most of the products in this guide. However, it’s also good to think through what could happen if something goes wrong. We lay out a potential worst-case scenario for each product, in some cases for fun and in some cases based on things that have already happened with the product.

Updates

When news breaks or we come across a relevant article about a product in this guide, we will share it in the updates section on each product page.

Comments

We love to hear your thoughts and feedback on the products in this guide. And other users might like to join you in a conversation about any experiences or concerns you’ve had with a product. Please join the conversation in the comment section at the bottom of each product page.

Methodology

If you would like to read more about the research methodology we used to create this guide, here is a post our researchers wrote about that.

Why We Made This Guide

Welcome to version 2.0 of our *Privacy Not Included buyer’s guide. The goal is to help you shop smart—and safe—for products that connect to the internet.

Last year we made version 1.0 of this guide. We didn’t know if people would be interested in a guide about the privacy and security of connected toys and smart home products. Turns out, they were. And it wasn’t just people who were interested. We discovered companies were too. It seems both consumers and companies are starting to see the value in connected products that are safe, secure, and private.

We took the lessons learned last year and put them to work to build a better guide this year. What does that look like?

This guide is more opinionated.

We realize people want to just know which products are safe and which aren’t. We are Mozilla—not a consumer product review company—so we won’t say “Buy this, don’t buy that.” Instead, we used our technical expertise to create a set of minimum security standards we think all products should meet in order to be sold in stores. Those standards include using encryption, automatic security updates, requiring strong passwords, having a system to manage vulnerabilities, and having an accessible privacy policy. Look for the “Meets Our Minimum Security Standards” badge on products in the guide.

There is a Creep-O-Meter.

We wanted users of this guide to be able to share their opinion too. It’s important companies, and other consumers, see which products people think are safe, and which products people feel are a bit creepy. So we created our Creep-O-Meter—a user rating on each product—to let folks give their opinion too. Try it out, it’s fun.

Bigger and better.

We added a few things this year. Our product list has grown to 70 connected products across six categories. Last year we answered the questions “Can it spy on me?” and “What does it know about me?”. This year we added “Can I control it?” and “Does the company show it cares about consumers?” to that list. Hopefully the information provided in each product review will help people shop smart for connected products.

You’ll notice a lot of research went into this guide. Fortunately, we have access to some of the best minds around in the privacy and security space. Janice Y. Tsai, a privacy researcher here at Mozilla, and Rebecca Ricks, a former Mozilla Fellow, came together to comb through privacy policies and apps, and reach out to companies with questions about encryption and bug bounty programs. We were also lucky to collaborate with the smart researchers working on the Usable Privacy Policy project at Carnegie Mellon University. The reading levels of privacy policies come from their Explore Usable Privacy website. Check it out, it’s a great resource to quickly scan the content of privacy policies.

We hope you use and enjoy this guide to help you think about, shop for, and buy products that show they value privacy and security. We as consumers need to demand that value from the people who build our products. It’s how we’ll start to make the internet, and our lives, a bit safer in this digital world.

Thank you!
The Team at Mozilla

For any questions about the guide or to offer constructive feedback, please email jen@mozillafoundation.org