How to Use This Guide

Need help understanding how to use this guide? Here you go:

Our Minimum Security Standards

We developed a set of minimum security standards we think all connected products should meet at the very least. Think of it as a “you must be this tall to ride” set of standards. These include five basic things: the product must use encryption; the company must provide automatic security updates; if a product uses a password, it must require a strong password; the company must have a way to manage security vulnerabilities found in its products; and the company must have an accessible privacy policy. If you would like to learn more about our minimum security standards, go here.

Encryption

Encryption is your friend. It protects your private and personal information by scrambling it up into a code so that the only people or machines who can read it are the ones on the other end who have the key to unscramble that code. Products that don’t use encryption send personal information over the internet unscrambled so anyone can see it.

Security updates

Sometimes security vulnerabilities are found in products after they are sold to the public. For that reason, companies should have a way to quickly push a security update out to the product automatically so it fixes the security vulnerability without the consumer ever needing to worry about it.

Strong Password

Remembering passwords might be annoying, but having a good password is still one of the best lines of defense we have when it comes to protecting our privacy and security. It’s great when a password is required. But default passwords that are the same for all consumers and never change can be just as bad as having no password at all. You should be required to change the default password to a strong password. Products with a default password that does not require changing can leave users’ personal information exposed.

Manages vulnerabilities

Security vulnerabilities in products happen. It’s how companies manage them when they arise that matters. We looked at whether or not companies have a system in place to manage vulnerabilities in the product when they are found. This includes having a point of contact for reporting vulnerabilities or an equivalent bug bounty program.

Privacy policies

Privacy policies detail a lot of important information about how companies collect, use, and share your personal information. Because of that, this information should be easily found and easily understood.

Creep-O-Meter

Our Creep-O-Meter is for you to share your opinion. Read the review of the product, then rate how creepy or not creepy you think the product is and how likely you are to buy it. Click vote to see how your opinion stacks up to others.

Can it snoop on me?

Just because a device has a camera, microphone, or tracks location doesn’t mean it will snoop on you. It simply means it could and you should be aware of that. Also, many connected devices are controlled by apps on your phone. The apps often ask to use the phone’s camera, microphone or location tracking. Keep an eye on that, as some of the permissions the apps ask for might surprise you.

How does it handle privacy?

Security and privacy are two separate concerns when it comes to connected products. A company can take measures to make a device secure, while also being questionable on how it handles the data that device might collect on you. Consumers should ask questions like what data does the device collect, how does the company use that data, who does it share that data with, and can you delete the data they collect?

How does it share data?

Nearly every company collects some kind of information on its users. That’s how the internet works. It’s how they use and care for this information that matters. You should know whether a company shares or sells your personal information to others and for what reasons.

Can you delete your data?

Companies collect a lot of data on their consumers. Who controls that data? Being able to contact a company and ask them to delete any data they have on you is a very good thing.

Collects biometrics data?

Your voice, heart rate, activity levels, stress levels, sleep patterns, menstrual cycles, even your fingerprint and facial features are some of the most intimate, sensitive data devices can collect on you. You should be aware if a device collects this data and how that data is used after it is collected.

Parental controls

Parental controls on toys, tablets, smart speakers, and many other connected devices can be a very good way to protect the privacy and security of both young and old. Not all products need parental controls, but parents should look to see if they are an option for connected products they will buy and let their children use.

User friendly privacy info?

Privacy information should be clear, readable, and communicate basic information to consumers about what happens to their data. Privacy policies are often written more for lawyers than consumers. That’s why it’s nice to see more and more companies creating consumer-friendly privacy pages to outline how they handle your personal information and the data they collect on their users. We hope to see this trend continue.

What could happen if something goes wrong

It’s likely nothing bad will happen with most of the products in this guide. However, it’s also good to think through what could happen if something goes wrong. We lay out a potential worst-case scenario for each product, in some cases for fun and in some cases based on things that have already happened with the product.

Updates

When news breaks or we come across a relevant article about a product in this guide, we will share it in the updates section on each product page.

Comments

We love to hear your thoughts and feedback on the products in this guide. And other users might like to join you in a conversation about any experiences or concerns you’ve had with a product. Please join the conversation in the comment section at the bottom of each product page.

Methodology

If you would like to read more about the research methodology we used to create this guide, please check out our methodology section.

Monetization of the Guide

Mozilla Foundation does not receive any money from the companies featured in this guide or from linking to sites where users purchase products. We are currently experimenting with Web Monetization on a small number of our properties. Web Monetization is an open standard that enables publishers and platforms to compensate creators directly, outside of the dominant advertising model. Only users with a Web Monetization-enabled extension in their browsers will be aware of the implementation. Read more about our Web Monetization experiment here.

Further reading

If you’d like to know how connected devices are created, and what could actually be done to make them better, check out Mozilla’s Internet Health Report special edition: *Privacy Included: Rethinking the Smart Home*.