How to Use This Guide
Need help understanding how to use this guide? Here you go.
If you don’t find the product you are looking for, search to see if we reviewed any other products made by that company. Often, criteria will match from one product to another from the same company. We simply don’t have time to review all the connected products out there.
*Privacy Not Included Warning Label
Our *Privacy Not Included buyer’s guide comes with *Privacy Not Included warning labels on products we think consumers should think twice about before buying. It’s no small thing to assign such a label to a product, so we set ourselves some strict standards. If we can’t confirm a product meets our Minimum Security Standards, it automatically earns the *Privacy Not Included label, as we feel those standards are the minimum a product should meet to be on the market. We also look at how a company uses the data the product collects on you, how you can control the data the company collects, and what the company’s known track record is over the past two years for protecting their users’ data. How a company performs on these criteria determines if we assign them the warning label. You will see little in our review section of the guide to help you understand what our concerns are.
What could happen if something goes wrong
It’s likely nothing bad will happen with most of the products in this guide. However, it’s also good to think through what could happen if something goes wrong. We try to identify what risks and concerns users should have about the product. We often lay out a potential worst-case scenario--in some cases for fun and in some cases based on things that have already happened.
Tips to Protect Yourself
While we don’t think all the responsibility should be on consumers to protect themselves when they buy a connected product, the reality is, the more you can do as a consumer, the better. We lay out a few tips on things you can do to be a little safer, whether that is setting up two-factor authentication, locking down your privacy settings, or remembering to opt out of data sharing. And we try to link to places that help you understand how to do this too.
Time Spent on Research
We approach our research for *Privacy Not Included from the viewpoint of you, the consumer. We don’t purchase the products and test them in a lab. Consumers can’t do that. Instead, we look at all the publicly available information we can find to try and understand the privacy and security concerns you should be aware of. We want to help you understand how long this takes us, in part so you know we’ve taken the time to get things right. But also to help you understand how ridiculous it is that consumers are expected to spend so much time researching connected products before they buy them just to hopefully protect their privacy. It shouldn’t be like this. Companies should do better by building privacy by design into their products.
If a product receives our *Privacy Not Included warning label, we give it a Thumbs Down. If we designate a product as Best Of, it receives a Thumbs Up. If a product receives neither, we give it a Thumbs Sideways.
Our Creep-O-Meter is a reader-generated rating - and an opportunity for you to share your opinion. Read the review of the product, then rate how creepy or not creepy you think the product is. Click vote to see how your opinion stacks up with others. It helps other consumers understand the risks of a product and shows companies how creepy customers find their products. Look at the top of the page to see the “people voted” rating of each product in the guide.
Can it snoop on me?
Just because a device has a camera, microphone, or tracks location doesn’t mean it will snoop on you. It simply means it could and you should be aware of that. Also, many connected devices are controlled by apps on your phone. The apps often ask to use the phone’s camera, microphone or location tracking. Keep an eye on that, as some of the permissions the apps ask for might surprise you.
What is required to sign up?
To use a product do you need to give up your email address, your phone number, or sign in through a third party such as a social media account like Facebook? This is good to know ahead of time so you’re aware of what you’ll need to use the product.
What data does this product collect?
Connected devices collect information on their users. We look at what personal, body-related, and social data a product is likely to collect on you when you use it. Knowing what sorts of personal information you’ll need to give up to use a product is useful to help understand just how much a company could be learning about you. The more information you give up, the better they may know you. Personal data includes things like name, email address, phone number, gender, age, and date of birth. Body-related data includes things like voice recordings, fingerprint, facial recognition, height, weight, heart rate, sleep data, menstrual cycles, and blood oxygen levels. Social data includes things like your contacts and friends or connections you have through a platform, like gamer friends through a gaming console or connections you have through a fitness app.
How does it use this data?
Nearly every company collects some kind of information on its users. That’s how the internet works. It’s how they use and care for this information that matters. You should know whether a company shares or sells your personal information to others and for what reasons. This criterion is one of the criteria we use to determine if a product receives our *Privacy Not Included warning label. Companies that share or sell your data to third parties receive a mini-warning label.
How can you control your data?
Many companies collect a lot of data on their consumers. Who controls that data? Being able to contact a company and ask them to delete any data they have on you is a very good thing.
What is the company’s known track record of protecting users’ data?
It’s one thing for a company to say they care about their users’ privacy. It’s another thing to show that. We look at the track records of all the companies in the guide dating back three years to see if they had known data leaks, security vulnerabilities, or other privacy missteps. This criterion is one of the criteria we use to determine if a product receives our *Privacy Not Included warning label. Companies that have multiple or serious privacy or security breaches receive a mini-warning label.
Can this product be used offline?
Does every product really need to be connected to the internet to work? What happens if the internet goes out or you just want to use that smart scale as a scale? Some *Privacy Not Included users reached out to us over the past couple of years and asked us to include this in our guide. We aim to please!
User friendly privacy info?
Privacy information should be clear, readable, and communicate basic information to consumers about what happens to their data. Privacy policies are often written more for lawyers than consumers. That’s why it’s nice to see more and more companies creating consumer-friendly privacy pages to outline how they handle your personal information and the data they collect on their users. We hope to see this trend continue.
Our Minimum Security Standards
Encryption is your friend. It protects your private and personal information by scrambling it up into a code so that the only people or machines who can read it are the ones on the other end who have the key to unscramble that code. Products that don’t use encryption send personal information over the internet unscrambled so anyone can see it.
Sometimes security vulnerabilities are found in products after they are sold to the public. For that reason, companies should have a way to quickly push a security update out to the product automatically so it fixes the security vulnerability without the consumer ever needing to worry about it.
Remembering passwords might be annoying, but having a good password is still one of the best lines of defense we have when it comes to protecting our privacy and security. It’s great when a password is required. But default passwords that are the same for all consumers and never change can be just as bad as having no password. You should be required to change the default password to a strong password. Products with a default password that does not require changing can leave users’ personal information exposed.
Security vulnerabilities in products happen. It’s how companies manage them when they arise that matters. We looked at whether or not companies have a system in place to manage vulnerabilities in the product when they are found. This includes having a point of contact for reporting vulnerabilities or an equivalent bug bounty program.
Does the product use AI?
More and more products use artificial intelligence these days. It’s not just smart speakers and facial recognition in security cameras either. It’s AI in dog toys and fitness trackers and connected workout equipment. For our reviews, we defined AI as: Automated technology that makes decisions for you and/or changes continually based on your user data. What does all this mean for consumers? We’re just starting to understand. However, most consumers don’t know when AI is being used or how it may affect their experience. We believe companies should provide this information to consumers as AI-enabled products become more prevalent and their decisions about you - and for you - more consequential. For more on Mozilla’s position on creating trustworthy AI, you can read our whitepaper Creating Trustworthy AI.
Is this AI untrustworthy?
Too often, AI in our world comes with bias or unethical behavior. Unfortunately, it’s nearly impossible to tell if a company’s AI algorithms are trustworthy and ethical or not, and there’s not a commonly agreed upon framework for ‘trustworthy AI’ features and policies. However, we do know that companies are often not transparent about how their AI algorithms work, and that leaves us concerned overall. If we are able to find credible reporting that shows an AI is untrustworthy, we will note it here and issue a warning label with a clear description about how we came to this conclusion.
What kind of decisions does the AI make about you or for you?
We think consumers should know if a product uses their personal data to make decisions for or about them. To answer this question, we look to see what the company says the product’s AI is doing. We can’t always tell though, and that is not good.
Is the company transparent about how the AI works?
One of the biggest issues surrounding artificial intelligence in our consumer products is having access to essential information about how AI-enabled features work. For example, what data does it collect and how does it use that information to make decisions for or about you? Knowing how it works lets users evaluate if there may be a chance of bias or ethical implications they should consider before using a product driven by AI. We think companies should have publicly available information explaining this. We’ll let you know if they do.
Does the user have control over the AI features?
We let you know if there is any way to opt out of AI or adjust the settings of the AI if you would like.
When news breaks or we come across a relevant article about a product in this guide, we will share it in the updates section on each product page.
We love to hear your thoughts and feedback on the products in this guide. And other users might like to join you in a conversation about any experiences or concerns you’ve had with a product. Please join the conversation in the comment section at the bottom of each product page.
If you would like to read more about the research methodology we used to create this guide, please check out our methodology section.