Mozilla researchers reviewed 151 connected products — from smart speakers to exercise bikes — to determine if they protect consumers’ privacy and security

(SAN FRANCISCO, CA | TUESDAY, NOVEMBER 16, 2021) — Gifting someone a gadget has become a holiday tradition, but these days it can be rife with risk. You might buy exercise equipment that sells the recipient’s most intimate data, or a smart speaker that eavesdrops on your parents.

To help consumers determine which connected products they can trust — and which privacy-skirting tech gifts they should avoid — Mozilla today launches its fifth annual *Privacy Not Included holiday shopping guide.

The goal of the guide is two-fold: arm shoppers with the information they need to choose gifts that protect their friends and family, while also spurring the tech industry to do more to safeguard consumers.

For this 2021 edition, Mozilla researchers spent more than 950 hours reviewing 151 popular connected gifts across six categories: Smart Home, Toys & Games, Entertainment, Wearables, Health & Exercise, and Pets. Researchers combed through privacy policies, pored over product and app features, and quizzed companies. Researchers answer questions like: Does this product have a camera, microphone, or location tracking that could snoop on you? Does the product use AI, and how? What data does the device collect and how does the company use it? And, What is the company’s known track record for protecting users’ data?

Mozilla identified 46 products that have especially problematic privacy practices, branding them with a “*Privacy Not Included” warning label. Some of the worst offenders include Facebook Portal, Amazon Echo, and NordicTrack Treadmill.

On the other hand, researchers identified 22 “Best Of” products that get privacy right by not collecting, selling or sharing data, including the Garmin Venu, iRobot Roomba, and Apple HomePod mini. The guide also identifies which products meet Mozilla’s Minimum Security Standards, like using encryption and requiring users to use a strong password.

Says Jen Caltrider, *Privacy Not Included lead researcher: “While gadgets may be getting smarter, they are also getting creepier and way more prone to security lapses and data leaks — even among leading companies like Microsoft, Amazon, and Facebook. We also found that consumers continue to shoulder way too much of the responsibility to protect their own privacy and security. Consumers are asked to read complicated documents scattered across multiple websites to even begin to understand how their data is being used.”

Caltrider continues: “Smart exercise equipment stood out as especially problematic. Consumers buy equipment like a Peloton bike or a NordicTrack treadmill to work out in the privacy of their own home. Unfortunately, there seems to be little privacy with these devices.”

Highlights and trends of the 2021 *Privacy Not Included guide include:

  • 46 products were branded with a “*Privacy Not Included” warning label. Facebook is the creepiest of the big tech companies. Its Facebook Portal is equipped with an AI-powered smart camera and microphone that sends data back to Facebook (er, Meta) regularly. Meanwhile, Amazon's Echo Dot for Kids can read your children bedtime stories — all while helping Amazon potentially learn a lot about your kid. And the e-reader Onyx Boox doesn’t even have a privacy policy.
  • 22 products were awarded “Best Of” for exceptional privacy and security practices. Apple is the least creepy of the big tech companies, since they don't share or sell your data. Garmin’s fitness watches also protect users’ personal data. And the Sonos One SL speaker is especially built without a microphone.
  • Home exercise equipment companies do not let you work out in the privacy of your own home. Companies like Peloton, NordicTrack, Tonal, and SoulCycle collect a large amount of personal information, and sell or widely share this data to make more money off of consumers. The NordicTrack Treadmill is especially problematic: They can sell your data, call or text your phone number even if you’re on a do-not-call list, and may collect data from data brokers to target you with ads.
  • Privacy laws can make a difference (depending where you live). Consumers living in areas with strong privacy laws have an advantage when it comes to data deletion or being able to request that a company not sell your data. For example, many companies openly admit they have different rules for consumer data for people who live in California, thanks to the California Consumer Privacy Act (CCPA).
  • Privacy policies are hard to read — and sometimes even find. Very few companies publish safety tips and best practices for privacy when using their products. Further, too many companies make it difficult to even find their privacy policies. Major culprits include Kwikset, Amazfit, Ubtech, Onyx Boox, Fi Series 2 and Whistle pet trackers.

  • Amazon’s Alexa is everywhere. That makes us nervous. Amazon Alexa is embedded in numerous products, including ones that Amazon doesn’t manufacture. That concerns us because Alexa and Amazon retain records of Alexa interactions. Even if you ask Amazon to not collect personal data on your kids, they say they still might collect some data. And Alexa Skills seem to be problematic in their oversight/privacy.