Your Privacy Focused Holiday Shopping Guide
For the second year, Mozilla is releasing *Privacy Not Included. We’ll help you identify which connected devices provide robust privacy and security features — and which ones don’t.
He sees you when you’re sleeping
He knows when you’re awake
He knows if you’ve been bad or good…
The lyrics to “Santa Claus Is Comin’ to Town” detail an omniscient Saint Nicholas. But in 2018 — in an era of always-listening products and apps — the lyrics might as well be detailing the latest connected device.
This holiday season, Mozilla is helping consumers identify which connected products are secure and trustworthy — and which aren’t. The goal: help consumers shop for gifts based on how well they protect the privacy and security of their friends and family, in addition to traditional factors like a product’s price and performance.
For the second year, we’re releasing *Privacy Not Included, a shopping guide that lists connected devices’ privacy and security traits. Mozilla researchers spent the last several months exploring whether or not products encrypt personal information, offer automatic security updates, have clear privacy policies, and more.
Our researchers focused on the season’s most popular connected devices in the United States, from Nintendo Switch and the latest Roku to Fitbits and assorted drones, smart watches, and even a smart dinosaur. This year’s guide features:
- In-depth reviews of 70 products across six categories: Toys & Games; Smart Home; Entertainment; Wearables; Health & Exercise; and Pets.
- 32 products were awarded a badge for meeting the Minimum Security Standards created by Mozilla, Internet Society and Consumers International. To receive a badge, products must: use encryption; have automatic security updates; manage security vulnerabilities using tools like bug bounty programs and clear points of contact; and require users to change the default password if a password is required. Products receiving a badge include: Nintendo Switch, Google Home, Harry Potter Kano Coding Kit, Athena Safety Wearable, and the Behmor Brewer Coffee Maker.
- For over half of the products, Mozilla researchers did not make a conclusive determination of whether they met the Minimum Security Standards. Factors behind this included a company not responding to inquiries, or a company’s response conflicting with recent independent security audits or penetration tester reports.
- Answers to important questions like, “Can this product spy on me?” “Is it tracking my location?” and “Can I control the data it collects about me?”
- The debut of the Creep-O-Meter, an interactive tool allowing readers to rate how creepy they think a product is, using a sliding scale of “Super Creepy” to “Not Creepy,” as well as to share how likely or unlikely they are to buy it. The home page of the *Privacy Not Included guide lists products based on rankings from Not Creepy to Super Creepy. (Nearly 2,500 ratings were submitted by users during the guide’s beta testing period that began in late October.)
- An assessment of how easy — or hard — it is to read a product’s privacy policy, using Carnegie Mellon’s Explore Usable Privacy project, which created an algorithm to determine reading levels. The most common reading level required is a college reading level (grade 14). Tile Mate’s privacy policy is identified as the most difficult, requiring a college graduate reading level (grade 18), while the Tractive GPS 3G Pet Tracker is identified as the easiest to read, requiring a middle school reading level (grade 8).
We soft-launched this year’s guide at MozFest in October. And already, readers are weighing in. Nintendo Switch — which features encryption and automatic security updates — has emerged as one of the more trusted devices among users in the guide, with 72% of readers saying “not creepy.” Alternatively, the FREDI Baby Monitor — which lacks encryption and has the default password “123” — has 73% of readers saying “super creepy.”
So, why does Mozilla publish *Privacy Not Included?
There’s no shortage of holiday shopping guides. But most focus on price and performance, not privacy. We believe that’s a major oversight. Each day, more and more headlines emerge about flawed connected devices. These devices can track our locations without us knowing; they can sell our data to a galaxy of advertisers; and they often can be hacked or manipulated. In recent years, even stuffed animals and a children’s doll have been compromised.
*Privacy Not Included is part of Mozilla’s work to spark mainstream conversations about online privacy and security — and to put individual internet users in control of their own data. This guide complements other Mozilla initiatives, like our consumer privacy campaigns; our annual Internet Health Report; and our roster of Fellows who develop research, policies, and products around privacy and security.
Thanks for reading. And safe shopping!