Spies beneath the Christmas tree: holiday shoppers must be on guard

Slowly but surely, Christmas shoppers are getting in the holiday spirit of merrymaking and gift-giving. Many shopping lists are filled with smart devices, which are connected to the Internet. If you have such items on your list, you should pause for a second and consider whether this great gift will turn into a means of spying on your loved ones. How? It’s simple: Many Internet-enabled devices have direct access to a camera or microphone or can gain such access with the help of a smartphone app. Or they can track your location. Certain questions remain unclear, such as: What happens with the data? Where and how long are they stored? And who has access to them?

To create more transparency and help you make your buying decisions, Mozilla has teamed up with the U.S. organization Consumer Reports and put together a shopping guide for Internet-enabled devices. The guide is broken down into the categories of toys, game consoles, home hubs, smart-home accessories, gadgets, health and exercise.

The shopping guide called *privacy not included explores such questions as whether and how the reviewed products can spy on users, what the devices know about them and what could happen in the worst-case scenario. It also provides information about whether the provider will unexpectedly share the data with a third party and whether it will delete user data upon request. The information page for each product also includes a link to the privacy statement of the respective providers.

One of the oddest Internet-enabled devices that Mozilla and Consumer Reports checked is Edwin the Duck. With the help of a connected smartphone app, this rubber ducky can track your location. Does it have privacy controls? Are you kidding?

The smart soccer ball Adidas miCoach is also outfitted with an app that is also just itching to be connected to a camera, microphone and location. It also requires a user account, but offers no privacy controls. However, the ball’s maker does pledge that it will not share user data with a third party and will delete the information upon request. But whether the company actually keeps its promise is something else entirely. Normally, you cannot check to be sure.

Just two years ago, Hello Barbie, a doll with a built-in microphone, exemplified the menace posed by connected toys. It transmitted audio recordings of children to a server, which then passed them on to third parties. But that was hardly the only problem. The app used by the doll was vulnerable to attacks. This meant that, in theory, strangers could eavesdrop on the kids. Since then, the doll’s makers, Mattel & ToyTalk, have rewritten their policies on data storage and data protection multiple times. But, of course, Hello Barbie still comes equipped with a recording device that captures any words spoken near it.

Digital home hubs like Amazon Echo/Show and Google Home should be kept at arm’s length. They are activated by the use of such signal words as “Alexa” or “OK, Google.” To be able to hear them, they have to constantly listen to voices in the room. But you cannot say with any certainty whether the microphone or camera (like the Amazon Echo Show) that is installed in the device is actually recording something or what may be recorded and stored if it is doing so. Google, for instance, also shares the information collected by the device to third parties for advertising purposes.

Mozilla and Consumer Reports aren’t exactly thrilled by game consoles like Microsoft Xbox, Sony Playstation or Nintendo Switch. Admittedly, these devices are unable to spy on people with the help of cameras or microphones by default. But the consoles do enable assumptions to be made about individual users that are based on what games, TV shows and other apps these individuals use and when. Microsoft also shares the data with third parties for advertising purposes.

Smart home devices like the smart lighting system Philips Hue, iRobot’s vacuum cleaners Roomba or WiFi speakers Sonos Play:1 also reveal much more information about users than first meets the eye. Mozilla and Consumer Reports say the manufacturers of these products can draw conclusions about activities in the home, create specific maps of homes or determine a resident’s mood based simply on the type of music that is played. These data will then be used for advertising purposes.

Health and exercise products like the electric toothbrush Braun Oral-B Genius Pro 8000, the thermometer Kinsa Smart Ear or the fitness tracker Fitbit Surge act in much the same way. They all use a Bluetooth-connected smartphone app to vacuum up data, some of which are also used for advertising purposes.

As the shopping guide prepared by Mozilla and Consumer Reports shows, you should always keep one thing firmly in mind when you give or use Internet-enabled devices: Third parties could be snooping on you. As always, you need to carefully weigh the benefits of technical innovations against issues related to your privacy. In the end, it will be the buying and usage behavior of you, the consumer, that will determine which technologies – with all of their benefits and drawbacks – will succeed and which ones will fail.