Spies Beneath the Christmas Tree: Holiday Shoppers Must Be on Guard

Slowly but surely, Christmas shoppers are getting in the holiday spirit of merrymaking and gift-giving. Many shopping lists are filled with smart devices, which are connected to the Internet. If you have such items on your list, you should pause for a second and consider whether this great gift will turn into a means of spying on your loved ones. How? It’s simple: Many Internet-enabled devices have direct access to a camera or microphone or can gain such access with the help of a smartphone app. Or they can track your location. Certain questions remain unclear, such as: What happens with the data? Where and how long are they stored? And who has access to them?

To create more transparency and help you make your buying decisions, Mozilla has put together a shopping guide for connected devices. The guide is broken down into the categories of toys & games, smart home, entertainment, wearables, health & exercise, and pets.

The shopping guide called *privacy not included explores such questions as whether and how the reviewed products can spy on users, what the devices know about them and what could happen in the worst-case scenario. It also provides information about whether the manufacturer will unexpectedly share the data with a third party and whether it will delete user data upon request. The information page for each product also includes a link to the privacy statement of the respective providers (if available).

One of the connected devices that did poorly in Mozilla’s study and did not even meet their minimum security standards is the Video Doorbell by Amazon subsidiary Ring. According to Mozilla, the doorbell with built-in motion detector, IP camera and intercom raises a number of red flags: For example, Ring stored customer data – including video recordings – unencrypted on an Amazon cloud server and employees could access any of this data. In addition, the company is not very transparent about their privacy and data deletion practices.

The Artie 3000 Coding Robot designed to help teach kids to code doesn’t do much better. It’s unclear, for example, if the data connection between Artie and your computer or app is encrypted. In addition, the robot seems to function as an open Wi-Fi hotspot that isn’t password protected. There is therefore a risk that Artie could be hacked and any data sent over its Wi-Fi could be open to anyone. Beyond that, there seems to be no privacy policy for this product.

Digital home hubs like Amazon Echo (Show, Smart Speakers) and Google Home should be kept at arm’s length. They are activated by the use of such signal words as “Alexa” or “OK, Google.” To be able to hear them, they have to constantly listen to voices in the room. But you cannot say with any certainty whether the microphone or camera (in the case of Amazon Echo Show) that is installed in the device is actually recording something or what may be recorded and stored if it’s doing so. It’s also unclear to what extent Amazon and Google share the information collected with third parties for advertising purposes.

Mozilla isn’t exactly thrilled by game consoles like Microsoft Xbox, Sony Playstation or Nintendo Switch. Admittedly, these devices are unable to spy on people with the help of cameras or microphones by default. But the consoles do enable assumptions to be made about individual users that are based on what games, TV shows and other apps these individuals use and when. The console manufacturers may also share data with third parties for marketing or advertising purposes. The same applies to streaming devices such as Amazon Fire TV, Google Chromecast and Apple TV.

Smart home products like the Wi-Fi smart speaker Sonos One with Amazon Alexa and Google Assistant also reveal much more information about users than first meets the eye. Mozilla says the manufacturers of these products can draw conclusions about activities in the home or determine a resident’s mood based simply on the type of music that is played. These data will then be used for advertising purposes.

Health and exercise products like the fitness trackers Fitbit Charge 3 and Samsung Galaxy Fit act in much the same way. They all use a Bluetooth-connected smartphone app to vacuum up any kind of health data, some of which are also used for advertising purposes.

As Mozilla’s shopping guide shows, you should always keep one thing firmly in mind when you give or use connected devices: Third parties could be snooping on you. As always, you need to carefully weigh the benefits of technical innovations against issues related to your privacy. In the end, it will be the buying and usage behavior of you, the consumer, that will determine which technologies – with all of their benefits and drawbacks – will succeed and which ones will fail.

This blog post is an updated version of an article first published on December 7, 2017.