Spies beneath the Christmas tree: holiday shoppers must be on guard

Connected devices and smart home products rank high on many people's Christmas gift lists. But buyer beware: The prying eyes of such products can frequently look deeply into consumers’ private lives.


Björn Greif, Editor

Slowly but surely, Christmas shoppers are getting into the holiday spirit of merrymaking and gift-giving. Many shopping lists are filled with smart devices that are connected to the Internet. If you have such items on your list, you should pause for a second and consider whether this great gift will turn into a means of spying on your loved ones. How? It’s simple: Many Internet-enabled devices have direct access to a camera or microphone or can gain such access with the help of a smartphone app. Or they can track your location. Certain questions remain unclear, such as: What happens with the data? Where and how long are they stored? And who has access to them?

To create more transparency and help you make your buying decisions, Mozilla has put together a shopping guide for connected devices. The guide is broken down into the categories of toys & games, smart home, entertainment, wearables, health & exercise, and pets.

The shopping guide, called *privacy not included, explores such questions as whether and how the reviewed products can spy on users, what the devices know about them and what could happen in the worst-case scenario. It also provides information about whether the manufacturer will unexpectedly share the data with a third party and whether it will delete user data upon request. The information page for each product also includes a link to the privacy statement of the respective provider (if available).

Cameras out of control

One of the connected devices that did poorly in Mozilla’s study and did not even meet Mozilla’s minimum security standards is the FREDI Baby Monitor. According to Mozilla, the baby monitor with a built-in IP camera can be easily hacked: it uses no encryption and has “123” as its default password. Potentially, someone could access the video feed and spy on the family. In addition, there seems to be no privacy policy for this product.

The FREDI Baby Monitor fails when it comes to protecting privacy and security (Source: FREDI).

The camera drone Parrot Bebop 2 does not do much better. It also forgoes encryption and is therefore easily hackable. There is even a free tool available that autonomously seeks out, hacks, and wirelessly takes over Parrot drones within Wi-Fi distance. Anyone can download the tool to create their own army of zombie drones. Creepy!

The living room eavesdropper

Digital home hubs like Amazon Echo (Dot, Plus, Show, Spot) and Google Home should be kept at arm’s length. They are activated by signal words such as “Alexa” or “OK, Google.” To be able to hear these words, the devices have to constantly listen to voices in the room. But you cannot say with any certainty whether the microphone or camera (in the case of Amazon Echo Show and Spot) that is installed in the device is actually recording something or what may be recorded and stored if it is doing so. It’s also unclear to what extent Amazon and Google share the information collected with third parties for advertising purposes.

Google Home constantly listens to voices in the room (Source: Google).

Mozilla isn’t exactly thrilled by game consoles like Microsoft Xbox, Sony PlayStation or Nintendo Switch. Admittedly, these devices are unable to spy on people with the help of cameras or microphones by default. But the consoles do enable assumptions to be made about individual users that are based on what games, TV shows and other apps these individuals use and when. The console manufacturers may also share data with third parties for marketing or advertising purposes. The same applies to streaming devices such as Amazon Fire TV, Google Chromecast and Apple TV.

Nosy smart home and fitness devices

Smart home products like the smart lighting system Philips Hue or the Wi-Fi smart speaker Sonos One with Amazon Alexa also reveal much more information about users than first meets the eye. Mozilla says the manufacturers of these products can draw conclusions about activities in the home or determine a resident’s mood based simply on the type of music that is played. These data will then be used for advertising purposes.

Health and exercise products like the fitness trackers Garmin Vivosport and Fitbit Charge 3 or the smartwatch Samsung Gear Sport act in much the same way. They all use a Bluetooth-connected smartphone app to vacuum up data, some of which are also used for advertising purposes.

Fitness trackers like Garmin’s Vivosport often collect data for advertising purposes (Source: Garmin).

As Mozilla’s shopping guide shows, you should always keep one thing firmly in mind when you give or use connected devices: Third parties could be snooping on you. As always, you need to carefully weigh the benefits of technical innovations against issues related to your privacy. In the end, it will be the buying and usage behavior of you, the consumer, that will determine which technologies – with all of their benefits and drawbacks – will succeed and which ones will fail.

This blog post is an updated version of an article first published on December 7, 2017.