Mozilla Makes a Naughty List of Gifts That Aren't Secure

In its second annual “Privacy Not Included” guide, the nonprofit highlights internet-connected items that value your privacy—and the ones that may not.
Image may contain Vehicle Transportation Aircraft and Airplane
Joby Sessions/Getty Images

A good rule of thumb when it comes to internet-connected toys is not to buy them. Security too often sits too low on the priority list of the companies that make them. But in a new report, Mozilla, the nonprofit behind the popular Firefox browser, has a more finely tuned privacy appraisal of not just toys but dozens of popular holiday gifts—some of which may not rate much better than coal.

Mozilla’s “Privacy Not Included” guide, now in its second year, rates 70 products, ranging from toys and smart speakers to a sous vide, across multiple categories. It’s also rolling out—along with advocacy groups Internet Society and Consumers International—new “minimum security requirements,” and awarding badges to items that score high marks.

“We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet,” says Ashley Boyd, vice president of advocacy at Mozilla. “These products are becoming really popular. And in some cases, it’s easy to forget that they’re even connected to the internet.”

Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla’s rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn’t take a PhD to parse.

The most surprising result of Mozilla’s testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the “Privacy Not Included” guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier. On the other end of the scale, Mozilla highlighted seven products that may not hit the mark—yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor.

DJI says that there's no indication that the Spark has ever been hacked, other than intentionally by enthusiasts looking for a performance boost. And to its credit, the company is also proactive in fixing issues that do arise; just last week, it patched an authentication bug that would have allowed hackers to access user accounts.

Anova CEO Steve Svajian says that the company plans to add encryption to the next generation of its product, and is exploring ways to add it retroactively to those already on the market. "We take privacy and security very seriously," says Svajian. "It's crucially important for the community to trust what we do."

The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. “If you can’t tell, that says that there’s a problem of communication between manufacturers and consumers,” says Boyd. “We would love for makers of these products to be more clear and more transparent about what they’re doing and not doing. That’s a big place we think change is needed.”

Mozilla rightly acknowledges that a survey of 70 products shouldn’t be seen as any sort of definitive buying guide. There are thousands of internet-connected presents waiting to be gifted this year, all of them offering a wide range of privacy controls. But that’s not the point. “The number of products is a drop in the bucket,” adds Boyd. “We’re trying to drive a conversation where manufacturers can see that consumers care about this information. We’re trying to give people essentially a way to look at any product and what to look for, what questions to ask.”

Still, giving a simple thumbs-up or thumbs-down—or, in the majority of cases, no thumb at all—feels overly broad. To badly paraphrase Tolstoy: Secure products are all alike; every not-secure product is not secure in its own way. The risks of a hackable baby monitor far outweigh those of a cooking implement, and a garbled privacy policy seems less problematic than a disregard for encryption. Those distinctions aren’t immediately clear when you scan “Privacy Not Included,” and in fact become further complicated by a “Creep-O-Meter,” which lets readers rate how creepy they think a given product is, regardless of its actual merits.

At the very least, Mozilla's guide does elucidate what can actually go wrong if someone compromises your gear. Take, for example, that sous vide: “Someone could hack your Wi-Fi, crank up the cooking temperature on your sous vide, and overcook your steak,” reads the entry, presenting a worst-case scenario that’s not quite grade A. Svajian also disputes Mozilla's characterization of how Anova handles customer data; the company uses it for analytics and marketing purposes, but does not and will not ever sell it to third parties.

So yes, Mozilla may be painting with an overly broad brush here. But at least those issues are weighed against the report’s admirable goals. Simply knowing it exists might help consumers think twice about letting an internet-connected camera or microphone into their home, no matter how adorable the teddy bear it’s attached to.

“So much of the news that people are reading about the technology industry is scary. People aren’t clear what to do and how to improve their safety online,” according to Boyd. “Consumer products are a great place for people to learn more, because they’re things that people bring into their home. This is a place where people are pretty empowered.”


More Great WIRED Stories

UPDATE 11/12/18 12:00PM: This story has been updated with comment from Anova CEO Steve Svajian.