Before purchasing that Nintendo Switch you’ve been eyeing, have you considered how secure the device is?
Mozilla is hoping you will. The privacy-centric nonprofit responsible for web browser Firefox and digital reader Pocket released a holiday shopping guide that puts security and privacy reviews of popular products front and center.
It’s the second year in a row the company published its guide, combining researcher expertise with crowd-sourced user feedback.
The holiday shopping guide reviews the privacy policies and security settings for 70 popular consumer tech devices, from headphones to Star Wars toys to a precision cooker.
The full list, called Privacy Not Included, also lists products based on a crowd-sourced determination of how “creepy” they are based on their security and privacy settings and the functionality of the product itself. Products that meet Mozilla’s minimum security requirements are marked with a badge; those minimum security requirements are centered on the company’s privacy practices, use of encryption and requirement of strong passwords, as well as whether the company enables automatic security updates and monitors security vulnerabilities.
Ashley Boyd, Mozilla’s vp of advocacy, said the goal is to help consumers know how to ask the right questions about security settings and help them make informed buying choices. She also hopes consumer interest in privacy and security will prompt consumer tech manufacturers and developers to be held to a higher standard when it comes to securing the devices they make.
“There’s so much that’s out of [consumers’] control,” Boyd said, “and we haven’t seen a lot of accountability at the highest levels when things go wrong.”
The products on the list run the gamut, including home speaker sets, ereaders, fitness trackers and baby monitors. Products like the Switch, the PS4, a Harry Potter-themed coding kit, a Beeline bike compass, a Behmor smart coffee maker and a Mycroft smart speaker met Mozilla’s minimum security requirements and were rated by users as “not creepy,” the highest marks for the list. In total, 32 of the 70 products met Mozilla’s minimum security requirements.
“This product does a seemingly poor job protecting privacy and security,” the buyers’ guide warns about the monitor. “There is a lot of anecdotal evidence out there demonstrating these baby cameras are regularly and routinely hacked. Potentially, someone could access the video feed during private moments and spy on your family.”
Some of the products the Mozilla team reviewed share data with third parties for various “unexpected reasons”—that is, for purposes not tied to the actual functionality of the product. Several of the products that met Mozilla’s minimum security requirements, like some smart speaker varieties, still were dinged for sharing data with third parties for unexpected reasons.
Concerns about data sharing are top of mind for Mozilla, Boyd said. The company is considering creating a shopping guide in coming years that will review in more detail how companies share data and how they address privacy issues. One challenge: Some companies were hard to get a hold of when asked for more detailed information about how data was being shared with third parties, said Rebecca Ricks, a former Mozilla fellow who reviewed privacy policies for the guide.
“Privacy policies are not designed for educating consumers,” Ricks said, “but to protect companies from legal liability.”
Boyd’s hope is that consumer buying guides like Mozilla’s can inform consumers about security and privacy issues, highlight good actors in the space and help move forward the conversation about privacy and security.
“I like to imagine a nutrition label for privacy policies,” Boyd said, “where consumers can see exactly what they’re getting.”