Some holiday gifts are more festive than others, while those that snoop on their users could be seen as decidedly less so.
So says the Mozilla Foundation, the nonprofit behind the FireFox browser, which recently posted its annual "privacy not included" holiday gift guide to highlight potential security and privacy concerns on a slew of internet-connected products.
Take, for example, a smart coffee maker that Mozilla says is capable of eavesdropping, or a fitness tracker that measures the tone of its user's voice while requesting scantily clad photos. Both are among the 37 connected products branded with a "privacy not included warning label" of the 136 reviewed by the group.to Mozilla. The product also doesn't meet Mozilla's baseline security standards, "which is surprising from a big company like Hamilton," according to Boyd.
Hamilton Beach does not "collect personally identifiable information through the Alexa enabled coffee maker," emailed a spokesperson for the company, which listed consumer names, addresses and phone numbers as among the data it does not compile. "Since we do not collect this information, we cannot offer to delete it."
Made for youngsters as young as 3, the $300 wood kitchen-and-market set comes with self-checkout, a working smart scanner, fridge, freezer and smart faucet. Buyers can also add an Alexa smart speaker (sold separately), along with RFID sensors.
Amazon states that Alexa doesn't promote products, content or services to kids or collect information about children. That may be true, but Mozilla expressed concern that Amazon doesn't explicitly state that as part of its policies. The group also couldn't confirm whether the KidKraft product met its minimum security standards.
Amazon took issue with Mozilla's concerns, saying parents have control over enabling Alexa, and can "review and delete voice recordings associated with their account at any time through the Alexa app or through the Alexa privacy hub," a spokesperson said in an email. .
KidKraft also weighed in. "The goal behind this product is to make the experience with Alexa as robust as possible, while keeping the child's safety in mind by limiting the ability to search the internet or outside sources using Alexa. Not only is the Alexa 2-in-1 Kitchen & Market Alexa skill child-directed (meaning a parent needs to approve and enable it), but it also follows strict content guidelines set by Amazon which are different than regular skills," Susan Russo, KidKraft's vice president, brand & product marketing, stated.
"If your child is playing with the Unicornbot and the camera is on and records the kid playing, we have no idea how Ubtech handles these recordings," Mozilla stated.
Ubtech did not respond to a request for comment.
A fitness band packed with sensors and microphones to track steps, heart rate, sleep, calories and more, the Amazon Halo listens to you and uses machine learning to measure the tone, energy and positivity of your voice to "help strengthen communication." It also asks for photos of you in your skivvies to assess your body fat, according to Mozilla.
Amazon says the photos are automatically deleted from the cloud after they are processed. But given the general lack of security for personal data on the web, "giving Amazon a picture of yourself in your underwear sounds like a truly terrible idea," according to the guide. Added Boyd: "We were particularly alarmed by this one."
Amazon's response to Mozilla's concerns was lengthy: "Privacy is foundational to how we designed and built Amazon Halo. Tone is an opt-in feature. The mics on Halo Band are off and remain off until and unless a customer chooses to opt-in to use Tone. If a customer opts-in, the mics can easily be turned off any time simply by pressing the button on the band. If a customer opts-in, Tone speech samples are processed locally on the customer's phone and deleted automatically after processing, so they never go to the cloud and no one ever hears them. Body scan images are processed in the secure Amazon cloud and automatically deleted, so no one but the customer ever sees them. Amazon Halo health data is not used for marketing, product recommendations or advertising. We do not sell customers' Amazon Halo health data."
A roving robot toy for your pet, the Dogness iPet Robot puts a mobile, internet-connected camera and microphone in your house — seemingly without using encryption, according to Mozilla.
Dogness did not respond to a request for comment.
The smart lock from Schlage uses a Bluetooth connection to unlock your door, meaning you and your phone need to be within about 30 feet of the entrance for it work. Bluetooth technology has shown to have some well-known security vulnerabilities, according to Mozilla, which also said Schlage didn't respond to its request for information on how it protects users.
"Schlage may disclose your personal information for marketing purposes, which isn't great but also isn't uncommon," Mozilla added.
A spokesperson for Schlage responded in an email: "Whether using BLE- or WiFi-enabled communication for our Schlage Sense Smart Deadbolt or Schlage Encode Smart Wifi Deadbolt, we've applied additional encryption above and beyond what is standard. We do not sell consumer data to third parties, and our connected products do offer privacy policies to our customers."