As we draw ever-closer to Black Friday, Cyber Monday, and all the shopping days in between, you’ll have no shortage of cheap, flashy, internet-connected gadgets to choose from for holiday gifts. But in the frenzy, don’t forget that the widgets you buy will live at recipients’ houses—or on their wrists—for months or years to come. With that in mind, it’s worth considering security and privacy risks involved, so you know what you’re getting people into before they unwrap the box.
Connected devices have a problematic track record on security and data privacy, whether they’re being used in businesses, industrial control systems, or homes. And sensors like cameras or devices that track your location generate very sensitive data that could be abused. That doesn’t mean you have to avoid IoT devices at all costs. But it’s worth weighing the potential risks when deciding whether to get someone an internet-connected gadget, and choosing which one specifically to gift.
In the last year alone, companies like Google, Amazon, and Apple were caught using human reviewers to transcribe some user audio recordings from smart speakers—a practice consumers didn’t know about and largely couldn’t control before the revelations. Google’s Nest Guard product turned out to have an undocumented microphone in it that no one knew about. And an army of off-brand—or “white label”—IoT devices has continued to flood the market without accountability.
“I think giving IoT devices as gifts is not necessarily a bad idea, because some of these devices can help improve people’s standard of living,” says Jatin Kataria, principle scientist at the IoT security firm Red Balloon. “But I would be more careful about which companies you are buying from and what kind of data you are sharing with these devices. For example, I would use a smart thermostat or smart lightbulbs, but I wouldn’t keep them on the same network as my PC.”
Most people don’t have the time or know-how to take those types of precautions, though. That goes double when it comes to kids, who generally don’t have the means or ability to make informed choices about what devices they use, where their data goes, or how it might be used.
“There are some privacy-protecting fitness trackers for kids, but on a larger point that is a sensitive and specific decision to make that might not be the best gift for someone who’s not a parent to buy,” says Ashley Boyd, vice president of advocacy at Mozilla. She points out that buying IoT devices for kids can end up “normalizing even this low-level surveillance.”
Though the stakes are particularly high for children, those same concepts apply universally. For the past few years, Mozilla has put out its Privacy Not Included evaluation of IoT devices like smart speakers, wireless headphones, e-readers, smart home devices, and more. The group lays out minimum security standards and then assesses products and their privacy policies against these benchmarks.
Boyd says that this year 62 out of the 76 gadgets Mozilla assessed passed the standards, up from 33 out of 70 in 2018. This improvement reflects growing industry awareness that IoT devices are more of a liability than a help without the most basic security protections. But as Boyd points out, “it’s a minimum.” Manufacturers could still do much more. Some devices, like the Sonos One SL speaker, have moved toward simpler and less risky design by removing non-essential sensors like microphones. Mozilla also found that Parrot’s Anafi Drone has overhauled its security and privacy features in positive ways. But the drone’s price point is now hundreds of dollars higher than last year, indicating that security and privacy may still be a challenge for manufacturers to prioritize in low-end devices.