Mozilla Wants to Make Security and Privacy a Front-and-Center Holiday Shopping Issue

Company is highlighting how gadgets stack up


Before purchasing that Nintendo Switch you’ve been eyeing, have you considered how secure the device is?

Mozilla is hoping you will. The privacy-centric nonprofit responsible for web browser Firefox and digital reader Pocket released a holiday shopping guide that puts security and privacy reviews of popular products front and center.

It’s the second year in a row the company published its guide, combining researcher expertise with crowd-sourced user feedback.

The holiday shopping guide reviews the privacy policies and security settings for 70 popular consumer tech devices, from headphones to Star Wars toys to a precision cooker.

The full list, called Privacy Not Included, also lists products based on a crowd-sourced determination of how “creepy” they are based on their security and privacy settings and the functionality of the product itself. Products that meet Mozilla’s minimum security requirements are marked with a badge; those minimum security requirements are centered on the company’s privacy practices, use of encryption and requirement of strong passwords, as well as whether the company enables automatic security updates and monitors security vulnerabilities.

Ashley Boyd, Mozilla’s vp of advocacy, said the goal is to help consumers know how to ask the right questions about security settings and help them make informed buying choices. She also hopes consumer interest in privacy and security will prompt consumer tech manufacturers and developers to be held to a higher standard when it comes to securing the devices they make.

“There’s so much that’s out of [consumers’] control,” Boyd said, “and we haven’t seen a lot of accountability at the highest levels when things go wrong.”

The products on the list run the gamut, including home speaker sets, ereaders, fitness trackers and baby monitors. Products like the Switch, the PS4, a Harry Potter-themed coding kit, a Beeline bike compass, a Behmor smart coffee maker and a Mycroft smart speaker met Mozilla’s minimum security requirements and were rated by users as “not creepy,” the highest marks for the list. In total, 32 of the 70 products met Mozilla’s minimum security requirements.

Other products didn’t hold up under Mozilla’s scrutiny. Perhaps the creepiest and least-secure item rated by Mozilla was the FREDI Baby Monitor, a video camera that doesn’t use encryption, require users to change the default password (which is “123”) or have a privacy policy (that Mozilla could get its hands on).

“This product does a seemingly poor job protecting privacy and security,” the buyers’ guide warns about the monitor. “There is a lot of anecdotal evidence out there demonstrating these baby cameras are regularly and routinely hacked. Potentially, someone could access the video feed during private moments and spy on your family.”

Some of the products the Mozilla team reviewed share data with third parties for various “unexpected reasons”—that is, for purposes not tied to the actual functionality of the product. Several of the products that met Mozilla’s minimum security requirements, like some smart speaker varieties, still were dinged for sharing data with third parties for unexpected reasons.

Concerns about data sharing are top of mind for Mozilla, Boyd said. The company is considering creating a shopping guide in coming years that will review in more detail how companies share data and how they address privacy issues. One challenge: Some companies were hard to get a hold of when asked for more detailed information about how data was being shared with third parties, said Rebecca Ricks, a former Mozilla fellow who reviewed privacy policies for the guide.

“Privacy policies are not designed for educating consumers,” Ricks said, “but to protect companies from legal liability.”

One of the ways the company is trying to draw attention to privacy in the 2018 guide is to highlight the estimated reading level for the privacy policies that accompany certain products. That estimation was done with help from Carnegie Mellon researchers, who developed an algorithm to measure privacy policy reading levels. Most of the products in the guide had privacy policies written at a college reading level, Mozilla said. The privacy policy for the Bluetooth-connected item tracker Tile Mate, which is intended to help users keep track of items like keys and luggage, required an estimated Grade 18 reading level.

“You shouldn’t need a college degree to be able to understand a product’s privacy policy,” Boyd said.

Boyd’s hope is that consumer buying guides like Mozilla’s can inform consumers about security and privacy issues, highlight good actors in the space and help move forward the conversation about privacy and security.

“I like to imagine a nutrition label for privacy policies,” Boyd said, “where consumers can see exactly what they’re getting.”

@kelseymsutton Kelsey Sutton is the streaming editor at Adweek, where she covers the business of streaming television.