Mozilla’s privacy report on gadgets has returned just ahead of the holidays to remind us that many high-demand devices and smart-tech gizmos are far, far creepier than they let on. And wouldn’t you know it, many of Amazon’s products failed basic privacy and security tests.
The nonprofit on Wednesday released its third-annual Privacy Not Included report, which this year assessed more than 70 popular items across several categories, including toys, entertainment, and wearables. Each device was evaluated for minimum security standards, such as encryption of data, security and password protocols, vulnerability assessments like bug bounty programs, and a clear and available privacy policy. The guide also answers questions about whether each device can track your location or eavesdrop, and whether it shares, or allows a user to delete, collected data.
An interactive emoji at the top of its guide offers a quick, user-based assessment of each of the dozens of products reviewed based on their creep factor. (You can vote on a scale of “not creepy” to “super creepy.” This year, 60 of the products reviewed met Mozilla’s minimum security standards.
Gadgets like the Nintendo Switch and the Sonos One SL, for example, were decidedly “not creepy.” Meanwhile, Airpods, iPad, and Apple TV ranked further down the list. While each met the nonprofit’s security standards, all three have the capabilities that might let an attacker snoop on users either through a microphone, camera, or location tracking—or all three, as with the iPad—though the report does commend Apple on its overall privacy and security track record. Those Apple products were deemed just a “little creepy” by the report.
Amazon, Google and Facebook, however, made Mozilla’s privacy shit list. Google Home, for example, met Mozilla’s security standards but was dubbed “super creepy” by users for the fact that Google can target users based on everything it’s gathered about them through their search and browser history, places they’ve visited, and all of the other data they share with its products. As the guide states, it’s “all fun and games until those weirdly specific targeted political ads start tracking you all around the internet.” Its Next Max was also pegged as “very creepy,” though not as bad as the Home.
Google did not immediately return a request for comment.
Also tagged by users as “super creepy” was Facebook’s Portal, which—somewhat miraculously—hit all of Mozilla’s basic security markers. As the guide notes, however, Portal only works by connecting to Facebook. That’s not an especially great idea considering Facebook’s stunningly abysmal track record with managing user data and its violations of user trust.
Given all this, it’s highly inadvisable to invite a Facebook device—complete with a microphone and smart camera—right into your home. Truthfully, this was the least surprising device to wind up at the bottom of Mozilla’s privacy report.
“Portal from Facebook was recognised by Mozilla with its highest rating for meeting the ‘Five basic steps every company should take to protect consumer privacy,” the company said in a statement by email, completely failing to address all the other stuff. “We support Mozilla in their continued effort to educate consumers on the importance of privacy and security.”
Amazon’s Smart Plug, Fire TV, Fire HD Kids Edition, Fire HD Tablet, Echo Show, Echo smart speakers and Ring security cameras (both indoor and outdoor) were all rated varying degrees of creepy. (Amazon’s Kindle, meanwhile, landed a “not creepy” rating.) Ring and the Echo Show were the worst offenders on the list, with Mozilla designating both—and colour me shocked here—as “super creepy.”
While the Echo Show met Mozilla’s baseline security threshold, the report specifically called out voice data collection and human review that could allow a stranger to listen in on private conversations.
Amazon, for its part, maintains that it is doing plenty to protect user privacy and security and inform customers of its data practices, thank you very much.
“Customer trust is our top priority and we take customer privacy and security seriously,” an Amazon spokesperson told Gizmodo in a statement by email. “We design Alexa and Echo devices with multiple layers of privacy protections, from microphone and camera controls to the ability to view and delete voice recordings.” The spokesperson added that Alexa users “can visit the Alexa Privacy Hub to learn more about these options and other features that provide transparency and control over their Alexa experience” along with the site’s URL.
Unlike the Echo Show, several Ring products did not meet Mozilla’s security standards. Beyond the fact that the company handed over data to police about how users responded to U.S. law enforcement requests, encouraged people to report their neighbours, and solicited access from police to real-time 911 call data—making Ring a veritable narc and privacy scourge—Mozilla was unable to conclude whether Ring used secure encryption, noted its lack of transparency around privacy, and said the company “doesn’t have a great track record for securing customer data or hiring experienced security engineers.”
“Of the products that rated poorly, one of the standouts is Ring,” Ashley Boyd, Mozilla’s vice president of advocacy, told Gizmodo by phone. “We think that the Ring product is really problematic in terms of not giving customers straightforward information about how it’s working with police departments and how it’s using customer data.”
Boyd noted that Ring, in particular, is a good example of the ways that data use and collection should be considered both on an individual as well as systemic level. Boyd noted it’s important to examine how data is being used in the backend, how it’s being used by Amazon, and how it’s being used by police departments.
Reached for comment by email, a Ring spokesperson pointed to an October blog post from the company’s founder Jamie Siminoff detailing “how we work with law enforcement and how we protect user privacy.”
“Ring users place their trust in us to help protect their homes and communities, and we take that responsibility very seriously,” a spokesperson for the company told Gizmodo. “Ring does not own or otherwise control users’ videos, and we intentionally designed the Neighbours Portal to ensure that users get to decide whether or not to voluntarily provide their videos to the police.”
Setting aside Amazon’s myriad privacy sins, this year’s report wasn’t all bad news. One of the things that the folks at Mozilla noticed this year was good progress—especially from bigger companies like Apple and Google—on providing concise and consolidated privacy information to their users through portals.
“We find that helpful because consumers find it hard and frustrating to look in a lot of different places for information about the products,” Boyd said. “And that tracks with an overall trend of companies doing a bit better job of having privacy policies that are easier and more explainable to read. We’re not there yet—we still have some distance to go in people fully understanding what’s included, but we see some progress there.”
Boyd said more companies overall are meeting Mozilla’s basic security standards, and some products—like the Parrot Anafi Drone—met those guidelines this year where they hadn’t last year. The downside with that product, however, is that its price has increased. Boyd said that it’s important that privacy does not become a premium, adding it’s a reasonable expectation that privacy is available on products at all price points. Nobody should need to pay extra for peace of mind when using their gadgets.
To check out Mozilla’s full analysis of popular products, head right here.