How Safe is that New Toy?

Every Christmas season the Mozilla Foundation reviews a list of IoT devices that do not protect privacy. It seems like almost anything we buy today that includes electronics also connects to the Internet. We are filling our homes up with devices that provide feedback to the manufacturers or others, often without our knowledge or approval.

The Mozilla Foundation has established a wish list of security standards that it thinks all devices sold to the public should meet. The Mozilla standards include:

  • Transmissions between the devices and the Internet should be encrypted.
  • Devices should be able to receive and implement security updates.
  • Devices should allow users to create strong passwords.
  • Devices should include a system to allow users to control or disable vulnerabilities.
  • Manufacturers should provide a clear and accessible privacy policy.
  • Newly added to Mozilla’s list is that manufacturers should disclose when they are deploying AI in the interaction with users or with their data.

The Foundation reviewed 136 devices this year that it thinks are likely presents this Christmas season. The list covers a wide range of devices, including smart home, home office, toys and games, entertainment, wearables, health and exercise, and devices for pets. Mozilla applies a “Privacy Not Included” rating to any device that badly fails the Mozilla privacy standards. Mozilla has been rating devices annually since 2017 and says that a number of manufacturers have beefed up security measures on devices in response to a poor rating by Mozilla.

Some of the reviewed devices got a good rating from Mozilla, but even most of the best devices have some security issues. An example is the Nintendo Switch handheld gaming device. Mozilla says that Nintendo does a good job with privacy, security, and parental controls, but the company had a data breach in 2020 in which the personal data from 300,000 accounts was compromised, revealing names, dates of birth, and email addresses, enough for anybody to then hack individuals. Mozilla also notes that while Nintendo doesn’t share user data with third parties, there is no guarantee that the gaming companies using the Nintendo device aren’t selling and sharing user data. This review is a good example of the kinds of security risks that the public is taking with devices we routinely bring into our homes. Every device that was reviewed had at least a few security concerns.

Some devices have almost no security features. An example is the Ubtech Jimu Robot Kits. These are coding robot kits where kids can program robots to navigate around the home using infrared sensors and sonar. The robots come in a variety of shapes like a dragon, a truck, or a combat robot. The robots contain almost none of Mozilla’s wish list of protections. The app associated with the robots can track what is seen and heard in the home and can convey user location – not great traits for a kid’s toy. The company provides no privacy policy for users and doesn’t disclose if and how it collects or uses data from the robots. Like many new electronic devices, the robots can only be used when connected to the cloud – so using the device automatically transmits a wide range of data to the company servers.

This annual list provides a good reminder that many of the devices we buy are unsafe. Most of us turn on new electronic devices without reading any instructions or privacy warnings. We type our personal data into apps to enable the device (or let it gather that data automatically by signing up through Facebook or some other app). Even when there are privacy settings available, we rarely enable them. Device manufacturers largely count on the public not taking even basic precautions. This enables them to say they are safe while still gathering information from most of the users of the devices.
