Think Twice Before Giving Gifts With a Microphone or Camera
Credit to Author: Lily Hay Newman | Date: Wed, 27 Nov 2019 12:00:00 +0000
Black Friday is going to be overrun with cheap, internet-connected gifts. Just make sure you know exactly what you’re buying.
As we draw ever closer to Black Friday, Cyber Monday, and all the shopping days in between, you'll have no shortage of cheap, flashy, internet-connected gadgets to choose from for holiday gifts. But in the frenzy, don't forget that the widgets you buy will live at recipients' houses—or on their wrists—for months or years to come. With that in mind, it's worth considering the security and privacy risks involved, so you know what you're getting people into before they unwrap the box.
Connected devices have a problematic track record on security and data privacy, whether they're being used in businesses, industrial control systems, or homes. And sensors like cameras or devices that track your location generate very sensitive data that could be abused. That doesn't mean you have to avoid IoT devices at all costs. But it's worth weighing the potential risks when deciding whether to get someone an internet-connected gadget, and choosing which one specifically to gift.
In the last year alone, companies like Google, Amazon, and Apple were caught using human reviewers to transcribe some user audio recordings from smart speakers—a practice consumers didn't know about and largely couldn't control before the revelations. Google's Nest Guard product turned out to have an undocumented microphone in it that no one knew about. And an army of off-brand—or "white label"—IoT devices has continued to flood the market without accountability.
"I think giving IoT devices as gifts is not necessarily a bad idea, because some of these devices can help improve people's standard of living," says Jatin Kataria, principal scientist at the IoT security firm Red Balloon. "But I would be more careful about which companies you are buying from and what kind of data you are sharing with these devices. For example, I would use a smart thermostat or smart lightbulbs, but I wouldn’t keep them on the same network as my PC."
Most people don't have the time or know-how to take those types of precautions, though. That goes double when it comes to kids, who generally don't have the means or ability to make informed choices about what devices they use, where their data goes, or how it might be used.
"There are some privacy-protecting fitness trackers for kids, but on a larger point that is a sensitive and specific decision to make that might not be the best gift for someone who’s not a parent to buy," says Ashley Boyd, vice president of advocacy at Mozilla. She points out that buying IoT devices for kids can end up "normalizing even this low-level surveillance."
Though the stakes are particularly high for children, those same concepts apply universally. For the past few years, Mozilla has put out its Privacy Not Included evaluation of IoT devices like smart speakers, wireless headphones, e-readers, smart home devices, and more. The group lays out minimum security standards and then assesses products and their privacy policies against these benchmarks.
Boyd says that this year 62 out of the 76 gadgets Mozilla assessed passed the standards, up from 33 out of 70 in 2018. This improvement reflects growing industry awareness that IoT devices are more of a liability than a help without the most basic security protections. But as Boyd points out, "it's a minimum." Manufacturers could still do much more. Some devices, like the Sonos One SL speaker, have moved toward simpler and less risky design by removing non-essential sensors like microphones. Mozilla also found that Parrot's Anafi Drone has overhauled its security and privacy features in positive ways. But the drone's price point is now hundreds of dollars higher than last year, indicating that security and privacy may still be a challenge for manufacturers to prioritize in low-end devices.
Additionally, Mozilla found that while security protections may be improving, basic privacy safeguards may have slipped.
"There's more information collected it appears, and not a lot more information about data privacy and the options that users have, so that's a concern," Boyd says. "The other thing that we’re noticing is increasing consolidation—a family of products. So if you’re not happy with one product or how it shares information it’s harder to leave the ecosystem." Google's recent acquisition of Fitbit is a good example.
And this point particularly relates to gift-giving. By gifting a device that you think is nifty or useful, you're implicitly also nudging the recipient to make an account with that company, likely download a mobile app, and potentially become ensnared in a digital—or even legal—ecosystem that they didn't choose for themselves.
If you're casting around for gift ideas, researchers say the crucial thing is not to reach for random IoT devices out of desperation. Though the benefits of using them may outweigh the risks much of the time, that's not always the case. So stick to devices you know a friend or family member actually wants, from a manufacturer you trust.
"Such gifts can indeed be unwelcome by people worried about their privacy," says Jean-Philippe Aumasson, CEO of the Swiss IoT encryption company Teserakt AG. "But I don't believe giving such devices should be perceived as intrusive or offensive."
If you can, just give the extra gift of nudging your loved ones toward a more secure and private option—whether that's a vetted IoT device or an analog alternative.