Mozilla's 'Privacy Not Included' Gift Report Highlights Security Concerns (wired.com)
Mozilla has released its second annual "Privacy Not Included" guide that rates 70 products to help give you an idea as to how secure or insecure they are. "We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet," says Ashley Boyd, vice president of advocacy at Mozilla. "These products are becoming really popular. And in some cases, it's easy to forget that they're even connected to the internet." Wired reports: Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla's rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn't take a PhD to parse. The most surprising result of Mozilla's testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the "Privacy Not Included" guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier.
On the other end of the scale, Mozilla highlighted seven products that may not hit the mark -- yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor. The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. "If you can't tell, that says that there's a problem of communication between manufacturers and consumers," says Boyd. "We would love for makers of these products to be more clear and more transparent about what they're doing and not doing. That's a big place we think change is needed."
I bought a DJI Spark last year. It does not need an active internet connection to fly. It also does not upload your flight records, photos, or videos to DJI's servers without manual intervention. The pictures/videos are stored on a standard MicroSD card. Mozilla is also incorrect in claiming it has a microphone - it does not (if it had one, all it would record would be the noise from the motors/propellers).
Yes, the drone doesn't require you to change the default WiFi password, but that's because a unique password is already printed on each drone. While people have hacked control of these things under laboratory conditions, the extremely short battery life (approximately 14 minutes of actual time in the air) means you'll have landed and be long gone before anyone could "hack" your drone. All of that is assuming a malicious actor even knows your drone is in the air in the first place. At 400' up, the Spark is incredibly hard to see and nearly inaudible.
The real reasons you wouldn't want to buy one of these things are that they're banned almost everywhere you'd really want to use one, and they're still kind of pricey for what is essentially a flying cell phone camera with extremely short battery life. As far as privacy risks go, again, it's a (flying) camera that geotags your photos/footage, which can lead to exactly the same privacy concerns as the camera which is already built into your smartphone.
---
DRM is like antifreeze, to the MPAA/RIAA it's sweet, to the consumers it's poison.