There are billions of Internet of Things (IoT) devices out there in the world and this number will only grow. I’ve written before about smart light bulbs and smart security cameras and it’s no secret that I am fascinated by IoT technology. When I came across the Mozilla *privacy not included guide, I knew I had to share this website.

The guide includes several “smart” products for home and office and provides brief summaries of any relevant and available information related to the privacy of a particular product. The purpose of the guide is to share information regarding the privacy and data collection practices for the 136 smart products listed on the website. Clicking on a particular product on the website will provide a summary of the product’s data collection and privacy policies. Users are also able to rate products along a “creepiness” scale.

The standards that the guide uses include: whether a product uses encryption, provides automatic security updates, requires strong passwords, has a system to manage vulnerabilities, and has an accessible privacy policy. According to the website, a new feature of the guide includes warning labels on certain products that consumers should “think twice about before buying.” Items marked with a yellow triangle icon with an exclamation point include the following: “warning: *privacy not included with this product.” The website includes additional information and answers questions about whether a product can snoop on you, whether an email address is required to sign up, and what personal data the device collects; all important things to know before you connect that smart product that you may be buying.

Holiday shopping is in full gear and everything seems to be an Internet of Things (IoT) device. It continues to amaze me how folks will buy IoT gadgets and plop them in their homes and have no idea that they include a speaker or camera, recording every move and word, or that they pose a security risk to the family. 

And don’t just take my word for it. Two warnings were issued this week that you should pay attention to—one from the Federal Bureau of Investigation (FBI) and one from the Federal Trade Commission (FTC)—both agencies that seek to protect consumers.

The FBI issued a warning on “drive-by hacking” of IoT devices, stating that “hackers can use those innocent devices to do a virtual drive-by of your digital life.” This happens when consumers don’t secure the devices when they set them up in their homes. According to the FBI, “Unsecured devices can allow hackers a path into your router, giving the bad guy access to everything else on your home network that you thought was secure. Are private pictures and passwords safely stored on your computer? Don’t be so sure.”

According to the FBI, when people set up IoT devices in their home or download the app from the manufacturer to set up the device, they click through all the set-up screens, giving the app permissions, but then fail to secure the device. In the excitement of getting the new gadget up and running, security is forgotten, and data are being sent and received through the device without protecting the data. Hackers know how excited we are with new toys, and take advantage of the excitement by hacking into our lives. Security experts are urging individuals to:

  • Change default passwords on all new devices.
  • Check permissions granted with the mobile apps of these devices to see if they are operating in the background, and limit access to location or other unnecessary access.
  • Apply auto-updates when you can so they use the latest firmware.
  • Keep a list of devices connected to your Wi-Fi and disconnect devices you don’t use or don’t need.
  • Separate IoT devices on your home network. According to the FBI, “your fridge and your laptop should not be on the same network—keep private, sensitive data on a separate system from your other IoT devices.”
  • Review and follow the Department of Homeland Security’s “Securing the Internet of Things” advisory notice.

The FTC also issued a consumer alert this week, “What to ask before buying internet-connected toys,” urging consumers to understand the smart toy’s features before purchasing it. This warning includes:

  • Does the toy come with a camera or microphone? What will it be recording, and will you know when the camera or microphone is on?
  • Does the toy let your child send emails or connect to social media accounts?
  • Can parents control the toy and be involved in its setup and management? What controls and options does it have? What are the default settings?

When evaluating a new IoT toy, determine what information about your child the toy collects while your child is playing with it. Where are voice recordings and photographs stored and transmitted, and who has access to the recordings and photographs? Is there a way to access and delete that information?

Parents may wish to consider these questions when evaluating a new toy for children, and whether the coolest new toy is worth the transmission of a child’s biometric information to unknown individuals without their or the child’s consent. Consider whether your child will be thankful for that toy, and the disclosure of his or her information, including biometric information, when the child reaches the age that he or she can consent for himself or herself. Sometimes the coolest gift isn’t the safest gift.

Mozilla recently announced that it is adding a new security feature to its Firefox Quantum web browser that will alert users when they visit a website that has reported a data breach in the last 12 months.

Although consumers can visit Have I Been Pwned to determine if their email has been compromised, this feature specifically addresses data breaches of websites and not email addresses, which is an important additional piece of information for the privacy and security of personal information.

When a Firefox user lands on a website that has had a breach in its recent past, a pop-up notification informing the user of some basic details of the breach will appear and suggest that the user check to see if their information was compromised.

“We’re bringing this functionality to Firefox users in recognition of the growing interest in these types of privacy- and security-centric features,” Mozilla stated. “This new functionality will gradually roll out to Firefox users over the coming weeks.”

In addition to this new security feature, Mozilla has also rolled out an evaluation of the security of certain popular products for the upcoming holiday shopping season. Called *Privacy Not Included (https://blog.mozilla.org/blog/2018/11/14/your-privacy-centric-holiday-shopping-guide/), the “Your 2018 Privacy Focused Holiday Shopping Guide” is designed to “help you identify which connected devices provide robust privacy and security features — and which ones don’t.”

The guide features “in-depth reviews of 70 products across six categories: Toys & Games; Smart Home; Entertainment; Wearables; Health & Exercise; and Pets” and gives these products badges when the products meet minimum security features. The brands that Mozilla has given badges to include: “Nintendo Switch, Google Home, Harry Potter Kano Coding Kit, Athena Safety Wearable, and the Behmor Brewer Coffee Maker.”

The guide was compiled by asking questions such as “Can this product spy on me?”, “Is it tracking my location?” and “Can I control the data it collects about me?” I would add a question about the microphone and camera features too, but maybe in next year’s guide…

It also includes the Creep-O-Meter, which is “an interactive tool allowing readers to rate how creepy they think a product is using a sliding scale of ‘Super Creepy’ to ‘Not Creepy,’ as well as to share how likely or unlikely they are to buy it.”

It is super interesting and helpful, and worthwhile to check out before you hit the mall or online shopping on Black Friday or Cyber Monday.

The Federal Bureau of Investigation (FBI) issued a warning to parents in the past about the concerns with connected toys. Many parents recently bought the newest gadgets for their kids over the holidays, without realizing the capabilities of these toys to collect, maintain, sell and use personal information. As I chat with people about the cool gifts they gave their kids, it is worth mentioning again the risks associated with connected toys.

Toys are Internet of Things devices just like a smartphone, an alarm system or an oven. All of these computers can access, collect, maintain, sell and use the information they have access to in your home, including your child’s face, voice, conversations and location. Creepy—yes.

Prior to purchasing a smart toy for a child, understand its capabilities, whether it has a microphone, location-based capabilities or a camera, what data it can collect and what it is doing with the data. Do a little research to see if there are any complaints about the toy or the manufacturer of the toy. Check the manufacturer’s privacy policy to see how they are collecting, protecting, disclosing or using your child’s data. Use secure Wi-Fi to connect the toy. If you can create a password on the toy, create and use the password.

Remember that anything connected to the Internet is hackable. Make an educated choice before turning connected devices and toys on in your home. We have pointed out some examples in the past, but technology is advancing and is more sophisticated, so vigilance is warranted. After speaking with one of my friends about smart toys, she did some research and decided that it was not something she wanted her child to play with or that it be in her home at all.

We previously reported about the microphone and video capabilities of Echo technology. The FBI is also concerned about this technology being used in toys that are connected to the Internet.

The FBI is so concerned that yesterday, it issued a Public Service Announcement that warns consumers that Internet-connected toys “could present privacy and contact concerns for children.”

The announcement states “[t]he FBI encourages consumers to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.” The reason is that these toys include sensors, microphones, cameras, data storage, speech recognition and GPS features that can “put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” This raises concerns for the privacy and physical safety of children.

The information disclosed often includes name, date of birth, addresses, pictures, voice messages, recordings of conversations, and past and present locations, which increases the risks of identity fraud and exploitation.

The risk is that the information is primarily stored in the cloud or with third party companies, and if their data security is weak, the data can be accessed by or disclosed to an unauthorized third party (i.e., a hacker or criminal).

The FBI gives consumers a long list of recommendations before using Internet-connected toys, including:

  • Research reported security issues online
  • Only use trusted and secured WiFi
  • Research the toy’s connection security measures (i.e., use passwords and encryption)
  • Confirm that the toy can receive security patches and updates
  • Read the Privacy Policy and other documentation to find out where user data is stored and whether a third party is used for storage
  • Carefully read the disclosures and Privacy Policy to determine what the company will do in the event of a cyber-attack
  • Turn off the microphone, camera and recording capabilities when the toy is not in use
  • Use strong and unique passwords when creating user accounts and only provide the minimum amount of information necessary to create the account.

These recommendations are no different than recommendations for online activity, but people are not viewing Internet-connected toys in the same way as using apps or social media sites. The FBI does not send out consumer alerts about all concerns they see, so when it does, it is a red flag to pay attention to.

Parents need to be educated on these risks so they are aware of the capabilities and implications of the toys they are bringing into their homes and should closely consider following the FBI recommendations.

I don’t own an Echo, and Alexa is not listening to all of the conversations in my home. If that were the case, I would have no credibility in writing weekly Privacy Tips.

Echo has evolved, and now I am told and have read that the newest craze is the Echo Show. (Shocker–I don’t have an Echo Show either.) I am told that an Echo Show does everything Echo did, but now it has a camera and can record, and is recording, video of you and your family whenever you use it. (I have tape over the camera of my laptop and smartphone, so that just wouldn’t work for me.)

If you are into the latest crazes and you have purchased an Echo Show, be aware that it is recording video of you and your family every time it is on, whether you are using it or not.