NewsLocal NewsInvestigations


Is your tech gift creepy? Nonprofit's gift guide looks at privacy, security concerns

mozilla privacy.PNG
Posted at 5:44 AM, Dec 21, 2020
and last updated 2020-12-22 15:55:13-05

KANSAS CITY, Mo. — Chances are everyone has a person on their Christmas list who wants a gift with all the jingle bells and whistles.

A recent report by the Consumer Technology Association found that 72% of U.S. adults planned to purchase a tech product as a gift this year.

The options are endless, so it can be difficult to make a decision on the perfect present.

"A lot of the review sites will review for features or reliability, but no one was reviewing for privacy and security," Jen Caltrider, a researcher with the Mozilla Foundation, said, "and we thought, 'Well, that's where we come in.'"

Three years ago Mozilla, a nonprofit, created the *Privacy Not Included gift guide.

Its researchers reviewed more than 130 tech products to determine their levels of creepiness from privacy and security perspectives.

To reach its conclusions, Mozilla staff asked questions like:

  • Does the product have a privacy policy?
  • Is data encrypted?
  • Is a strong password required?
  • What's the company's track record for protecting data?

If red flags were spotted, Mozilla marked those products with a "Privacy Not Included" warning label.

It was a label given to UBTECH JIMU Robot Kits for children.

Mozilla points out the app used to control the bots accesses the camera, microphone and tracks location. Researchers said they found no privacy policy to govern all the data being collected on the app.

UBTECH did not initially respond to questions from the 41 Action News I-Team. However, after the story aired, a company spokesperson reached out and shared that the app does have a privacy policy that has been updated as of April 2020.

According to that privacy policy, UBTECH does not sell personal data to third parties. User consent is required for personal data to be shared with third-party service providers.

The makers of Wickedbone, an interactive toy for dogs, did not respond to the 41 Action News I-Team's inquiry about that product's placement on the list.

Mozilla researchers said the product doesn't appear to have a way to manage security vulnerabilities. Also, they raised concerns about the app for the bone requiring GPS location data.

For Caltrider, the gift on the list that stood out most was Amazon's Halo fitness tracker.

It has a microphone that can track your voice during the day and analyze it for energy and positivity.

To calculate body fat composition, the Halo asks users to upload photos in minimal, tight-fitting clothing.

"I don't know about you all, but I don't want to give Amazon pictures of myself in my underwear," Caltrider said.

The images, according to Amazon, are processed in its cloud and automatically deleted.

Also, data is encrypted both in transit and at rest.

"Privacy is foundational to how we designed and built Amazon Halo," an Amazon spokesperson said. "Body and Tone are both options features that are not required to use the product. Amazon does not have access to Body scan images or Tone speech samples. We do not use Amazon Halo health data for marketing, product recommendations or advertising, and we do not sell customers' data."

Several other Amazon products were marked with the *Privacy Not Included label, including the KidKraft Amazon Alexa-Enabled 2-in-1 Kitchen & Market.

When paired with an Amazon Echo device, the kitchen and market offers interactive play for children through the KidKraft skill. Amazon skills are like apps for Alexa.

"Plop an Alexa smart speaker in the middle of the kitchen and that, along with a bunch of RFID sensors, will play with your kids," the Mozilla guide states.

Researchers pointed out the Amazon skill store does not require links to a privacy policy, so they were unable to determine what data is collected or how voice interactions might be used.

Amazon said kid skills cannot collect personal information. The company's policies also require developers of skills that do collect personal information to provide privacy policies, which are displayed on the skill's detail page.

"Child-directed skills must not include any advertising, collect any personal information or include content not suitable for all ages," an Amazon spokesperson wrote. "Parents can review and delete voice recordings associated with their account at any time through the Alexa app or through the Alexa Privacy Hub."

Overall, Caltrider said she hopes the guide will prompt shoppers to do their research and ask more questions before adding items to their carts.

"What we want is less to have consumers be afraid and more to have consumers make smart decisions when they're buying and buy from a company that's putting an emphasis on privacy versus one that's sucking up as much data as they can to sell and market and make money off of you," she said.

Editor's note: This story was updated with a response from UBTECH, which reached out with comment after the piece was published.