Overview
‘Tis the season to spend lavishly on gifts for friends and family, and no doubt many of the year’s hottest purchases will include so-called “smart” devices or ‘internet of things”-enabled products including toys, drones, robots, wearables, fitness trackers, gaming systems, smart everything (home gadgets, TVs, watches, pet feeders, thermostats, crock pots, headphones) and the like.
While connected devices offer many benefits to consumers, the downside of these internet of things (IoT) purchases is that many such devices carry security vulnerabilities. Even as they collect and analyze tremendous amounts of consumer data (and personal information), connected devices have traditionally had notoriously lax security standards, possessing wide open default settings, limited to no security protocols or secure update mechanisms, non-universal IoT security standards, weak, easily guessable, or hard-coded passwords and un-patchable firmware/operating systems and software.
Vendors of smart devices sometimes fail to adequately harden their physical devices or deploy encryption when uploading data collected from users to the cloud/Internet, leaving the products vulnerable to malware and other hacker attacks. Adequate security remains an afterthought for some IoT manufacturers.
Of course not all smart devices pose the same level of security risks, and savvy consumers would do well to perform due diligence before purchasing any such products. In addition to reading privacy policies and consumer guides, “smart” purchasers may take advantage of the analysis of concerned third parties, including the not-for-profit Mozilla Foundation, creator of the Firefox browser whose mandate includes leading the open source Mozilla project and fuelling a “healthy open Internet.”
On November 20, 2019 Mozilla issued its third annual *privacy not included buyer’s guide "to help consumers shop smart — and safe — for products that connect to the Internet.” In collaboration with Consumers International and the Internet Society, Mozilla has developed five minimum security guidelines that companies making connected devices should be expected to satisfy before their products are sold to consumers. These minimum standards are:
Encryption: The connected product must use encryption in transit and at rest for all of its network communications functions and capabilities, to ensure that all communications are not eavesdropped or modified in transit. The product must also use encryption at rest (where applicable) to ensure that customer data is protected in storage. User data should be encrypted when it is stored.
Security updates: The connected product must support automatic updates for a reasonable period after sale, and be enabled by default, to ensure that when a vulnerability is known the vendor can make security updates available for consumers; these are verified using a form of cryptography and then installed seamlessly. Updates must not make the product unavailable for an extended period.
Strong passwords: If the connected product uses passwords for remote authentication it must require that strong passwords are used meeting password strength requirements. Any non-unique default passwords must also be reset as part of the device’s initial setup in order to help protect the device from vulnerability to guessable password attacks, which could result in a compromised device.
Vulnerability management: The vendor must also have a system in place to manage vulnerabilities in the connected product. This system must also include a point of contact for reporting vulnerabilities or an equivalent bug bounty program, to ensure that vendors are actively managing vulnerabilities throughout the product’s lifecycle; and
Privacy Practices: Given that connected devices typically collect vast amounts of personal information/data that may be used for secondary purposes by the manufacturer/seller, the connected product must have privacy information (a privacy policy and/or a privacy page) that specifically applies to the device, app or service that Mozilla is evaluating, not just a generic privacy policy that is written to cover the company’s web properties.
Mozilla also reviewed each vendor’s privacy documentation, including its privacy policies, privacy pages, FAQs, etc. in order to determine (1) how data collected by the vendor is shared with third parties (i.e. to data brokers that will resell it for targeted advertising or for other commercial purposes, including aggregated, de-identified data); (2) whether or not users could ask the vendor to delete their data; and (3) the user-friendliness/accessibility/readability of the vendor’s privacy information. Where relevant, Mozilla also looked at whether the vendor collected (4) biometric data; and (5) whether parental controls are in place.
In addition to rating and identifying which connected devices meet their minimum security standards, whether the IoT device can snoop on users, and how it handles privacy, Mozilla (amusingly) included in its Guide a so-called Creep-O-Meter, complete with an interactive emoji that allows consumers to identify, rate and provide feedback on which products feel “a bit creepy,” and vote on whether they would be likely to buy them (the scale ranges from “not creepy” to “super creepy”).
This year Mozilla evaluated a total of 76 connected products that encompassed six distinct categories — Toys & Games, Smart Home, Entertainment, Wearables, Health & Exercise, and Pets — against the security and privacy requirements and considerations described above.
Significantly, not all of the reviewed products passed Mozilla’s critical scrutiny. Some products lost points because of their “snooping” capabilities (i.e., consumers could be spied on either through a microphone, camera, or via location tracking), or because it was impossible to confirm whether the vendors would actually delete users’ data if requested.
Other companies suffered from murky privacy and security policies, seemingly failed to deploy encryption, and sell devices that remain vulnerable to intrusion. For example, one smart cat litter-box manufacturer does not have any privacy policy despite the fact that its Bluetooth-enabled product connects to WiFi and continually allows customers to monitor their cat's health, product performance, maintenance and litter-box usage by means of a smartphone app.
On the plus side, in a NPR interview on December 2nd, Ashley Boyd, vice-president of advocacy and engagement for the Mozilla Foundation, confirmed that the basic security of these connected devices is steadily improving as last year, only about a half of the products reviewed met Mozilla’s minimum security guidelines, whereas “this year it's up to about 75%.”
Since publication of the Guide, some companies whose products or privacy/security practices failed to pass have publicly quibbled with their ratings (and in at least one instance following the provision of additional information persuaded Mozilla to improve them), while others have stayed (ominously) silent.
While not perfect, the Guide nonetheless offers considerable useful information, reminding potential purchasers that even some very popular connected devices are still failing to meet arguably reasonable minimum security and privacy standards. The Guide most certainly can assist those consumers that prefer to buy products from companies that seemingly value privacy and security.
Happy shopping, and I wish you all a joyous (and secure) holiday season!
This article was originally published in Canadian Lawyer magazine.