
Mozilla’s holiday device list is a welcome signal for IoT

Mozilla every year asks readers how creepy they find a range of devices and how likely they are to buy them. Here are the results for the Ring Video Doorbell, which was rated as “very creepy.” Screenshot taken 11/21/2019.

Mozilla’s annual list of connected consumer devices that have poor security practices or the potential to royally invade your privacy is out, and this time I’m fully on board with the way the organization has designed its study. Based on user feedback, the list drops devices into five broad categories, ranging from “not creepy” to “super creepy,” depending on both their security features and the types of information they can access.

In the “not creepy” category, you will find devices such as the Ecobee Thermostat and the Whistle Pet Tracker, while in the “super creepy” category you’ll find the camera-enabled smart displays from Google and Amazon. In the middle, there are devices such as the Apple AirPods, which have the potential to listen in but whose maker has good security practices. With the middle tranche of devices, the concern is that if someone hacked into them, they could listen in on your conversations or your ambient environment.

I like this framing. For each device, Mozilla has a five-point security checklist: the strength of its encryption, how it handles over-the-air security updates, whether or not it requires a strong password, how the company handles vulnerabilities, and the strength of its privacy policy. Mozilla wants to see products that provide encryption when data is in motion and at rest. It also likes companies that have bug bounty programs and patching plans, and it really wants to see easily understood privacy policies.

I’ve been calling for those five items as a minimum standard for years, and have been actively asking companies about all of them whenever I try out and/or review products. Having more organizations like Mozilla asking is clearly having an impact, because in the last year or so I’ve noticed that when I interview device makers, they can easily speak to these issues, as opposed to before, when they could not. I’d like to think they then go back to their teams and say that those security features are important, because of projects like Mozilla’s and questions like mine.

The second aspect of Mozilla’s list is a focus on the potential harms that could result from a device based on its features, its data-sharing policies, and its history with security. A device that tracks your location but doesn’t have a microphone or camera may be considered low-risk, for example. And because the list highlights how a company uses the data its devices collect, consumers can get a feel for what companies can figure out about them and whether that information is shared. Many of the “somewhat creepy” devices also feature some kind of location tracking or microphone and have data policies that allow others to see anonymized information.

I also like the spectrum Mozilla has created. In past years, it has taken more of a black-and-white stance where if a company broke any of its rules it was added to the Mozilla naughty list. The commentary associated with this list comes closer to the nuanced decision-making that consumers have to do in order to evaluate these products. For example, I have the super creepy Google Nest Max Hub, and while I’m aware of the data that gets gleaned from this device, the convenience it offers me is worth the risk. That said, I unplug it entirely when I’m having a sensitive conversation. And none of my smart speaker/camera devices are in the bedroom or bathroom.

Other people will have different levels of tolerance when it comes to the privacy and security risk these devices pose. For example, an executive at a Fortune 100 corporation might not want to have any cameras in his home office. (To better understand the reasons why, check out the story below.) A soldier deployed to a foreign country, meanwhile, might not want her activity data tracked or shared.

We’re finally getting to a place where people are aware of the risks associated with IoT devices, and companies are doing a better job of explaining them. It’s a sign that the industry is maturing. In the next phase of its maturity, I expect laws around data privacy and device security. But we’ll talk about that next week.

Stacey Higginbotham
