Americans are expected to spend $3.8 billion on Amazon's Echo Dot, Google's Home and other smart home devices this holiday season. And that figure doesn't include the even wider market of other Internet-connected devices.
But as consumers develop an increasing appetite for the convenience and connectivity attached to these smart devices, cybersecurity experts are warning about the costs that can come with staying plugged in. They caution that many of the companies that make smart devices often carry convoluted privacy policies — if they prioritize user privacy at all.
The Mozilla Foundation, the nonprofit behind the Firefox search browser, is encouraging consumers to consider security and privacy in their purchases as much as performance or price. Mozilla just rolled out its second annual "Privacy Not Included" guide, which now includes reviews for 70 Internet-connected devices.
"Mozilla developed this gift guide to help people make informed decisions about privacy and security this holiday season," Mozilla's vice president of advocacy, Ashley Boyd, tells NPR's Scott Simon.
From baby monitors to drones, the guide invites consumers to score products on a privacy scale that slides from "Not Creepy!" to "Super Creepy!"
"It's not just an issue of being creepy," Boyd says. "There's a real safety concern that we're wanting to address and make folks aware of."
To name one example, some people may not be aware that their location is being shared from their devices. "There are some real significant safety concerns for many populations about revealing location," Boyd says. Domestic abusers, for example, have used spyware and internal GPS to stalk their victims through their smartphones or their data-grabbing apps.
Boyd says there is a growing need for the kind of transparency Mozilla hopes to offer. She said this year's Cambridge Analytica scandal, when up to 87 million Facebook users had their data compromised, was "a good example of people doing one thing online and it turning into something entirely what they did not expect and something entirely different."
That high-profile unmasking of online vulnerabilities has driven more people to examine their digital footprint and seek transparency, she says. "We're seeing people change their behavior online and wanting more information."
Some 55 percent of consumers surveyed by PricewaterhouseCoopers this year consider the Internet of Things and AI devices, including smart homes, a threat to their personal privacy.
In order to meet what Mozilla says should be a set of minimum security standards, products should have safeguards that include encryption, automatic security updates, a strong password requirement, a system to manage vulnerabilities and an accessible privacy policy.
As part of the guide's grading rubric, Mozilla answered questions such as: "Can it spy on me?" and "What does it know about me?" The foundation added two new questions this year: "Can I control it?" and "Does the company show it cares about consumers?"
The FREDI Baby Monitor, for one, doesn't fit Mozilla's security bill. Mozilla couldn't locate a privacy policy for the camera, and according to Mozilla, the product comes with a weak preset password of "123." This brand of baby monitor, in fact, appears to have been hacked before. As NPR's Camila Domonoske previously reported about the baby monitor, "The risk is not just to privacy and peace of mind: A hacker could use a baby monitor to gain access to a home's network to get information off computers, possibly for financial gain."
As demand for consumer security information swells, Boyd hopes companies take note. "Wouldn't it be great if we have something like a nutrition label? What information it collects and what security features it has?" she asks.
"We think that's possible. And we're showing that consumers care about this information. We think companies can do better."
NPR's Sarah Handel and Caitlyn Kim produced and edited this story for broadcast.
Copyright 2021 NPR. To see more, visit https://www.npr.org.