Wednesday, 27 November 2019

Mozilla updates its "Privacy Not Included" gift guide for 2019

As with last year, the Mozilla Foundation's privacy researchers have produced a guide to electronic gifts called "Privacy Not Included," which rates gadgets on a "creepiness" scale, with devices like the Sonos One SL dumb "smart speaker" (Sonos ripped out all the junk that isn't about playing music) getting top marks, and Ring Security Cams, Nest Cams, Amazon Echos, and other cam/mic-equipped gadgets coming in as "Super Creepy!" (the exclamation point is part of the rating).

These rankings are purely about privacy, so there's plenty of stuff that's extremely proprietary and hooked into app stores and other ecosystems that allow the manufacturers to control how you use your property after you buy it, as well as giving them the ability to censor the kinds of information you can receive. Many of these devices also contain copyright locks (DRM) and onerous terms of service that would make it a potential felony to have them independently repaired, so the manufacturer gets to decide what can and can't be fixed, and can unilaterally declare that it's time for your device to become e-waste in some distant landfill. Apple is notorious for this: they led the charge that killed 20 state-level Right to Repair bills last year, and CEO Tim Cook started 2019 with an investor call last January warning that Apple was facing a crisis because people were not replacing their devices as often as they used to, opting instead to repair them.

And this kind of thing also matters for privacy! If not for the independent repair sector, we'd have never found out that Google had made a "smart speaker" with a secret, hidden microphone, so if you were relying on the manufacturer's specifications to evaluate the privacy dimension of a product, you could land in trouble. Likewise DRM: because security researchers face felony prosecution and massive civil liability if they reveal information that weakens a DRM system, devices with DRM (to ensure that you only use approved apps, parts or consumables) are less likely to be independently audited, and when they are, there's a greater likelihood that the researchers will delay or bury their assessments. That means that security defects in DRM-equipped devices (many of which get top marks on privacy) can fester for longer and do more damage before coming to light.

Sonos did something interesting this year. They took their Sonos One smart speaker and made it dumb. Seems there is a market for privacy-minded people who just want a speaker for playing music, not with a built-in microphone that could be spying on you. This Sonos One SL is just like the Sonos One minus the microphone listening for Amazon Alexa or Google Assistant commands. Control it with the Sonos app over WiFi, not Bluetooth, or use Apple AirPlay to stream your music. To think, a speaker simply built to play music and not listen to you all day long. Crazy!

Privacy Not Included [Mozilla]