
Creepy gifts: Toys that spy on kids and coffee makers that track your habits

Some holiday gifts are more festive than others, while those that snoop on their users could be seen as decidedly less so.

So says the Mozilla Foundation, the nonprofit behind the Firefox browser, which recently posted its annual "privacy not included" holiday gift guide to highlight potential security and privacy concerns on a slew of internet-connected products.

Take, for example, a smart coffee maker that Mozilla says is capable of eavesdropping, or a fitness tracker that measures the tone of its user's voice while requesting scantily clad photos. Both are among the 37 connected products branded with a "privacy not included" warning label of the 136 reviewed by the group.

"In the four years we've published the guide, companies have gotten the message that consumers really care about privacy," Ashley Boyd, Mozilla's vice president of advocacy and engagement, told CBS MoneyWatch.

The guide identifies products that fall short of Mozilla's minimum security standards, which include encryption, automatic security updates, strong passwords, a system to manage vulnerabilities and an accessible privacy policy. It also notes which products use artificial intelligence to make decisions about consumers, which Boyd said people should be aware is happening.

Following are some internet-connected products that Mozilla says could threaten people's privacy, as well as company responses to the group's specific privacy concerns and criticisms.

Hamilton Beach smart coffee maker

The WiFi coffee maker, which is integrated with Amazon's Alexa assistant, will start brewing cups of java when given a vocal command. Less clear is whether users can delete their personal data, or even how the number of cups of joe one drinks might be worth tracking by marketers.

"We had a hard time even finding a privacy policy for them at all," according to Mozilla. The product also doesn't meet Mozilla's baseline security standards, "which is surprising from a big company like Hamilton," according to Boyd. 

Hamilton Beach does not "collect personally identifiable information through the Alexa enabled coffee maker," emailed a spokesperson for the company, which listed consumer names, addresses and phone numbers as among the data it does not compile. "Since we do not collect this information, we cannot offer to delete it." 

Further, Hamilton refuted Mozilla's contention regarding its privacy policy, stating each "consumer must read it during set up and it remains available through the settings in the app." 


KidKraft Amazon 2-in-1 kitchen and market

Made for youngsters as young as 3, the $300 wood kitchen-and-market set comes with self-checkout, a working smart scanner, fridge, freezer and smart faucet. Buyers can also add an Alexa smart speaker (sold separately), along with RFID sensors.

Amazon states that Alexa doesn't promote products, content or services to kids or collect information about children. That may be true, but Mozilla expressed concern that Amazon doesn't explicitly state that as part of its policies. The group also couldn't confirm whether the KidKraft product met its minimum security standards. 

Amazon took issue with Mozilla's concerns, saying parents have control over enabling Alexa, and can "review and delete voice recordings associated with their account at any time through the Alexa app or through the Alexa privacy hub," a spokesperson said in an email.

KidKraft also weighed in. "The goal behind this product is to make the experience with Alexa as robust as possible, while keeping the child's safety in mind by limiting the ability to search the internet or outside sources using Alexa. Not only is the Alexa 2-in-1 Kitchen & Market Alexa skill child-directed (meaning a parent needs to approve and enable it), but it also follows strict content guidelines set by Amazon which are different than regular skills," Susan Russo, KidKraft's vice president, brand & product marketing, stated.

KidKraft Amazon Alexa Enabled 2-in-1 Kitchen & Market. Amazon.com

Ubtech Jimu Robot kits

The programmable robots come in all shapes and sizes, including a Unicornbot with light-up horn. As cool as the robots look, red flags around them include an app that accesses its camera and microphone and tracks a user's location, as well as a privacy policy that applies only to the website and not to the Jimu device or app.

"If your child is playing with the Unicornbot and the camera is on and records the kid playing, we have no idea how Ubtech handles these recordings," Mozilla stated.

Ubtech did not respond to a request for comment.

JIMU Robot: MeeBot Kit. Ubtech

Amazon Halo

A fitness band packed with sensors and microphones to track steps, heart rate, sleep, calories and more, the Amazon Halo listens to you and uses machine learning to measure the tone, energy and positivity of your voice to "help strengthen communication." It also asks for photos of you in your skivvies to assess your body fat, according to Mozilla. 

Amazon says the photos are automatically deleted from the cloud after they are processed. But given the general lack of security for personal data on the web, "giving Amazon a picture of yourself in your underwear sounds like a truly terrible idea," according to the guide. Added Boyd: "We were particularly alarmed by this one."  

Amazon's response to Mozilla's concerns was lengthy: "Privacy is foundational to how we designed and built Amazon Halo. Tone is an opt-in feature. The mics on Halo Band are off and remain off until and unless a customer chooses to opt-in to use Tone. If a customer opts-in, the mics can easily be turned off any time simply by pressing the button on the band. If a customer opts-in, Tone speech samples are processed locally on the customer's phone and deleted automatically after processing, so they never go to the cloud and no one ever hears them. Body scan images are processed in the secure Amazon cloud and automatically deleted, so no one but the customer ever sees them. Amazon Halo health data is not used for marketing, product recommendations or advertising. We do not sell customers' Amazon Halo health data."


Dogness iPet smart robot

A roving robot toy for your pet, the Dogness iPet Robot puts a mobile, internet-connected camera and microphone in your house — seemingly without using encryption, according to Mozilla.

"We couldn't determine if the bot meets our minimum security standards, and it appears it doesn't encrypt your data," according to the annual gift guide. "And the only privacy policy we found applied to the website, not the device, so we don't know what data it's collecting on you or how it plans to use that information." 

Dogness did not respond to a request for comment.

Dogness iPet Smart Robot. Best Buy blog

Schlage Sense Smart deadbolt

The smart lock from Schlage uses a Bluetooth connection to unlock your door, meaning you and your phone need to be within about 30 feet of the entrance for it to work. Bluetooth technology has been shown to have some well-known security vulnerabilities, according to Mozilla, which also said Schlage didn't respond to its request for information on how it protects users.

"Schlage may disclose your personal information for marketing purposes, which isn't great but also isn't uncommon," Mozilla added.

A spokesperson for Schlage responded in an email: "Whether using BLE- or WiFi-enabled communication for our Schlage Sense Smart Deadbolt or Schlage Encode Smart Wifi Deadbolt, we've applied additional encryption above and beyond what is standard. We do not sell consumer data to third parties, and our connected products do offer privacy policies to our customers."

The Schlage spokesman also said: "We empower the consumer to choose what to do with the rights to their data. They choose how to use our products: either working with partners and ecosystems via a mesh network or simply by connecting a lock to their home Wi-Fi. If a user authorizes third-party apps to connect to their Schlage Sense or Schlage Encode smart locks, they would then also need to refer to that third party's privacy policy."
