If you want to give the gift of privacy this holiday season, you may want to check out the 2022 edition of Mozilla’s Privacy Not Included buyer’s guide, released Wednesday. The annual guide contains privacy reviews of more than 75 popular consumer electronics gifts and will be continuously updated throughout the giving season.
Among the potential gifts in the guide thus far are the Apple Watch, Nintendo Switch, Amazon Echo, Garmin fitness trackers, Google Chromecast, Steam Deck, and the Meta Quest Pro.
According to Mozilla researchers, the Meta Quest Pro can be particularly challenging for privacy seekers. To get the full scoop on privacy for the gadget, a buyer would need to open at least 14 browser tabs to make sense of privacy documents totaling 37,700 words — which is about 6,747 words longer than Dickens’ “A Christmas Carol” and a lot less interesting to read.
“[T]he question comes down to, does Meta/Facebook have your best interests at heart when it collects all the data the Quest Pro is capable of collecting?” Mozilla asks in its guide. “From Cambridge Analytica to where we are today with Mark Zuckerberg’s hopes for the metaverse, the answer to that question is a resounding NO.”
Meta isn’t alone in formulating prolix privacy policies. The researchers noted that products like the Amazon Echo Dot and the Google Pixel Watch also come with multiple privacy policies for the hardware, apps, and companies they share data with.
“It feels like a Rube Goldberg experiment trying to navigate the privacy documentation companies throw at consumers,” lead researcher for the guide Jen Caltrider said in a statement.
“If I’m struggling to understand this as a privacy researcher, consumers are far worse off. That’s not right,” she added.
Caveats and Hairsplitting
The purpose of privacy policies is to inform users on how their information will be used and for what purposes so they can make informed decisions, asserted Javvad Malik, security awareness advocate at KnowBe4, a security awareness training provider in Clearwater, Fla.
“When policies are so complex and prohibitive to read, the majority of people will simply click through in order to use the app or service they need,” Malik told TechNewsWorld. “This puts them at risk as they may be consenting to having their information used in ways they are not aware of or comfortable with.”
“Complex privacy policies make it more difficult than necessary for end users to fully grasp the privacy they should expect from a company and their rights as a user,” added Paul Bischoff, privacy advocate at Comparitech, a reviews, advice, and information website for consumer security products.
However, Daniel Castro, vice president of the Information Technology & Innovation Foundation, a research and public policy organization in Washington, D.C., pointed out that privacy policies are often complex because digital products and services are complex.
Moreover, he continued, the companies making these products face regulators not only in 50 states but all over the world. “Given the enormous penalties these companies can face for any errors or omissions, it is not surprising that the lawyers have taken over writing these terms,” Castro told TechNewsWorld.
“Many of these privacy policies are often ‘for lawyers, by lawyers’ instead of for consumers,” he said. “These companies are not trying to deceive consumers — they are trying to avoid fines. But if they oversimplify or generalize, they will be hit with penalties like the nearly $400 million Google settlement.”
Save the Jargon for the TOS
Malik countered that while privacy policies are important to legally protect organizations that use customer data, they should be done in a transparent and easy-to-understand manner so that people can make the decisions that are right for them.
“While complex policies may provide some protection from litigation, they can open up a whole new set of challenges for organizations if they are found to be deliberately obscuring how they operate from customers,” he said.
Because tech companies are so concerned about privacy-related litigation with their products or services, they are inclined to write complex privacy documents that often protect their own interests at the expense of the consumer, added Mark N. Vena, president and principal analyst at SmartTech Research in San Jose, Calif.
“Tech companies should be required to write more simplistic privacy documents that consumers can understand,” Vena told TechNewsWorld. “Apple, in particular, is very good about this in their privacy policies which are often written in easy-to-understand language.”
“Privacy policies should be simple and human-readable. Save the legal jargon for the terms of service,” added Bischoff.
Too Many Connections
The Mozilla researchers noted that putting together their privacy guide has become harder than ever due to the increase in connected devices on the market.
“We’re living through an unprecedented explosion of connected products,” researcher Misha Rykov said in a statement. “There are now children’s toys, litter boxes, sunglasses, and vacuums that connect to the internet — and then scoop up and share precious personal information.”
What many consumers don’t realize is that every connection from a device to the internet opens an entry point into their homes, Caltrider noted. “Couple that with the apps you need to control these devices — apps that control microphones and cameras and can access contacts and location information — and it raises a lot of questions about privacy,” she told TechNewsWorld.
“If you tried to read the privacy policies of everything you bring into your house, it’s almost impossible,” she added. “I do this for a living, and it makes my head spin trying to understand the vast networks of privacy policies of Amazon, Meta, or Verizon.”
For people who want to protect their privacy and not read privacy policies, there are measures they can take, although they often require trade-offs.
“It’s possible to prevent unwanted tracking by disabling Wi-Fi connections on devices that don’t require it for core functionality, such as a smart TV,” explained Chris Clements, vice president of solutions architecture at Cerberus Sentinel, a cybersecurity consulting and penetration testing company in Scottsdale, Ariz.
“Not connecting the TV to the network can prevent the manufacturer from collecting tracking data or from injecting ads into the interface, but the trade-off is you might not get any firmware updates that may introduce additional features or fix known issues,” Clements told TechNewsWorld.
“Consumers should be especially wary of cheap no-name devices equipped with microphones or cameras,” he warned. “There have been numerous instances of manufacturers recording and sending all sensor data back to foreign servers without the user’s consent or knowledge.”
He acknowledged, however, that in practice, it can be challenging to thoroughly understand the privacy implications for any given product. “There are simply too many legal loopholes that can be built into complex privacy agreements, as well as few good ways for the average person to confirm whether the manufacturer is living up to their end of the agreement,” he said.