Evaluating the Products in *privacy not included

Understanding privacy in today’s world of connected devices and the Internet of Things — especially the risks and implications to you personally — can be difficult. How will your data be used by the company? What options do you have around what they collect or how long they keep your information? It can be very unclear.

For this guide, I evaluated each product, its app, and its privacy policy, if available. (Not having a privacy policy at all is a pretty big red flag in and of itself.) As a starting point for my analysis, I used the criteria labeled “well understood with a developed testing approach in place” set forth by the Digital Standard created by Consumer Reports and its partners, and the Fair Information Practice Principles (FIPPs).

Product Selection

Our *privacy not included guide is not a comprehensive evaluation of all of the connected devices available for purchase, but rather serves as a sampling of the general categories of items available. The products in this guide were selected due to their inclusion in the Target Open House. I visited the Open House in San Francisco (July 2017, Sept. 2017) to view the products and their apps. A couple of products were added to the guide due to their popularity or ubiquity, such as the game systems, Hello Barbie, and a couple of the Home Hubs.

Methodology

Reviews were conducted of of each products via a variety of methods, including the following:

• A visual inspection of the device and its corresponding app at the Target Open House (if available).
• A review of the first run/install experience of the iOS app downloaded in Oct. 2017 onto my iPhone.
• A review of the app permissions for the Android version of the app in the Google Play Store. (The Google Play store allows you to view the permissions or capabilities that are used by each app. The Apple App store does not list permissions, and we did not look for differences between the versions of the app available on Google vs. Apple.)
• A review of each app’s or company’s privacy policy, the product website, videos, and FAQs.

I evaluated all the products and their apps based on three criteria:

1. Can it spy on me? Does the device or the app have the potential to spy on people — using the camera, microphone, or by tracking location — at some point if something went wrong?
2. What does it know about me? Data is the currency of the connected world. Yet most products don’t make it clear what data is being collected and how that data is used.
3. What could happen if something went wrong? This is just an example of what could happen to help people consider the dangers as they are making their own decision to buy a product.

Can it spy on me

Connected “things” are complicated. Having a product or company request data or access certain permissions does not implicitly make it good or bad, but rather, each individual should consider if that data use provides you with any value. For these products, you’ll need to think about the functionality of the actual physical device, along with the app that needs to be downloaded so that you can use your product.

For this category, we reviewed the permissions required by each app, privacy policies, product websites and FAQs, and product videos. If the device or the app required access to the camera, microphone, or GPS location information, a “Yes” was marked in the corresponding category. (Note: many apps access “approximate” or “network” based location. “Can it track me” was only marked as “Yes” if an app requests GPS (or precise) location permission.)

For example:

The MOCACuff is a connected blood pressure monitor. It’s app is MOCACare. The MOCACare app accesses the following permissions:

Location

• approximate location (network-based)
• precise location (GPS and network-based)

Camera

• take pictures and videos

Microphone

• record audio

The actual cuff itself does not have a camera or microphone, but since its app accesses GPS, the camera, and the microphone on the phone, those categories are marked “Yes” in our guide.

What does it know about me?

When purchasing a product, it’s almost impossible to know if it requires you to create a new online account, permanent Internet access, or even if it will be sending data all the time, even if you aren’t using it. We selected the categories below based on what we could easily find out without having to set up sophisticated network analysis tools.

Does the app require me to create an account?

The iOS version of each product’s app was downloaded to evaluate whether or not a user needed to create an account to use the product.
Note: While some items have functionality on their own (e.g. the Adidas miCoach Smart Soccer Ball), we included a review of the product app because it is required to utilize the full functionality of the product.

Does it have privacy controls?

This question was answered based on a review of the product apps at the Target Open House. I looked through all of the menu items in each app, and if an app had any options related to privacy, data transmission, or data deletion, it received a “Yes” for this category.

Can I delete my data by contacting the company?

Any privacy policy that mentioned the ability to delete data (no matter how difficult the procedure) earned a “Yes.”

Does the company share data with a third party for unexpected reasons?

Any privacy policy that mentioned sharing data with 3rd party analytics services or ad networks earned an “Advertising” rating in the “Does the company share data with a third party for unexpected reasons” question.

What could happen if something went wrong?

We included this section to help people understand risk scenarios related to their privacy and each particular product. We aimed to identify risks that would feel relevant to consumers, and we avoided anything that felt sensational or, at the other end of the spectrum, dismissive of valid concerns. Understanding that scope is very difficult, especially when you are trying to weigh the value or benefit of the product.