It’s the season to go a little overboard on gift giving. But this year, give the gift of good security (and privacy) and eschew tech that can have untoward risks or repercussions. We’re not talking about things that go boom in the night or abruptly break, but rather the gifts that can have irreversible or ongoing consequences in the future.
This year we’ve seen some of the biggest hacks involving healthcare and genetic data, a growing ubiquity of consumer surveillance tech snooping on unsuspecting everyone and ongoing unscrupulous data practices that sell your private information to anyone who wants to buy it. The best remedy for some of this is to never engage to begin with.
We have a bunch of gift ideas for you to consider. As for what you should avoid…
Genetic testing is forever. Once you spit in a tube and send it on its way, there’s no way of getting it back. And it’s not just your genetics you’re digitizing; you also share your genetics with close family members and relatives. What could possibly go wrong?
This year, the profile and genetic information on millions of 23andMe customers was scraped from the company’s systems, thought to be the biggest spill of genetic data in recent years. But 23andMe is not the first to have data spilled, nor will it be the last.
Even if security weren’t a concern, the fact that these companies store huge troves of highly sensitive information to begin with makes it an attractive target for law enforcement trying to solve crimes. And while companies like 23andMe and Ancestry have — so far, we emphasize — resisted efforts by law enforcement to access its DNA data per their transparency reports, other companies have taken a laissez-faire approach to police access to the genetic data they store.
404 Media’s Jason Koebler couldn’t have said it any better: “Doing 23andMe is an unretractable action that could have unforeseen ramifications not just for yourself but for your family or your possible offspring.”
You might see some utility in seeing who is at the front door before you get there, but the long-term consequences of having a video camera attached to your front door opens up a world of surveillance in your neighborhood that you — and your neighbors — might not feel comfortable with.
Video doorbells record everything they see and hear using their camera and microphone, which then beams recorded footage to the cloud for your later perusal. But that often makes that footage also obtainable by law enforcement, which can be hugely invasive — especially if police obtain footage from inside a home without the owner’s permission.
End-to-end encrypted (E2EE) cameras retain the most privacy (assuming that the company you’ve bought cameras from isn’t lying to you about their encryption claims) because they prevent anyone other than the owner from accessing their own footage, including the companies themselves. That’s a good thing, especially since companies like Ring have been fined in the past for allowing their employees to snoop on customers’ unencrypted videos. After Ring settled charges with federal regulators, Ring now says its staff will only access customer footage in “very limited circumstances,” which, of course, Ring has not specified what those circumstances will be.
If you thought a VPN, or virtual private network, will keep you anonymous on the internet, think again.
Consumer-facing VPNs can claim to hide your IP address (the set of numbers that identifies you to other devices on the internet) and allow you to access otherwise-blocked streaming shows by “appearing” as though you’re in that region. In reality, VPN providers are bad for your privacy and you should avoid them like the plague.
VPNs allow you to funnel all of your internet traffic away from your internet provider and instead through a VPN provider that ostensibly masks your privacy. Your internet traffic can contain information about which websites you visit, and when, and can contain highly sensitive information like passwords and other credentials. But some VPN providers don’t even encrypt the users’ data as it flows over their network, despite claims that they do.
VPN providers need to make money like everyone else. Free VPN providers are by far the worst offenders, since they make money by selling or sharing your internet traffic to advertisers (or other nefarious buyers). Even premium and paid-for services can’t promise anonymity if you’re paying by credit card or otherwise traceable means.
If you want online anonymity, you’ll want to use the Tor Browser. It’s a slower experience than the typical public internet and it’s not ideal for streaming videos, but it’s the compromise you make for the strongest privacy. Otherwise, VPNs run the risk of selling or otherwise spilling your highly sensitive internet traffic. And if a VPN makes sense for your use case, at least consider setting up a VPN that you run yourself.
Anyone can appreciate the stress and fears of having kids in an age of stranger-danger and online harms. It’s no wonder that many parents want to keep track of their kids’ phone location. But kid-tracking apps are a hot mess for security and privacy, and the data these apps collect seldom stays on the device.
Location data is some of the most sensitive data belonging to a person; location apps can determine where someone was at a particular time, which can be highly revealing and invasive. Yet, over the years we have reported on leaky location sharing apps that expose people’s real-time location data, and nefarious and buggy “stalkerware” apps that spill information to anyone on the internet. Even one of the better-known family tracking apps, Life360, was caught selling the precise location data of its users to data brokers.
There’s no reason why you shouldn’t discuss the benefits and pitfalls of tracking your kids with your kids. Trust is key, not stealthy tracking. If your kids agree to sharing their location, consider using the family and parental control apps built into most modern phones. Google also has Family Link, and Apple devices let you share your end-to-end encrypted location with other Apple users so that nobody else can access it.
Cheaper (often) isn’t better and Android devices are no exception. Case in point: This year, EFF’s Alexis Hancock found that a low-cost Android tablet given to her daughter landed preloaded with software considered malware. The tablet was also running Android software released five years ago, and had an app store designed for kids that was also out-of-date. Hancock contacted the company that makes the tablet, but never heard back.
As tempting as it can be to buy the cheaper devices, it’s not uncommon for manufacturers to include software for monetary kickbacks to offset the price of the device itself. Sometimes that preloaded software can send back data about the device or its user, or worse, have security bugs that could put the device’s data at risk.
Before you throw out that knock-off tablet, it might be salvageable. Hancock has a great guide on how you can secure your kid’s Android device.
Lastly, but certainly not least. There’s a general belief in cybersecurity that any device or gadget that you add an internet connection to will vastly increase the chances of that device being remotely hacked, compromised or tampered with. One kind of device that should never have an internet connection is anything that goes inside of you.
We’ve seen our fair share of horror stories involving internet-connected sex toys. In 2020, we reported on a smart chastity lock with a security bug that risked permanent lock-in. And this year, another smart sex-toy maker exposed the user and location data of its customers thanks to its leaky servers, which the company has yet to fix.
If your sex toy has a phone app, there’s a good chance the toy (or the app itself) could leak your personal data, either accidentally or by way of sharing data with advertisers. It’s fine to be kinky, no judgment here! But if you absolutely must use a remotely controlled sex toy, consider a device with a Bluetooth remote only, as this reduces the wireless range in which someone could maliciously intervene.