Google, Amazon, Microsoft make the Mozilla naughty list for Christmas shopping

Big Tech's toys have privacy problems. Why not buy utterly unconnected dead-tree books instead?

Mozilla has slapped its "Privacy Not Included" labels on several products from Google, Amazon and Microsoft – just in time for Christmas shopping.

This marks the first time that the Firefox maker has put the warning on Google devices, and it's a depressing sign that tech giants are getting even worse with their data collection and security practices, lead researcher Jen Caltrider told The Register.

This year's report covers more than 100 connected products, which the Mozilla team considered over 1,000-plus hours of testing for privacy, security and related policies.

Spoiler alert: some of the products didn't have any.

"I feel like a broken record, but things just keep getting worse," Caltrider lamented. "Amazon is horrible, and they've never been great, but this year with all the various fines and judgments issued against them, it validated the feelings that we've had in the past."

Microsoft managed to get worse

Past Amazonian privacy indiscretions saw the e-tail giant face allegations that Alexa violated the Children's Online Privacy Protection Act (COPPA) by, among other things, retaining voice recordings of kids under 13 – resulting in a $25 million payment to the US Department of Justice. And who could forget the $30.8 million fine levied by the US Federal Trade Commission for massive IoT security fails after employees at Amazon-owned electro-doorbell outfit Ring and third-party contractors were accused of spying on customers in their bathrooms and bedrooms?

There's a ton of Amazon products on the 2023 list, and all of them earned Mozilla's warning label. The risky gadgets include the Echo Dot smart speaker and Echo Dot Kids edition, the Kindle e-reader, and Kindle for Kids, plus the Fire TV.

There's also the Ring doorbell, which is still vulnerable to Wi-Fi deauthentication attacks, according to Mozilla. Plus, Ring's cozy relationship with law enforcement and warrantless surveillance remain worrisome for data privacy and civil liberties advocates.

"All in all, these security cameras raise too many questions about privacy, transparency, data protection, public safety and racism in our opinion," according to Mozilla's 2023 Ring review.

When asked about the Privacy Not Included warning label, an Amazon spokesperson told The Register that Mozilla's research doesn't paint an accurate picture of the online souk's products and privacy practices.

"Our customers are at the center of everything we do, and we create products that they love," the spokesperson rebutted. "We value our customers' trust in us – we never sell their personal data, and we design our products to protect their privacy and security and to put them in control of their experience. Mozilla's opinions do not accurately represent our products' many privacy and security features and controls."

Google on the naughty list

Google products made Mozilla's list for the first time this year, along with Google-owned Fitbit and Tile trackers.

"Google, in the past, has always walked that line for us," Caltrider explained. "We know they're bad at privacy." But until this year the Chocolate Factory didn't meet Mozilla's criteria to receive the warning label.

"They aren't selling data, they don't have a ton of serious security vulnerabilities, they're actually decent at security because they're trying to protect all that data, they allow people to delete their data," Caltrider added. "So in the past, they've walked right up to that edge, and we've debated a lot whether to give them the warning label."

Google crossed over the edge this year, earning the Privacy Not Included sticker for a couple of reasons.

First, there's the massive amount of personal information that Google collects from Google Assistant voice requests, as well as location tracking, searches, cookies, and app tracking technologies.

The search giant then shares that info with third parties for advertising purposes and allows "specific partners to collect information from your browser or device for advertising and measurement purposes using their own cookies or similar technologies."

In other words: tracking.

The Google privacy policy also now declares that it can "use publicly available information to help train Google's AI models."

"That raises red flags for other researchers like us, because Google doesn't describe what they mean by publicly available information," Caltrider warned. "If I work for a nonprofit, and I put together a list of donors and accidentally make the Google doc public, is that considered publicly available information?"

Plus, Mozilla's team can't tell if anyone is given the option not to let Google to use this data to train its Bard AI.

Do not buy the Angel Watch for your child or vulnerable person in your life

Then, there's the lawsuits against Google for alleged privacy violations. This includes a $93 million settlement with California for reportedly collecting and storing location data after users turned off this feature. Also this year, a judge refused to dismiss a $5 billion lawsuit claiming Google secretly tracked users.

"We design and build our products with strong security and privacy protections, including easy-to-use controls for managing data," a Google spokesperson told The Register. "Mozilla's labeling of our products is largely based on hypothetical scenarios and outdated product policies that we changed years ago."

Plus, not much has changed, AI-wise, we're told. Google says it's been open about using publicly available info to train its AI models for things like Google Translate. The latest policy update just specifies newer services like Bard.

Microsoft data privacy 'gets worse'

Microsoft, which made Moziila's 2022 naughty list, "managed to get worse," according to the org, which reviewed Redmond's Xbox gaming consoles.

The good news: according to Microsoft's privacy policy, it does not sell users' personal information.

However, Redmond can collect details about your gaming habits, use that info to serve up targeted ads, share data with partners like Yahoo! and Facebook, and collect more data on users from these and other sources – like data brokers. Mozilla also cites the $20 million FTC fine imposed on Microsoft for illegally gathering kids' personal information and retaining it without parental consent.

Microsoft did not respond to The Register's request for comment.

The creepiest product ever is …

The "creepiest product ever," according to Mozilla, is the Angel Watch, which Caltrider noted doesn't even have a privacy policy. "All we found is, in their terms and conditions, down at the very bottom: section 8."

The watch, along with the rest of the AngelSense connected devices, includes GPS tracking, video and audio monitoring, remote body vitals tracking, and phone calling features. On its website, the biz bills the device as a smart watch for kids, teens, and individuals with autism, special needs, Alzheimer's and dementia. Its tagline is "peace of mind for parents."

However, as Mozilla notes: "There is just one HUGE problem — we could find no privacy policy for this surveillance device, so there is no way to know anything about how this company handles all the very sensitive, personal information this device and the Angel Watch app can collect on you and your vulnerable loved ones."

"Do not buy the Angel Watch for your child or vulnerable person in your life," the researchers urge.

AngelSense did not respond to The Register's inquiries.

There's a hundred or so more products included in the 2023 wrap-up – including a creepy AI-powered robot that talks to your kids.

The Mozilla team plans to keep updating the list until at least Thanksgiving.

And in case these privacy and security nightmares aren't enough to keep you awake at night, there's also the burning question: what should you buy those on your list as the holidays get closer?

"Books," Caltrider recommended. "Buy books." ®

More about


Send us news

Other stories you might like