Mozilla's holiday guide rates tech gifts for privacy practices

Some of your gifts will be spying on you.

Bree Fowler Senior Writer

Better watch out. Your connected gifts may be watching you.


Santa isn't alone in keeping an eye on you this holiday season.

Nearly a third of the 151 popular connected gifts analyzed by the Mozilla Foundation as part of its annual "Privacy Not Included" shopping guide didn't meet basic standards for digital security and privacy, the digital rights group said Tuesday.

Among the 47 worst offenders on Mozilla's list: Facebook Portal, Amazon Echo and NordicTrack Treadmill.

In reaching their conclusions, Mozilla researchers analyzed product and app features, and combed through privacy policies. The team also asked manufacturers about their use of location tracking, data collection and other potentially privacy-infringing technologies. The researchers also accounted for each company's track record in protecting consumer privacy.

"While gadgets may be getting smarter, they are also getting creepier and way more prone to security lapses and data leaks," Jen Caltrider, lead researcher for the project, said in a statement.

Mozilla's fifth annual report comes amid continued growth in consumer demand for connected devices ranging from smart speakers and video doorbells to data-tracking fitness equipment and robots, destined to become popular holiday gifts.

But those devices and services often collect their users' personally identifiable information, which is often later sold to data brokers who use it for targeted advertising.

Not all of the products reviewed by the Mozilla team were privacy violators. A total of 22 products made Mozilla's "Best Of" list for exceptional privacy and security practices. Apple took the title of "least creepy" of the big tech companies, because it promises not to share or sell consumer data. Garmin got props for protecting privacy in its smartwatches.

Consumers are still being asked to shoulder too much responsibility for protecting their privacy and security, Caltrider said, pointing to some companies that require people to track down complicated documents across several websites to even start getting an idea of how their data is used.

Mozilla singled out Facebook, which now calls itself Meta, as the "creepiest of the big tech companies." The organization called out Facebook's AI-powered Portal chat device as a particularly bad offender because it regularly sends data back to the company.

Facebook declined comment on the report.

Meanwhile, Amazon's Alexa digital assistant is seemingly everywhere, embedded in numerous products made not just by Amazon, but also by third-party companies. According to Mozilla, data is often collected by the Alexa-powered devices even if you ask them not to collect data, say, on your kids. Mozilla says there's less oversight over Alexa Skills, which are voice-controlled apps and features created by third-party companies.

In response, Amazon noted that its Alexa FAQ states that users can choose to not have their Alexa recordings retained. If they do, the transcripts of those recordings will be automatically deleted after 30 days, though users can manually delete them earlier. The company also said in relation to kids, it complies with the Children's Online Privacy Protection Act (COPPA), which requires parental consent for data collection.

In addition, Amazon said that all Alexa Skills are vetted for security as part of their certification process, as well as continually monitored for potentially malicious behavior. All Skills that collect data must also provide a privacy policy that's displayed on their detail page.

Smart home exercise equipment, which is designed to let consumers work out in the privacy of their homes rather than in a gym, also collects oodles of personal data that could be sold or shared.

Mozilla singled out the NordicTrack Treadmill. The company behind it reserves the right to sell your data and may collect data from brokers to target you with ads, Mozilla said. It may also call or text your phone number even if you're on a do-not-call list. 

Officials for NordicTrack didn't return an email seeking comment.