Finding safe tech gifts is tougher than it ought to be

I just bought a new toaster. It works great, and I’m reasonably sure it won’t burn down the house. That’s because it has a big “UL” stamped on the bottom. It’s a simple indication that the toaster meets safety standards set byUL, a century-old product testing service.

But when I do my holiday shopping, there isn’t a UL seal for high-tech products. There isn’t a widely accepted symbol to tell me whether that talking digital assistant or remote-controlled flying drone won’t spy on me, or is not vulnerable to hackers. I’d welcome an easy way to know these gadgets are safe.


Now, the Mozilla Foundation is working on it. The nonprofit foundation, best known for its popular Internet browser, has launched “Privacy Not Included,” a holiday shopping guide that ranks the privacy and security features of 70 popular tech devices that might end up under somebody’s tree.

That’s not a lot of hardware, yet — given the sheer number of gadgets on offer. The Mozilla effort is just the first step in a plan to create a “trustmark” — a UL-like symbol that may one day be stamped on millions of gadgets, providing assurances to buyers that they are designed for online safety.

Jen Caltrider, cocreator of “Privacy Not Included,” likens the new privacy-check movement to the early days of consumer safety for the auto industry. “We didn’t ask them to install their own seat belts,” Caltrider said. “We asked the carmakers to install seat belts.”

In the same way, Mozilla expects device makers to do the heavy lifting. As we connect so many devices to the Internet — from home security systems to thermostats to lawn sprinklers — consumers need help managing them all. How much data does each device collect, and what is it used for? And how secure is each gadget against online criminals? And why should I have to read 20 pages of legalese to get the answer?


It’s not just about protecting the device owner. A hacked baby monitor can spy on a family. But it can also be connected to thousands of other hacked machines to form a “botnet,” which can be used to carry out attacks on still other computers. Several years ago several major Internet sites were taken down in such an attack. So buying secure gadgets makes the network safer for everybody.

The Mozilla site features about 30 devices that meet the foundation’s minimum standards for privacy and security. These devices encrypt all the data they transmit over the Internet. They require the user to set a new password — not the default password, which is known to every online crook. Some cheap Internet devices cannot be updated, leaving them permanently vulnerable. Devices that meet Mozilla’s approval have software that can be easily patched and upgraded. Finally, approved devices have an easy-to-understand privacy policy, so users know exactly what happens with any data they share.

None of this guarantees that a device is foolproof; every day, criminals find new ways to break in. But you can say the same about seat belts. They’re not perfect, but they’ve saved a lot of lives.

Mozilla concluded that about half the items on this year’s list fall short in one way or another. The Spark selfie-shooting camera drone from DJI, for instance. The Mozilla crew found that it doesn’t encrypt its video feed and doesn’t require the user to set up a strong password.


Mozilla also singled out a baby monitor from a company called FREDI, saying it lacks encryption, doesn’t require a strong password, and doesn’t run software security updates.

DJI disputed some of Mozilla’s criticisms, but confirmed the lack of encryption and acknowledged its drone doesn’t require a unique password. FREDI didn’t respond to requests for comment.

Mozilla isn’t the only nonprofit looking to set basic consumer tech standards. Consumer Reports has developed its own set of criteria, called the Digital Standard, and plans to use it to evaluate tech gadgets going forward. But neither Mozilla nor Consumer Reports have the wherewithal to review every Internet-connected device on their own.

So Mozilla and a consortium of organizations including the New York University School of Law, is backing a program called Trustable Technology. It’s a voluntary trustmark system that lets approved companies slap a futuristic logo on their boxes that will signify the product has a high standards of digital security and privacy.

Unlike UL, Trustable Technology doesn’t actually test each device. Rather it asks companies to provide information about each product’s security and privacy features. Trustable Tech evaluates the answers against a set of security and privacy standards. If the company promises to toe the line, it gets to wear the trustmark.

In theory, a company could lie. But Trustable Tech says it will publicly shame violators and revoke their trustmarks. Besides, trying to fudge something like that invites an investigation by the Federal Trade Commission lawsuit over deceptive trade practices.


The bigger problem, though, is the chicken-and-egg kind. Companies will be eager to display the trustmark if consumers look for it, the way we look for the UL symbol. But consumers probably don’t know to look for the mark until their favorite brands start to display it.

Trustable Tech launched last week in Rotterdam, and for now, it’s only been embraced by a couple of obscure European gadget makers. The symbol will have to turn up on hundreds of big-name tech products if it’s to have any chance of catching on.

It could happen. Auto makers eventually figured out that driver safety mattered to their customers. If Apple or Amazon or Google decide we’re just as interested in safe computing, Trustable Technology could begin to make its mark.

Hiawatha Bray can be reached at Follow him on Twitter @GlobeTechLab.