The holiday shopping season is once again upon us! And that means it’s time to update my annual gift guide. Unlike other guides, I’m not here to tell you about the hottest Black Friday deals or how to get free overnight shipping on Dec 23rd. My naughty and nice list is laser focused on the cyber security and privacy aspects of popular gifts (or some that should be). When you give gifts to your loved ones this year, let’s make sure we’re not also giving gifts to the hackers and data miners!
[Some of these recommendations are repeats from previous years… because apparently people didn’t get the memo… this memo! Spread the word!]
Worst Gifts for Privacy & Security
Let’s start with the stuff you should immediately cross off your list. If you’re considering any of these, you should think again.
Worst Gift: DNA Analysis Kit
Look, I get it. How cool is it to send off a little spit and get back a full report on your heritage? I mean, DNA analysis is just so high tech and fun! And you’re tired of giving all the tired, typical Christmas gifts – this one is so unique! Am I related to someone famous in history? Where did my family come from? Could I discover a detailed family tree that someone else painstakingly created already? Do I have lurking health issues that I should know about?
We’re just beginning to discover how to unlock the secrets in our genes and these services may analyze your DNA forever. The privacy policies seem to allow them to share your data with others, as well. Even if they claim to share your data anonymously, it’s your DNA… it is you. I wouldn’t count on it remaining anonymous.
Some of the coolest, most futuristic gadgets these days are digital assistants like Google Home, Amazon Echo, and Apple’s Siri-based products. These products are internet-connected audio devices that allow you to access streaming music, home automation, and many other cool features. When they hear you say the “wake word(s)” it cues them to listen for your commands or queries. You can check the weather, get sports scores, set a timer, look up the cast of a movie, or answer just about any question you might put in a search engine. It’s very cool – and makes a fun gift.
But many people are freaked out by the fact that these devices are always listening – and that your queries are sent to some mysterious cloud service for processing. While most of these queries are processed by a computer, we have learned recently that some recordings are checked by humans, as well. It raised quite the stink a few months ago, causing all three vendors to issue statements, and Apple to explicitly require an opt-in to allow this.
So you might be surprised to know that I have several of these devices in my home right now: three Echos and one HomePod. Why would any self-respecting “privacy guy” do this? Mostly because, as a software engineer who has worked on a digital assistant project, I understand how they work. While it’s true that the microphone is constantly listening, until you utter the magic words (“Hey Siri”, “OK Google”, or “Alexa”), nothing is sent outside your house. And even then, at least in my house, it’s innocuous stuff like “what’s the weather today” or “what’s the Purdue score”. While it’s true that you can sometimes accidentally trigger these devices, I find it doesn’t happen often.
That said, I’m on a mission to move to all Apple products, replacing my Echo devices. I trust Apple to respect my privacy way more than Amazon or Google. Apple does need to put out a “HomePod mini” or something that’s a lot smaller and cheaper, which I’m hoping will happen soon.
So, bottom line, I wouldn’t worry too much about the digital assistants that just have microphones. I would, however, avoid ones with cameras. Here is a great article that compares the relative privacy of these devices and tells you how to maximize the privacy settings. Just be very careful what helpers you install. And watch out for stray lasers.
I don’t want to spend a ton of time focusing on the negative, but I need to call out a few.
Anything from Facebook. Facebook has shown time and time again that they do not care about your privacy. Their big money-making product is you. Last year, I warned against the Facebook Portal. While I would be wary of any product that points an internet-connected camera into my home, there’s no way I would consider letting a Facebook camera anywhere near me. This year, Facebook came out with a matchmaking service and Facebook Pay. Just say no.
Health trackers. While I definitely see the value of apps and devices that help you monitor exercise, sleep patterns, diet and even menstrual cycles, you have to be extremely careful about who you trust with this information. It can be really hard to interpret privacy policies and they change constantly. And then there’s always the prospect of a buyout. For example, Google just bought Fitbit (and all its data) for $2 billion – and they have been making a serious, creepy push into medical data that should worry anyone.
Cheap Android devices. Cheaply-made Android products are infamous for having poor security and even coming with pre-installed spyware or malware. Spend the money on brand name devices. It doesn’t guarantee privacy or security, but it greatly increases your odds. Honestly, Android as a platform and ecosystem is just riddled with problems. If you can, go for Apple iOS-based devices.
Mitigating Your Risks
Here are some quick tips to mitigate the risks for all the fun “smart” devices we like to give for gifts.
Keep your TV dumb. Just because you can connect something to the internet doesn’t mean you have to. While it’s almost impossible to buy anything but a “smart” TV today, you can keep it dumb by just not connecting it to the internet. Instead of using the Netflix and Amazon Prime Video apps built into the TV, use a more privacy-respecting device like Apple TV. TVs are supposed to be watched; they’re not supposed to watch you back.
Keep device software up to date. All software has bugs. As these bugs are found, fixes are made available. But if you’re not installing those updates, they don’t do you any good. In the era of the Internet of Things (IoT), that means upgrading your smart thermostat, light bulbs, doorbells, toasters, etc. One item in particular that you want to keep up to date that most people don’t consider: your WiFi router.
Now that we’ve covered what not to give someone, let’s talk about some products and services that can actually enhance your privacy and security!
Best Gifts for Security
When most people think about cybersecurity, they think about antivirus software. Malware, including the very popular new ransomware variants, is the most publicized threat for the average person today. So let’s address this first and get it out of the way.
I have a somewhat controversial viewpoint on the overall net benefit of antivirus software. In my view, most people are better off using the free malware protection that comes with most computers. For PCs, Microsoft Defender does a great job. Macs do have some rudimentary security software built in, particularly in the latest “Catalina” release (i.e., macOS 10.15). If you’d like to supplement that, it’s hard to recommend a specific free product – reviewers I respect rarely agree and the rankings change every year. But if I had to pick something simple that works for most people, I would go with Sophos Home or Avira Home.
Your best defense is really just practicing good internet hygiene:
Don’t open attachments in emails unless you specifically requested them or were expecting them, regardless of who sent the email.
If you get a scary email about one of your accounts, log into your account by manually typing the web address or use a favorite/bookmark (do NOT use any links provided!) and look for alerts there.
Download your software from the original, official site only.
Never install software just because a web page tells you that you need to.
Beyond malware prevention, there are several standard security measures everyone should take:
Use a password manager. You really do need to use unique, strong passwords for every website. A password manager like LastPass can help you generate crazy passwords, remember them, and even fill them in for you. You can buy a subscription to LastPass Family and share it with up to 5 more people for just $4/month.
Use Two-Factor Authentication. This is becoming more prevalent and it’s a fantastic way to up your security game for free. Read this article for full info.
Stay up to date. It’s crucial that you keep your operating system and apps up to date. This includes smartphones and tablets.
Back up all your files. Follow the 3-2-1 rule. You should have a local, automated backup to an external hard drive. Use Apple’s wonderful, free Time Machine on Mac; use Windows Backup on PCs. (You could give someone a nice little USB external hard drive for this.) You should also have an offsite backup, like a cloud service. For that, I would recommend a service like Backblaze ($60/year).
Freeze your credit. Thanks to recent legislation, this is now free throughout the US. It can be a pain, but it’s really a great way to mitigate the damage from identity theft. Click here for more info.
These aren’t exactly fun gifts, though. So here are a couple things you can stuff in a stocking or put under the tree.
Stocking Stuffer: USB Condom
Believe it or not, you can catch a virus (as in malware) from a dirty USB port. By that I mean a public USB port, like at the airport, a coffee shop, a hotel, or even an airplane or car. Bad guys can actually infect your smartphone or tablet by abusing the data connection part of the USB connection. It’s even got a name now: juice jacking. This has been possible for a long time, but only recently seems to have become a problem for everyday people.
USB connectors have four wires: two for power, two for data. If you block the data lines, you can then safely charge from the power lines. To do this, you need either a power-only USB cable or a device affectionately called a “USB condom”, like this. But better yet, there are many, many excellent portable battery chargers, which you can use anywhere – big and small.
Did you know that there’s really nothing preventing anyone from sifting through your trash once you put it out at the curb? Not only is there no need for a warrant, but really anyone can legally go through your garbage. How often does this actually happen? I don’t know, but there’s a really simple solution: get a paper shredder. Get in the habit of shredding financial docs, medical and utility bills, insurance stuff, credit card offers, and more.
Best Gifts for Privacy
Privacy is finally starting to become A Thing™. As in, companies are finally starting to offer products and services that focus specifically on privacy. And it’s about time. The way we make sure that these products survive and even improve is to actually throw some money at them. Since a lot of people might not buy these things for themselves, they make a great idea for a gift.
The Winston Privacy box is by far the most interesting privacy product I’ve seen in a long time – maybe ever. I interviewed the CEO of Winston last summer on my podcast, which is well worth a listen. But the upshot is that Richard Stokes was in the “adtech” field for many years, until he realized that the tracking and data collection were getting way out of hand. He designed a small, easy-to-use box that sits between your devices and the internet. Because all internet traffic must go through the box, that means that it can protect every single device in your home (computers, laptops, smartphones, tablets, IoT devices, etc). And it couldn’t be simpler: just plug it in and within 60 seconds, it’s online and protecting.
What does it do? A few things. First, it blocks known tracking and malware sites. This keeps not only you from accidentally going to these sites, but also rogue applications. Second, it has artificial intelligence that monitors and automatically blocks tracking cookies. Finally, it even helps to defeat browser fingerprinting, one of the most insidious methods of web tracking.
But that’s not all. The Winston box also has some really interesting “mesh” communications tech that works to hide your IP address from the websites you visit, somewhat like a VPN. Basically, the Winston box bounces your web traffic through other Winston boxes, masking your true IP address.
It’s not cheap – and it requires a subscription – but frankly if you want a truly turn-key product that just works, it’s worth it. You can read some reviews here. If you want to splurge for someone who really cares about privacy, this is an interesting option.
Sync.com: Private Cloud Storage
I’ve been a Dropbox user for many, many years. When it started out, it did one thing and did it well: seamlessly, effortlessly synchronized the contents of one folder across many different devices, anywhere on the internet. As someone who owns many computers and smart devices, it was a lifesaver.
In recent years, there have been many more cloud storage services that also allow you to synchronize files across the internet: Microsoft’s OneDrive, Google Drive, Apple’s iCloud, Box.com and many, many more. But from a privacy perspective, all of these services can actually see the files you store with them – which also means that law enforcement, hackers and rogue employees can poke around, too. While these services do encrypt your files, they hold the encryption keys.
I set out to find a cloud service that would let me hold the keys, so that no one could unscramble my files but me. Believe it or not, there are several services that do this, too, but I settled firmly on Sync.com. You can read all about my research here, but I encourage you to just give it a try – and maybe gift someone a subscription.
Replacing Google Email, Calendar and Docs
Let’s face it – Google knows a LOT about us. Just think about all the products and services that Google owns: Google Search, Google Chrome browser, Gmail, Gcal, Google Docs, Google Drive, Google Maps, and Google Play… and that’s just the stuff that actually has Google in the name. They also own Waze, Android, and YouTube. And that’s just the tip of the iceberg – check out this exhaustive list. Make no mistake, Google is an ad company. Over 90% of their revenue is from ads. And that, again, makes you their product, not their customer.
Now, I’ve used Google products since forever. They’re really, really useful – and you don’t have to pay (money) for them. But now that I’m a privacy nut, I’m bound and determined to extricate myself from the Googleverse – and trust me, it’s going to take me a while.
But I have discovered one excellent, privacy-focused service to replace four of the top Google services I use: email, calendar, contacts and online docs. That service is Mailbox.org. And guess what… it costs money. That’s a good thing. It doesn’t cost a lot and it’s worth every euro. Check it out for yourself, and consider gifting it to someone you care about.
Virtual Private Network
Whenever you’re on the internet, your traffic can be seen by your internet service provider (ISP). Realize that this is not only your cable company or cellular carrier, but also the hotel, airport and coffee shop if you’re using their WiFi. Even if most of your traffic is encrypted (HTTPS), the metadata (where you go, how long you stay there) is usually still visible to the ISP. A VPN can fix this – though you can’t even trust every VPN with your privacy, believe it or not. My pick is TunnelBear. You can (and should) read about why I chose it here.
Stocking Stuffer: Webcam Cover
This is going to sound truly paranoid, but it’s a real thing: hackers have figured out how to remotely turn on your webcam and spy on you. Why do you think Mark Zuckerberg covers his laptop webcam? Okay, it’s probably not common. But there’s also a really cheap and simple solution: a sliding webcam cover. I really like these because they’re super thin and don’t mess with the closing of my laptop lid. These can also be used on iMacs, which have built-in webcams. (For other webcams, consider a simple sticky note.)
Give the Gift of Knowledge
Last but certainly not least, I personally like to read books when I want to learn about something. Forewarned is forearmed! Here are some great stocking stuffer ideas:
Data and Goliath by Bruce Schneier. Bruce is a world-renowned security expert, but he’s also a very good writer. This book does a very good job at explaining why data privacy is so important and how our corporations and governments are holding way too much power over us. (Full review here.)
Little Brother by Cory Doctorow. This book is short and entertaining fiction, but it’s also a treatise on the importance of security and privacy in the digital age. This book is even free, if you want to download the PDF.
Firewalls Don’t Stop Dragons by me! The entire purpose of my book is to help people protect themselves. The book covers all the tips above – over 150 other tips in all, complete with easy step-by-step instructions and pictures, covering Mac, PC, iOS and Android. If you’re giving someone a new computer, tablet or smartphone, it’s a great companion gift.
We’re finally starting to see independent, third-party reviews of products from a privacy and cybersecurity perspective. It’s a welcome change! Hopefully we’ll see more of this.
Consumer Reports recently reviewed home webcams and included security in its findings, for example.
Mozilla (the fine folks behind the Firefox browser) have a new site called Privacy Not Included, where they attempt to review popular products based on how well they protect your privacy.
[Full disclosure: Some of the Amazon links here might give me a little kickback, but not all of them. And that’s not why I picked them]