[Updated Dec 10, 2020. A podcast version of this guide is also available.]
What a year 2020 has been… I have to say that I’m ready for 2021 at this point. But we’re not quite done yet – we still have to get through the holiday season. With COVID-19 spiking everywhere, the best gift you could give this year is to stay home and stay away from people you don’t already live with; and the worst “gift” would be the coronavirus.
But you can still give gifts as usual – you’ll just need to ship them or drop them off on the porch. (NOTE: if you’re going to ship this year, do it soon. It’s going to be a crazy year for delivering packages.)
With that bummer out of the way, let’s get to my annual guide to the best and worst gifts!
[Some of these recommendations are repeats from previous years… because apparently people didn’t get the memo… this memo! Spread the word!]
Worst Gifts for Privacy & Security
Let’s start with the gifts you should not be giving this year. These are the gifts that are notably bad at preserving your privacy or might leave you open to hacking. Note that there’s often a right way and a wrong way to make a product or service. If you see something on the ‘worst’ list that you wanted to give as a gift, be sure to look for a replacement on the ‘best’ list.
Smart Devices from Google, Amazon & Facebook
This section covers a TON of products. Google and Amazon have made strong moves into the smart device market in recent years. Google bought Nest and Fitbit. Amazon bought Ring video doorbell, Blink webcam, and the Eero wifi mesh router. They also introduced a Fitbit competitor called Halo. Facebook launched its Portal devices and bought VR headset maker Oculus.
Furthermore, these three companies are aggressively partnering with other companies to include the Alexa, Google Home and Facebook digital assistant and home automation features in their products, including the Echo and Google Nest smart speakers. While there is certainly money to be made just selling the hardware, all three of these companies are also using these platforms to monetize your data. While they’ve been trying to add privacy features and opt out capabilities, the goal here is obvious.
From a purely privacy perspective, I would be wary of any of these products and third party devices that include the digital assistants. But I want to call out one product in particular: Ring video doorbells. I bought one of these when it first came out (before Amazon bought Ring) and loved it. I bought one for my mom, too. But after Amazon added several third party trackers to its Android app and established some truly creepy police monitoring contracts, I ripped it out and replaced it (see next section for my new favorite).
(Expect to see Nest’s coming Always Home Cam drone on this list next year.)
DNA Analysis Kits
Cheap or Free Services
Any company that can’t make enough money from its subscribers or users will eventually die. So you need to ask yourself how companies are staying viable. In today’s world, there’s a damn good chance that they’re monetizing you or your data somehow. Some companies offer a free tier of service to entice people to move up to a for-pay tier – this is the “freemium” model. Other companies offer free or cheap services to individuals, but charge hefty prices for businesses. These are viable business models.
However, even this doesn’t guarantee that you are the customer and not the product. Look at cell phone service providers – they charge us a ton of money, and still sell our data to make more. So at the end of the day, you have to do your homework. But I can tell you right now that the following companies and services are selling or otherwise monetizing your data:
- Google (which includes Android, Waze, Nest, YouTube)
- Facebook (which includes WhatsApp, Instagram, Oculus, Onavo)
- Yahoo (which includes Tumblr)
- Just about any free VPN service (which includes Hotspot Shield, Hide My Ass, Onavo, Touch VPN, Hola VPN). Even though it has a for-pay tier, I would still avoid Google’s new VPN service, as well. Also, many of these services/apps have horrible security issues, too. See this list for more info.
Cheap Smart Devices & Cell Phones
The Internet of Things (IoT) is still a fast-growing industry with no signs of slowing down. Connecting something to the internet must make it better, right? Light bulbs, toasters, refrigerators, doorbells, garage door openers, and on and on.
However, security is hard – and it costs time and money to do properly. In the cut-throat world of consumer electronics, price is everything. And security is often the first corner that is cut to keep costs down. Computer chips are in just about all electronics these days. If it has a power button or plugs into the wall, it’s almost surely running software. And when you put these devices on the network, that software is exposed to attack. Your coffee maker could be a beachhead for hackers to attack other devices inside your home network or to attack servers on the broader internet (i.e., become part of a botnet).
And just like cheap services, these devices are often used to mine your personal information and habits – because why not? This includes the apps that run on these devices (like smart TVs or streaming boxes) or apps that you use to control or configure the devices. In particular, I would avoid the following:
- Cheap Android phones and tablets
- Cheap baby monitors and security cameras
- Anything connected to the internet from a brand with no reputation to protect.
Best Gifts for Privacy & Security
While the techie world today is still very much a wild west in terms of security and privacy, there’s reason to hope for a better tomorrow. GDPR in Europe and CCPA in California are helping to rein in rampant data mining. And there’s even a much-needed IoT security bill sitting on the President’s desk right now. But for now, we still need to be careful about the products and services we use.
Mitigating Your Risks
It’s impossible to avoid IoT devices today – they’re everywhere. But here are some tips for improving their security and privacy:
- Change default passwords. If the device has web-based configuration, it should have a password. And until we get better regulations in place, it’s probably a well-known default password. Change this to something strong and unique (and store it in a password manager).
- Disable remote access & UPnP. Many wifi routers allow remote log in (that is, from outside your home). This is begging for trouble and almost never necessary. Many routers also have Universal Plug and Play (UPnP) enabled by default, which lets devices on your network open ports to the internet without asking you. This can leave devices in your network vulnerable to hacking. Disable this feature, too. If you want to test your exposure, try the excellent (and free) ShieldsUP! tool from Steve Gibson.
- Update the software. All software has bugs. As these bugs are found, it’s crucial that you apply the fixes in a timely manner. If the device has an auto-update feature, enable it.
- Keep devices dumb. If you aren’t using the “smart” features of a device, then don’t put the device on your network. Unplug the ethernet cable or don’t set up the WiFi connection.
- Quarantine your IoT devices. This is a simple but effective mitigation. Most wifi routers have a “guest network” option. You should enable this for your house guests, but you can also put many of your IoT devices on this network. That way if they are hacked, they won’t be able to attack the important devices that you keep on the main wifi network (computers, smartphones, etc).
You can find more tips and resources here.
General Buying Advice
I’ve told you what you should avoid already. Choosing better products is pretty much doing the opposite:
- Spend money. First of all, “free” and “super-cheap” are usually not the qualities of a product or service with stellar privacy and security. But second, when we, as consumers, pay money for security and privacy features, it supports companies who are doing the right things and supports a vibrant, viable market for these products and services.
- Choose brand names. Companies with a reputation on the line are more likely to fret over bad press and respond quickly to fix problems. When these companies fall short, be vocal about your disappointment. Complain first to customer support, preferably in written form. If that fails, post on social media, write to your state AG’s office, and/or file a complaint with the FTC.
- Choose newer tech. Newer isn’t always better, but on the whole, it’s better than the alternative. Older products may stop being supported with software updates, for example (which is bad). Security protocols and technology get better over time.
- Do your research. There’s a ton of great info out there. Check out my resources page for a list.
Gift Ideas for Better Privacy & Security
Here are some gift ideas for services that will enhance the privacy and security of your loved ones (and yourself).
- Password Manager. This is an absolute must-have today. We have dozens if not hundreds of passwords to remember. You should use strong, unique passwords for each and every one – and the human brain just isn’t up to that task. I personally use LastPass, but 1Password and BitWarden are also very good. (LastPass has a 40% off sale through the end of November.)
- A privacy-respecting VPN service. A virtual private network will protect your web traffic from your internet service provider (ISP). When you’re in a hotel, coffee shop, airplane, or some other place with free wifi, that business is your ISP. (And on mobile devices, your carrier is your ISP.) Wirecutter has a very good write-up on the best VPNs, though I don’t agree 100% with their criteria. Restore Privacy also has an excellent guide. I would recommend ExpressVPN for most people (it’s what I use most of the time), though Mullvad looks interesting. These services work on both computers and smartphones. (Also, see the Winston box below as a VPN alternative.)
- Cloud storage. DropBox, Google Drive, Microsoft OneDrive and Apple iCloud are all very popular. But despite using strong encryption, they’re not truly private – because they hold the encryption keys. To store and share files, you should choose a service that lets you create and control the key. I strongly prefer Sync.com. (If you insist on using something else, then at least consider using Cryptomator to guard the private stuff.)
- Private email. Gmail, Yahoo Mail, Outlook, and most of the other popular “free” email providers are horrible about privacy. You are their product, not their customer. There are many degrees of privacy when it comes to email providers. For most people, Fastmail is a great option. Not only does it have excellent email features, it also has a calendar, contact manager, notes and file storage. If you want to go for a super-private service, you should look at providers like ProtonMail or Tutanota. I’ve tried many of the top super-private services, and I find these to be the easiest to use.
- Secure messaging. This is a tough one because messaging services are all proprietary – unlike with email, to message someone else, they have to have an account with the same provider. But the good news here is that the best option is an easy choice: Signal. (NOTE: Signal is a rare exception to the “free service” issue. You can trust them.) You might also check out Threema or Wire. See this review for full details.
- Use DNS over HTTPS (DoH). While much of our internet traffic is encrypted via HTTPS, our DNS queries – for some inexplicable reason – are not. DNS is the phone book of the internet. It converts domain names (like eff.org or mozilla.org) to IP addresses. If you don’t hide this, your ISP will know every website you visit. If you use the Firefox browser, you can set it up to use one of several DoH providers. I use Cloudflare.
- Apple products. I’m an Apple fanboy, I admit it. Have been for decades. But there’s just no denying that Apple is one of the very few big tech companies that don’t need or want your data. Apple sells hardware and makes a hell of a lot of money doing it. And whether it’s altruism or just capitalism at work here, they’ve made a point of making user privacy a key product differentiator. Apple’s record isn’t perfect, and they have some serious issues to resolve around stifling competition, but they have a huge reputation to protect and they’re trying very hard to get privacy right.
- Gadget prepper. For the person who likes to be prepared for anything (which is a facet of security), you might check out the recommendations on my article on preparing for a power outage.
Here’s a list of some specific products that improve security and privacy, along with some just plain fun stuff! Click the links in bold to see the products. (Note that I don’t make any money endorsing any of these.)
- Apple HomePod mini. This is a nice, private alternative to Amazon Echo or Google Home speakers with a built-in digital assistant (Siri). It’s not portable and the recipient will need an iPhone or iPad to get the most out of it. But it sounds great and will respect your privacy better than Alexa or Google. It can also be used as an Apple Home automation hub.
- Apple M1 MacBook Air. These new Apple Silicon products are amazing. I bought the MacBook Air and love it. It runs very cool (it doesn’t even have a fan), it’s blazing fast, and it has awesome all-day battery life. However… there are going to be software compatibility issues for a while, so be prepared for some flakiness. Read some reviews first.
- Webcam cover. Just because the little green light isn’t on doesn’t mean someone isn’t using your webcam. Without a physical off-switch or cover, it could be used to spy on you. Is this likely? Probably not. But the solution is simple and cheap. Note that Apple warns about using these, so there’s one caveat. (You can also just use a little piece of a Post-It Note, too, like Mark Zuckerberg.)
- Shut Your Pi-Hole. This one requires a little work, but it’s worth it. With a cheap Raspberry Pi mini computer, you can create a nifty little ad blocker for your entire house. Basically, it’s a DNS sinkhole that blocks any outbound requests to ad and tracking websites. If you point your home wifi router at this device for DNS, then it will block ads and tracking for every device on your home network, including your IoT devices. Instructions here.
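To make the two DNS items above concrete (DoH, and the Pi-hole style sinkhole), here is an added example that is not part of the original post or of the Pi-hole or Firefox projects. It builds a plain DNS query the way it appears on the wire (RFC 1035), shows how DoH wraps that exact message into an HTTPS GET request (RFC 8484, the `?dns=` parameter), and then shows the decision a sinkhole makes: answer a blocklisted name with 0.0.0.0 itself, or hand the query to the upstream resolver. The blocklist entries and the resolver URL are constructed placeholders; nothing is sent over the network.

```python
"""Added example: DNS on the wire, the DoH GET wrapper, and a DNS sinkhole.
Standard library only; all names and the resolver URL are constructed."""
import base64
import struct
from typing import Optional, Tuple
from urllib.parse import urlencode

# Constructed blocklist (placeholders). A real Pi-hole loads thousands of these.
BLOCKLIST = {"ads.example", "tracker.example"}


def build_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Encode a DNS question for `name` (qtype 1 = A record, class IN).
    Flags 0x0100 = recursion desired. DoH clients use txid 0 so identical
    queries produce identical bytes, which lets HTTP caches work."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


def doh_get_url(name: str, resolver: str = "https://dns.example/dns-query") -> str:
    """RFC 8484 GET form: the raw query, base64url without padding, in ?dns=.
    Everything the ISP sees is TLS to the resolver; the name is inside it."""
    raw = base64.urlsafe_b64encode(build_query(name)).rstrip(b"=").decode()
    return f"{resolver}?{urlencode({'dns': raw})}"


def parse_question(query: bytes) -> Tuple[str, int]:
    """Decode the question name and type from a wire-format query."""
    labels, pos = [], 12  # question section starts after the 12-byte header
    while True:
        length = query[pos]
        pos += 1
        if length == 0:
            break
        labels.append(query[pos:pos + length].decode("ascii"))
        pos += length
    qtype = struct.unpack("!H", query[pos:pos + 2])[0]
    return ".".join(labels), qtype


def is_blocked(name: str) -> bool:
    """Block a listed domain and every subdomain of it (cdn.ads.example too)."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def sinkhole_response(query: bytes) -> Optional[bytes]:
    """Return a sinkhole answer for a blocked name, or None meaning 'forward
    upstream'. A queries get 0.0.0.0, AAAA queries get ::, other types get
    NOERROR with no answers, so the client gives up instead of retrying."""
    name, qtype = parse_question(query)
    if not is_blocked(name):
        return None
    question = query[12:]  # echo the question section unchanged
    # Name pointer to offset 12, then type, class IN, TTL 2s, rdlength.
    if qtype == 1:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + bytes(4)
    elif qtype == 28:
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 28, 1, 2, 16) + bytes(16)
    else:
        answer = b""
    # Flags 0x8180 = response, recursion desired + available; 1 question.
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1 if answer else 0, 0, 0)
    return header + question + answer


if __name__ == "__main__":
    print(doh_get_url("eff.org"))
    for host in ("eff.org", "cdn.ads.example"):
        verdict = sinkhole_response(build_query(host))
        print(host, "-> forward upstream" if verdict is None else "-> sinkholed")
```

The sinkhole logic is why a Pi-hole protects every device, including ones whose apps you cannot configure: the decision happens at the resolver the router hands out, not on the client. Note that a client which uses its own DoH resolver (as a browser set up per the DoH item above can) bypasses the Pi-hole entirely, so the two tips interact; Pi-hole users generally point the browser at the Pi-hole or run DoH on the Pi-hole itself.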
- Winston Privacy. If you really want to kick things up a notch, check out this turnkey, privacy-in-a-box solution. I interviewed the CEO of Winston on my podcast (which is well worth a listen). This box basically sits between your entire home network and the internet. It functions as a pseudo-VPN (and is arguably better than a VPN), an ad blocker, a malware blocker, a DNS hider… what doesn’t it do? You can find out more by reading some reviews or heading to the Winston site, or check out what I wrote last year.
- USB Condom or portable phone charger. When you charge your smartphone or tablet on a USB port that you don’t own, you run the real risk of your device being hacked. This is called juice jacking and it’s getting popular with bad guys. But there are two easy fixes: bring your own portable charger or use a power-only USB cable (aka, a “USB condom”). Or you can also charge from your laptop, if you have one.
- Paper shredder. Did you know that there’s really nothing preventing anyone from sifting through your trash once you put it out at the curb? Not only is there no need for a warrant, but really anyone can legally go through your garbage. How often does this actually happen? I don’t know, but there’s a really simple solution: get a paper shredder. Alternatively, you could get this obfuscating rolling stamp.
- Eufy video doorbell. This is a much more private product than Ring. I have one and love it. Videos are stored locally on an SD card, but you can still access them from your smartphone anywhere.
- Synology wifi router. These routers can automatically update their own software and have lots of great privacy settings. They also happen to be good at the wifi part, too.
- Password dice. Password managers generate excellent passwords. But if you want to go old school, try using these special dice for generating truly random passwords (or passphrases). And be sure to check out my new website for generating passphrases, too!
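Why dice produce "truly random" passphrases comes down to two things: a fair die is an unbiased source, and the strength is simply the number of words times the bits per word. The following is an added example, not from the original post or from any dice or word-list vendor, that rolls dice with a cryptographic random source, looks the roll up in a word list, and computes the entropy. The six-word list is constructed for illustration (one die per word); the 7776-word size used in the entropy figures is the standard five-dice Diceware list size.

```python
"""Added example: dice-based passphrases and how much entropy they carry.
The mini word list is constructed; 7776 is the real five-dice list size."""
import math
import secrets
from typing import Dict, List

DICEWARE_LIST_SIZE = 6 ** 5  # five dice -> 7776 words, ~12.9 bits per word

# Constructed one-die word list: the key is the face rolled. A real list has
# five-digit keys ("11111" .. "66666"); the lookup below works for any size.
MINI_WORDLIST: Dict[str, str] = {
    "1": "acorn", "2": "bishop", "3": "cactus", "4": "drum", "5": "ember", "6": "fossil",
}


def roll_dice(count: int) -> str:
    """Roll `count` fair dice using the OS CSPRNG; returns faces like '3142'.
    secrets.randbelow avoids the modulo bias a naive random() % 6 would have."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def passphrase(word_count: int, wordlist: Dict[str, str] = MINI_WORDLIST) -> List[str]:
    """Pick `word_count` words by rolling as many dice as the list's keys have digits."""
    dice_per_word = len(next(iter(wordlist)))
    return [wordlist[roll_dice(dice_per_word)] for _ in range(word_count)]


def entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from `list_size`.
    This only holds when each word is chosen independently at random; a
    human picking 'memorable' words gets far less."""
    return words * math.log2(list_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Smallest number of words whose entropy reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


if __name__ == "__main__":
    print(" ".join(passphrase(4)))
    print(f"6 Diceware words: {entropy_bits(6):.1f} bits")
    print(f"12 random printable chars: {entropy_bits(12, 94):.1f} bits")
    print(f"words for 80 bits: {words_needed(80)}")
    print(f"6 words from the 6-word mini list: {entropy_bits(6, 6):.1f} bits")
```

The comparison in the script is the practical takeaway: six Diceware words (about 77 bits) are roughly as strong as a 12-character password built from the full printable-ASCII set (about 79 bits), but far easier to type and remember. The last line also shows why a tiny list is a bad idea: six words from a six-word list are only 15.5 bits.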
- System76 or Purism computers. These two companies are trying hard to create devices that owners actually own, meaning that you can load whatever software you want. This means open source software and hardware whenever possible. They don’t run Windows or macOS – they run Linux. Be prepared for a learning curve here.
- YubiKey. I personally recommend using an authenticator app for two-factor auth, but if you want to kick it up a notch, you can carry around a physical hardware key for this purpose. You always need to have it with you and plugged in, though.
- Firewalls Don’t Stop Dragons. The whole point of my book (and my blog and my newsletter and my podcast) is to improve your security and privacy. The book has 170 tips in it – including many of the ones on this guide, but with step-by-step instructions and pictures. Makes a great gift!
I ran across a fantastic article on buying refurbished products, and was compelled to add this section to the guide. If you care about the planet you live on and general sustainability, then buying used and refurbished products is a great way to go. Apple, in particular, makes wonderful refurbed products (be sure to buy them from the Apple refurb store). I’ve done this many times – they’re as good as new and cheaper.
This is tied very closely to the issue of The Right to Repair, which I would also encourage you to read up on.