[Note: see related podcast and see affiliate stuff at the right]
[UPDATED: Jan 8, 2022]
When I wrote up last year’s list, I didn’t expect we’d still be dealing with a pandemic in 2021. And yet, here we are. But the best gift you could give this year – to yourself and those around you – is to get vaccinated and get your booster shot. Coming up in second place: helping others to get their shots.
But that’s not what this article is about. As the big gift-buying season approaches, I want to help people make good choices when it comes to security and privacy. There are a lot of nifty tech gifts and services out there, but many of them can make you vulnerable to hacking and/or give away your personal information. After reading this list, you might also want to consider replacing products and services that your gift recipients already have, as well.
One final note before we begin: get your shopping done early this year. With supply chain issues and covid complications, many products will go out of stock quickly and shipping times are going to be a lot longer than normal.
Worst Gifts for Privacy & Security
Let’s start with the gifts you should not be giving this year. These are the gifts that are notably bad at preserving your privacy or might leave you open to hacking. Note that there’s often a right way and a wrong way to make a product or service. If you see something on the ‘worst’ list that you wanted to give as a gift, be sure to look for a possible replacement on the ‘best’ list.
I’ll be honest… the general advice is largely the same, year to year. This is a sad testament to the fact that people keep buying this crap. The more we reject these things in favor of ones that are more secure and private, the more companies will get the message.
Smart Devices from Google, Amazon & Facebook
Companies love to sell us new versions of old products and nothing has provided more opportunities for this than “smart” devices. Take some old, stodgy product that’s been around for decades and connect it to the internet. What could possibly go wrong? Making something “smart” means putting a computer chip in it and connecting it to the internet. And computers can be hacked – especially cheap computers built with little or no thought for security. Worse yet, these devices can now tattle on you 24/7, collecting tons of personal information and using that info to sell you more stuff.
Three companies at the forefront of this are Google, Amazon and Facebook. Google bought Nest and Fitbit. Amazon bought Ring video doorbell, Blink webcam, and the Eero wifi mesh router. They also introduced a Fitbit competitor called Halo and an in-home flying spy drone called Ring Always Home Cam. Facebook launched its Portal devices and bought VR headset maker Oculus.
In the last year, Amazon has released not one but two home spy robots: a flying drone called the Ring Always Home Cam and a little Roomba-like robot called Astro. Not to be outdone, Facebook recently partnered with Ray-Ban to create creepy sunglasses called Stories with a built-in camera to record you and everyone the wearer looks at.
Furthermore, these three companies are aggressively partnering with other companies to include the Alexa, Google Home and Facebook digital assistant and home automation features in their products, including the Echo and Google Nest smart speakers. While there is certainly money to be made just selling the hardware, all three of these companies are also using these platforms to monetize your data. While they’ve been trying to add privacy features and opt out capabilities, the goal here is obvious.
From a purely privacy perspective, I would be wary of any of these products and third party devices that include the digital assistants. But I want to call out three smart products in particular:
- Ring video doorbells. I bought one of these when it first came out (before Amazon bought Ring) and loved it. But after Amazon added several third party trackers to its Android app and established some truly creepy police monitoring contracts, I ripped it out and replaced it (see next section for my new favorite).
- Facebook Stories. There’s a reason why people who wore Google’s video-enabled eyewear were dubbed “glassholes”. Until we can figure out a way to do AR (augmented reality) with privacy and respect for others, we have to say no. Several good articles on this.
- Amazon Astro. Like the Always Home Cam flying in-home drone, this is not going to end well. I’m a technologist and sci-fi fan… I love the idea of home robots… but I’ll wait for privacy regulations to be in place and a company who will make a truly privacy-respecting mechanized servant.
DNA Analysis Kits
This is a perennial favorite on the Naughty List. And there is no shortage of articles about the perils of these DNA ancestry/heritage kits like those from Ancestry.com, 23andMe, and MyHeritage, including revealing infidelity and drawing attention from law enforcement to your relatives. Recently, it was revealed that 23andMe intends to use your DNA for drug research. States are scrambling to enact privacy laws around DNA, but that’s a long way off.
If you’re still considering this, check out this article (comic?) about the subject.
Cheap or Free Services
Any company that can’t make enough money from its subscribers or users will eventually die. So you need to ask yourself how companies are staying viable. In today’s world, there’s a damn good chance that they’re monetizing you or your data somehow. Some companies offer a free tier of service to entice people to move up to a for-pay tier – this is the “freemium” model. Other companies offer free or cheap services to individuals, but charge hefty prices for businesses. These are viable business models that could allow these companies to offer a free service without necessarily having to support it by selling your data.
However, even this doesn’t guarantee that you are the customer and not the product. Look at cell phone service providers – they charge us a ton of money, and still sell our data to make more. So at the end of the day, you have to do your homework. But I can tell you right now that the following companies and services are selling or otherwise monetizing your data:
- Google (which includes Android, Chrome, Waze, Nest, YouTube)
- Facebook (which includes WhatsApp, Instagram, Oculus, Onavo)
- Yahoo (which includes Tumblr)
- Just about any free VPN service (which includes Hotspot Shield, Hide My Ass, Onavo, Touch VPN, Hola VPN). Also, many of these services/apps have horrible security issues, too. See this list for more info.
Cheap Smart Devices & Cell Phones
As I mentioned above, the Internet of Things (IoT) is a huge money-making industry with no signs of slowing down. Connecting something to the internet must make it better, right? Light bulbs, TVs, toasters, refrigerators, doorbells, garage door openers, coffee makers, and on and on and on.
However, security is hard – and it costs time and money to do properly. In the cut-throat world of consumer electronics, price is everything. And security is often the first corner that is cut to keep costs down. Computer chips are in just about all electronics these days. If it has a power button or plugs into the wall, it’s almost surely running software. And when you put these devices on the network, that software is exposed to attack. Your coffee maker or fish tank thermometer could be a beachhead for hackers to attack other devices inside your home network or to attack servers on the broader internet (i.e., as part of a botnet).
And just like cheap services, these devices are often used to mine your personal information and habits – because why not? This includes the apps that run on these devices (like smart TVs or streaming boxes) or apps that you use to control or configure the devices. In particular, I would avoid the following:
- Cheap Android phones and tablets
- Cheap baby monitors and security cameras
- Anything connected to the internet from a brand with no reputation to protect
Smart Toys for Kids
This should go without saying at this point, but getting any internet-connected toys for kids can have serious privacy and even security implications. Like Barbies that listen to your kids or smart watches that track them. Even if you somehow trust that the companies that produce these products won’t misuse this data, understand that the security of these products is usually horrible and they may be hacked by bad guys.
Best Gifts for Privacy & Security
While the techie world today is still very much a wild west in terms of security and privacy, there’s reason to hope for a better tomorrow. Privacy regulations, like GDPR in Europe and CCPA in California, are helping to rein in rampant data mining – even for those of us who don’t live in their jurisdictions. But we still need to be very careful about the products and services we use.
Mitigating Your Risks
It’s impossible to avoid IoT devices today – they’re everywhere. But here are some tips for improving their security and privacy. If you’re visiting relatives for the holidays, help them implement these things.
- Change default passwords. If the device has web-based configuration, it should have a password. And it’s probably a well-known default password. Change this to something strong and unique (and store it in a password manager).
- Disable remote access & UPnP. Many wifi routers allow remote login (that is, from outside your home). This is begging for trouble and almost never necessary. Many routers also have Universal Plug-n-Play (UPnP) enabled by default. This can leave devices in your network vulnerable to hacking. Disable this feature, too. If you want to test your vulnerability, try the excellent (and free) ShieldsUP! tool from Steve Gibson.
- Update the software. All software has bugs. As these bugs are found, it’s crucial that you apply the fixes in a timely manner. Look to buy devices that have an auto-update feature for software. And then help your recipient get that enabled.
- Keep devices dumb. Don’t buy someone an internet-connected “smart” device if the “dumb” version will do. And if you or a loved one has received a smart device, but have no use for the smart features, then don’t connect the device to the network.
- Quarantine your IoT devices. This is a simple but effective mitigation. Most wifi routers have a “guest network” option. You should enable this for your house guests, but you can also put many of your IoT devices on this network. That way if they are hacked, they won’t be able to attack your important devices that you keep on the main wifi network (computers, smartphones, etc).
You can find more tips and resources here.
General Buying Advice
I’ve told you what you should avoid. Choosing better products is pretty much doing the opposite:
- Spend money. First of all, “free” and “super-cheap” are usually not the qualities of a product or service with stellar privacy and security. But second, when we, as consumers, pay money for security and privacy features, it supports companies who are doing the right things and supports a vibrant, viable market for these products and services.
- Choose brand names. Companies with a reputation on the line are more likely to fret over bad press and respond quickly to fix problems. When these companies fall short, be vocal about your disappointment. Complain first to customer support, preferably in written form. If that fails, post on social media, write to your state AG’s office, and/or file a complaint with the FTC.
- Choose newer tech. Newer isn’t always better, but older products may stop being supported with software updates (which is bad). Security protocols and technology get better over time, too.
- Do your research. There’s a ton of great info out there. Check out my resources page for a list. You might also check this article from the LA Times, Kim Komando’s recent article, or Mozilla’s wonderful Privacy Not Included site.
Gift Ideas for Better Privacy & Security
Here are some gift ideas for services that will enhance the privacy and security of your loved ones (and yourself). And again, if someone already has one of these – but is using a bad one – you could buy them a better one, and help them switch over.
- Password Manager. This is an absolute must-have today. We have dozens if not hundreds of passwords to remember. You should use strong, unique passwords for each and every one – and the human brain just isn’t up to that task. I personally use LastPass, but 1Password and Bitwarden are also very good.
- A privacy-respecting VPN service. A virtual private network will protect your web traffic from your internet service provider (ISP). When you’re in a hotel, coffee shop, airplane, or some other place with free wifi, that business is your ISP. (And on mobile devices, your carrier is your ISP.) Wirecutter has a very good write-up on the best VPNs, though I don’t agree 100% with their criteria. Restore Privacy also has an excellent guide. I would recommend NordVPN for most people (it’s what I use most of the time), though Mullvad looks interesting. These services work on both computers and smartphones. NOTE: Be careful when reading VPN reviews – many are written by the same companies that own the service.
- Cloud storage. DropBox, Google Drive, Microsoft OneDrive and Apple iCloud are all very popular. But despite using strong encryption, they’re not truly private – because they hold the encryption keys. To store and share files, you should choose a service that lets you create and control the key. I strongly prefer Sync.com. (If you insist on using something else, then at least consider using Cryptomator to guard the private stuff.)
- Private email. Gmail, Yahoo Mail, Outlook, and most of the other popular “free” email providers are horrible about privacy. You are their product, not their customer. There are many degrees of privacy when it comes to email providers. For most people, Fastmail is a great option. Not only does it have excellent email features, it also has a calendar, contact manager, notes and file storage. If you want to go for a super-private service, you should look at providers like ProtonMail or Tutanota. I’ve tried many of the top super-private services, and I find these to be the easiest to use.
- Secure messaging. This is a tough one because messaging services are all proprietary – unlike with email, to message someone else, they have to have an account with the same provider. But the good news here is that the best option is an easy choice: Signal. (NOTE: Signal is a rare exception to the “free service” issue. You can trust them.) You might also check out Threema or Wire. Session is new and very interesting, too. See this review for full details. When you’re visiting friends and family, that could be a good time to get multiple people set up on a new, private messaging service.
- Apple products. Apple is one of the very few big tech companies that don’t need or want your data. Apple sells hardware and makes a hell of a lot of money doing it. And whether it’s altruism or just capitalism at work here, they’ve made a point of making user privacy a key product differentiator. Apple’s record isn’t perfect. Their recent child safety feature was a big misstep, but for now at least, that’s on hold. But they have a huge reputation to protect and they’re trying very hard to get privacy right. Again… not perfect, but way better than Android and Windows.
- Gadget prepper. For the person who likes to be prepared for anything (which is a facet of security), you might check out the recommendations on my article on preparing for a power outage.
Here’s a list of some specific products that improve security and privacy, along with some just plain fun stuff! Click the links in bold to see the products. (Note that I don’t make any money endorsing any of these.)
- Apple HomePod mini. This is a nice, private alternative to Amazon Echo or Google Home speakers with a built-in digital assistant (Siri). It’s not portable and the recipient will need an iPhone or iPad to get the most out of it. But it sounds great and will respect your privacy way better than Alexa or Google. It can also be used as an Apple Home automation hub.
- Webcam cover. Just because the little green light isn’t on doesn’t mean someone isn’t using your webcam. Without a physical off-switch or cover, it could be used to spy on you. Is this likely? Probably not. But the solution is simple and cheap. Note that Apple warns about using these, so there’s one caveat. (You can also just use a little piece of a Post-It Note, too, like Mark Zuckerberg.)
- Shut Your Pi-Hole. This one requires a little work, but it’s worth it. With a cheap Raspberry Pi mini computer, you can create a nifty little ad blocker for your entire house. Basically, it’s a DNS sinkhole that blocks any outbound requests to ad and tracking websites. If you point your home wifi router at this device for DNS, then it will block ads and tracking for every device on your home network, including your IoT devices. Instructions here.
- USB Condom or portable phone charger. When you charge your smartphone or tablet on a USB port that you don’t own, you run the real risk of your device being hacked. This is called juice jacking and it’s getting popular with bad guys. But there are two easy fixes: bring your own portable charger or use a power-only USB cable (aka, a “USB condom”). Or you can also charge from your laptop, if you have one.
- Paper shredder. Did you know that there’s really nothing preventing anyone from sifting through your trash once you put it out at the curb? Not only is there no need for a warrant, but really anyone can legally go through your garbage. How often does this actually happen? I don’t know, but there’s a really simple solution: get a paper shredder. Alternatively, you could get this obfuscating rolling stamp.
- Eufy video doorbell. This is a much more private product than Ring. I have one and love it. Videos are stored locally on an SD card, but you can still access them from your smartphone anywhere.
- Password dice. Password managers generate excellent passwords. But if you want to go old school, try using these special dice for generating truly random passwords (or passphrases). And be sure to check out my new website for generating passphrases, too!
- System76 or Purism computers. These two companies are trying hard to create devices that owners actually own, meaning that you can load whatever software you want. This means open source software and hardware whenever possible. They don’t run Windows or macOS – they run Linux. Be prepared for a learning curve here. (If “right to repair” or environmental sustainability is your thing, you might check out the new Framework laptops that are meant to be easy to upgrade.)
- YubiKey. I personally recommend using an authenticator app for two-factor auth, but if you want to kick it up a notch, you can carry around a physical hardware key for this purpose. You always need to have it with you and plugged in, though.
- Firewalls Don’t Stop Dragons. The whole point of my book (and my blog and my newsletter and my podcast) is to improve your security and privacy. The book has 170 tips in it – including many of the ones on this guide, but with step-by-step instructions and pictures. Makes a great gift!
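To make the Pi-hole item above more concrete, here is an added example (my own code, not from the Pi-hole project) of the decision a DNS sinkhole makes for every query: parse a hosts-format blocklist, normalize the queried name, and either answer with the null address or forward the query to the real resolver. The blocklist lines and domain names are constructed for the example; real lists have hundreds of thousands of entries. Subdomain matching (blocking `cdn.ads.example` because `ads.example` is listed) is an assumption that mirrors wildcard-style rules, not plain hosts-list behaviour, so it is a switchable option.

```python
"""Minimal DNS-sinkhole decision logic, Pi-hole style (added example, not project code)."""
from __future__ import annotations

# Constructed sample in hosts-file format, the format most Pi-hole blocklists use.
SAMPLE_BLOCKLIST = """\
# Example ad/tracking hosts (constructed for this example)
0.0.0.0 ads.example-tracker.test
0.0.0.0 telemetry.example-iot.test   # trailing comment
127.0.0.1 localhost
::1 localhost
0.0.0.0 Metrics.Example-Tracker.TEST
"""

SINKHOLE_ADDRESS = "0.0.0.0"   # the "null" answer returned for blocked names

# Names that appear in hosts files for local reasons and must never be blocked.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
               "ip6-localhost", "ip6-loopback"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and strip the trailing dot of a fully qualified name."""
    return name.strip().lower().rstrip(".")


def parse_hosts_blocklist(text: str) -> set[str]:
    """Extract blocked domain names from hosts-format text.

    Each non-comment line is '<address> <hostname> [<hostname>...]'. The
    address is irrelevant for blocking; anything after '#' is a comment.
    """
    blocked: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # malformed line: no hostname
        for host in fields[1:]:
            host = normalize(host)
            if host and host not in LOCAL_NAMES:
                blocked.add(host)
    return blocked


def is_blocked(query_name: str, blocked: set[str], match_subdomains: bool = True) -> bool:
    """Decide whether a query for query_name should be sunk.

    With match_subdomains=True (an assumption mirroring wildcard rules),
    'cdn.ads.example-tracker.test' is blocked because its parent is listed.
    """
    name = normalize(query_name)
    if name in blocked:
        return True
    if not match_subdomains:
        return False
    labels = name.split(".")
    # Walk up the parents: a.b.c -> b.c -> c
    return any(".".join(labels[i:]) in blocked for i in range(1, len(labels)))


def resolve(query_name: str, blocked: set[str]) -> str:
    """Return the sinkhole address for blocked names, or 'FORWARD' meaning
    'pass this query on to the real upstream resolver'."""
    return SINKHOLE_ADDRESS if is_blocked(query_name, blocked) else "FORWARD"


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for q in ["ads.example-tracker.test", "cdn.ads.example-tracker.test.",
              "news.example.test", "localhost"]:
        print(f"{q:40} -> {resolve(q, blocked)}")
```

The point for a home network is that the decision happens on the Pi-hole, before any packet leaves the house, so it protects smart TVs and IoT gadgets that cannot run an ad blocker themselves. Returning 0.0.0.0 rather than refusing the query is deliberate: apps fail fast on an unroutable address instead of retrying.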
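The password dice item above is the Diceware idea: fair dice pick words from a public list, so all the secrecy is in the rolls. As an added example (my own code, not the author's passphrase site or any Diceware project), this maps roll strings to list indexes, rejects rolls that fall outside the list instead of wrapping them (wrapping would bias the result toward early words), and computes the resulting entropy. The 36-word list is constructed so that two dice cover it; the real Diceware list has 7,776 words and uses five dice, which the same functions handle.

```python
"""Diceware-style passphrases: dice rolls -> word-list index -> words (added example)."""
from __future__ import annotations

import math
import secrets

# Constructed 36-word list (2 dice per word) standing in for the real
# 7,776-word Diceware list (5 dice per word). The list is public; only the rolls are secret.
SAMPLE_WORDLIST = [
    "acorn", "badge", "cabin", "dairy", "eagle", "fable", "gable", "habit", "ivory",
    "jelly", "kayak", "lemon", "mango", "noble", "olive", "pearl", "quill", "raven",
    "salsa", "tiger", "ultra", "vivid", "waltz", "xenon", "yacht", "zebra", "amber",
    "bison", "cider", "delta", "ember", "flint", "gamma", "hazel", "igloo", "jumbo",
]


def dice_per_word(list_size: int) -> int:
    """Smallest number of six-sided dice whose outcomes cover the whole list."""
    n = 1
    while 6 ** n < list_size:
        n += 1
    return n


def dice_to_index(rolls: str) -> int:
    """Convert a roll string such as '31415' (digits 1-6) to a 0-based index by
    reading it as a base-6 number in which '1' is the zero digit."""
    if not rolls or any(ch not in "123456" for ch in rolls):
        raise ValueError(f"not a dice roll: {rolls!r}")
    index = 0
    for ch in rolls:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_dice(count: int) -> str:
    """Virtual fair dice drawn from the OS CSPRNG (secrets), one digit per die."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(count))


def words_from_rolls(rolls: list[str], wordlist: list[str]) -> list[str]:
    """Map each roll to a word. A roll past the end of the list means 'roll
    again' in Diceware, so it is rejected here rather than wrapped around."""
    words = []
    for r in rolls:
        idx = dice_to_index(r)
        if idx >= len(wordlist):
            raise ValueError(f"roll {r} is outside the list; roll again")
        words.append(wordlist[idx])
    return words


def generate_passphrase(num_words: int, wordlist: list[str]) -> str:
    """Roll virtual dice until num_words valid words have been chosen."""
    n = dice_per_word(len(wordlist))
    chosen: list[str] = []
    while len(chosen) < num_words:
        try:
            chosen.extend(words_from_rolls([roll_dice(n)], wordlist))
        except ValueError:
            continue   # out-of-range roll: re-roll
    return " ".join(chosen)


def entropy_bits(num_words: int, list_size: int) -> float:
    """Entropy of num_words words drawn uniformly from a list of list_size."""
    return num_words * math.log2(list_size)


if __name__ == "__main__":
    print(generate_passphrase(4, SAMPLE_WORDLIST))
    print(f"6 Diceware words: {entropy_bits(6, 7776):.1f} bits")
```

Six words from the full Diceware list give about 77.5 bits of entropy, which is why a six-word passphrase from physical dice is a reasonable master password for a password manager; four words from this toy 36-word list give only about 20.7 bits and are for illustration only.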
Special Mention: Priiv App
The CEO of The Privacy Co. (as in, company) reached out to me several weeks ago. Turns out Craig (the CEO) had been listening to my podcast and he wanted to talk to me about his privacy app, Priiv. Now, I get stuff like this pretty regularly, and honestly most of it is so bad that I generally ignore them. But this one looked really interesting, so I replied. We actually set up a Zoom call so that he and his CTO, Shane, could demo the product for me. And I was quite impressed.
Priiv is an app that aims to do exactly what my book does: help regular, everyday (probably non-technical) people figure out how to be more secure and guard their privacy by giving them comprehensive checklists and complete step-by-step instructions. But the Priiv app takes it a welcome step further – something I can’t really do in my book. By answering a handful of questions, they tailor your checklist to your specific situation. First, they find out which types of devices and services you use. Then they help you determine what your personal risk factors are and how far you really want to go (using the “good, better, best” approach). Then, BOOM: here’s your list of stuff to do. And to inspire you to do them, they also provide you a Privacy Score – sorta like a credit score – that goes up as you check more things off.
I’ve considered trying to do something like this for my book for a long time, but never had the time, honestly. And that’s why I was floored when Craig (the CEO) offered to make a custom Priiv “path” (set of checklists) specifically for Firewalls Don’t Stop Dragons! And I can now say that it’s done! You can find my checklists under the “gurus” tab in the Priiv app! Right now it’s best used on iPhone, but you can run the app on a newer M1-based Mac desktop or an iPad. Versions for Android and Windows are coming soon. The basic stuff is all completely free, too. There’s a for-pay subscription version that adds several interesting features, including automating the setting of many privacy settings, data broker data removal and identity theft insurance. But you can get a lot from the free version. One last caveat: it’s only available in the US and Canada, currently.