[UPDATED 2/25/2023 for Eufy privacy issue and response]
The holiday shopping season is once again upon us, so it’s time to update my annual gift guide! There are lots of great tech toys and fun online services, but many of them can make you vulnerable to hacking attacks or mine your personal data. What you may find is that the best gift you can give is to replace something they already have with something more secure and private. However, this year I’d also like to suggest that you give your loved ones the gift of your time – helping them to beef up their security and protect their data. To that end, I’ve created a great little printable stocking-stuffer. (UPDATE: I have a giveaway going right now celebrating the 300th episode of my podcast where you can win some of these gifts.)
Adding security to products is expensive and harvesting data can be very lucrative. The market incentives are all backwards, rewarding the wrong behavior. But if enough people demand better security and less data mining, we can drive change. That’s going to mean spending more money on products and rewarding the companies that are getting it right.
Worst Gifts for Privacy & Security
Let’s start with the gifts you should not be giving this year. Sadly, this list hasn’t changed much over the years, so I’ll just go through the repeat offenders quickly. If you want to read more, you can check out the list from 2021 or 2020.
Smart Devices from Google, Amazon & Facebook
Adding an internet connection can breathe new life into boring old “dumb” appliances, but it also exposes you to hacking and data mining. Unfortunately, many Big Tech companies today are addicted to data and they are actively building up a suite of products to hoover up as much personal information as they can. In many cases, they’ve done this by buying other companies – not for their products, but for their customers and access to their data. Amazon bought Twitch, Roomba and Ring; Facebook bought Instagram, Onavo VPN, WhatsApp and Oculus; Google bought Nest, Fitbit, Waze, Blink and Eero and many others. Remember that Facebook and Google are ad companies.
Furthermore, these three companies are aggressively partnering with other companies to include the Alexa, Google and Facebook digital assistant and home automation features in their products. While there is certainly money to be made just selling the hardware, all three of these companies are also using these platforms to monetize your data. From a purely privacy perspective, I would be wary of any of these products and third-party devices that include the digital assistants, microphones or cameras.
DNA Analysis Kits
This is a perennial resident of the Naughty List. And there is no shortage of articles about the perils of these DNA ancestry/heritage kits like those from Ancestry.com, 23andme, and My Heritage, including revealing infidelity and drawing attention from law enforcement to your relatives. To make matters worse, 23andme intends to use your DNA for drug research.
Cheap Smart Devices & Cell Phones
Security is hard – and it costs time and money to do properly. In the cut-throat world of consumer electronics, price is everything. And security is often the first corner that is cut to keep costs down. Computer chips are in just about all electronics these days. If it has a power button or plugs into the wall, it’s almost surely running software. And when you put these devices on the network, that software is exposed to attack. Your coffee maker or fish tank thermometer could be a beachhead for hackers to attack other devices inside your home network or to attack servers on the broader internet (i.e., as part of a botnet).
And just like cheap services, these devices are often used to mine your personal information and habits – because why not? This includes the apps that run on these devices (like smart TVs or streaming boxes) or apps that you use to control or configure the devices. In particular, I would avoid cheap Android phones and tablets, cheap baby monitors and security cameras, and anything connected to the internet from a brand with no reputation to protect.
Smart Toys for Kids
This should go without saying at this point, but getting any internet-connected toys for kids can have serious privacy and even security implications, like Barbies that listen to your kids or smart watches that track them. Even if you somehow trust that the companies that produce these products won’t misuse this data, understand that the security of these products is usually horrible and they may be hacked by bad guys.
Best Gifts for Privacy & Security
Let’s get to the good stuff! Here are some tips for selecting better gifts, with some specific suggestions for products and services that are better than most.
General Buying Advice
I’ve told you what you should avoid. Choosing better products is pretty much doing the opposite:
- Spend money. First of all, “free” and “super-cheap” are usually not the qualities of a product or service with stellar privacy and security. But second, when we, as consumers, pay money for security and privacy features, it supports companies who are doing the right things and supports a vibrant, viable market for these products and services.
- Choose brand names. Companies with a reputation on the line are more likely to fret over bad press and respond quickly to fix problems. When these companies fall short, be vocal about your disappointment. Complain first to customer support, preferably in written form. If that fails, post on social media, write to your state AG’s office, and/or file a complaint with the FTC.
- Choose newer tech. Newer isn’t always better, but older products may stop being supported with software updates (which is bad). Security protocols and technology get better over time, too.
- Do your research. There’s a ton of great info out there. Check out my resources page for a list. You might also check this article from the LA Times, Kim Komando’s recent article, or Mozilla’s wonderful Privacy Not Included site.
Gift Ideas for Better Privacy & Security
Here are some gift ideas for services that will enhance the privacy and security of your loved ones (and yourself). And again, if someone already has one of these – but is using a bad one – you could buy them a better one, and help them switch over.
- Password Manager. This is an absolute must-have today. We have dozens if not hundreds of passwords to remember. You should use strong, unique passwords for each and every one – and the human brain just isn’t up to that task. I would recommend 1Password or BitWarden. (I can’t recommend LastPass right now, but that may change if they fix their issues.)
- A privacy-respecting VPN service. A virtual private network will protect your web traffic from your internet service provider (ISP). When you’re in a hotel, coffee shop, airplane, or some other place with free WiFi, then they are your ISP. (And on mobile devices, your carrier is your ISP.) Wirecutter has a very good write-up on the best VPNs. I would recommend Proton VPN, IVPN or Mullvad. NOTE: Be careful when reading VPN reviews – many are written by the same companies that own the service.
- Cloud storage. DropBox, Google Drive, Microsoft OneDrive and Apple iCloud are all very popular. But despite using strong encryption, they’re not truly private – because they hold the encryption keys. To store and share files, you should choose a service that lets you create and control the key. I prefer Sync.com. (If you insist on using something else, then at least consider using Cryptomator to guard the private stuff.)
- Private email. Gmail, Yahoo Mail, Outlook, and most of the other popular “free” email providers are horrible about privacy. You are their product, not their customer. There are many degrees of privacy when it comes to email providers. For most people, Fastmail is a great option. Not only does it have excellent email features, it also has a calendar, contact manager, notes and file storage. If you want to go for a super-private service, you should look at providers like Proton Mail, StartMail or Tutanota. You might also check out newcomer Skiff.
- Secure messaging. This is a tough one because messaging services are all proprietary – unlike with email, to message someone else, they have to have an account with the same provider. But the good news here is that the best option is an easy choice: Signal. (NOTE: Signal is a rare exception to the “free service” issue. You can trust them.) You might also check out Threema or Wire. Session is new and very interesting, too. See this review for full details. When you’re visiting friends and family, that could be a good time to get multiple people set up on a new, private messaging service.
- Apple products. Apple is one of the very few big tech companies that don’t need your data. Apple sells hardware and makes a hell of a lot of money doing it. And whether it’s altruism or just capitalism at work here, they’ve made a point of making user privacy a key product differentiator. Apple’s record isn’t perfect. But they have a huge reputation to protect and they’re trying very hard to get privacy right. Again… not perfect, but way better than Android and Windows.
Here’s a list of some specific products that improve security and privacy, along with some just plain fun stuff! Click the links in bold to see the products. (Note that I don’t make any money endorsing any of these.)
- Apple HomePod mini. This is a nice, private alternative to Amazon Echo or Google Home speakers with a built-in digital assistant (Siri). It’s not portable and the recipient will need an iPhone or iPad to get the most out of it. But it sounds great and will respect your privacy way better than Alexa or Google. It can also be used as an Apple Home automation hub.
- Apple TV. Smart TVs are watching what you watch – many of them include some flavor of Automatic Content Recognition. I recommend disconnecting your smart TV from the internet and using an external streaming box like Apple TV to watch Netflix, Amazon Prime Video, Disney+ and other streaming services.
- Webcam cover. Just because the little green light isn’t on doesn’t mean someone isn’t using your webcam. Without a physical off-switch or cover, it could be used to spy on you. Is this likely? Probably not. But the solution is simple and cheap. Note that Apple warns about using these, so there’s one caveat. (You can also just use a little piece of a Post-It Note, like Mark Zuckerberg.)
- Shut Your Pi-Hole. This one requires a little work, but it’s worth it. With a cheap Raspberry Pi mini computer, you can create a nifty little ad blocker for your entire house. Basically, it’s a DNS sinkhole that blocks any outbound requests to ad and tracking websites. If you point your home wifi router at this device for DNS, then it will block ads and tracking for every device on your home network, including your IoT devices. Instructions here.
- NextDNS. Another solution for blocking tracking and avoiding malicious websites is a privacy-oriented DNS service. This is similar to the Pi-Hole idea, but it’s an external service. The basic plan is free, which will work for most people. But if you have a ton of smart devices like me, you’ll probably need to pay for a plan.
- USB Condom or portable phone charger. When you charge your smartphone or tablet on a USB port that you don’t own, you run the real risk of your device being hacked. This is called juice jacking and it’s getting popular with bad guys. But there are two easy fixes: bring your own portable charger or use a power-only USB cable (aka, a “data blocker” or “USB condom”).
- Paper shredder. Did you know that there’s really nothing preventing anyone from sifting through your trash once you put it out at the curb? Not only is there no need for a warrant, but really anyone can legally go through your garbage. How often does this actually happen? I don’t know, but there’s a really simple solution: get a paper shredder. Alternatively, you could get this obfuscating rolling stamp.
- Eufy video doorbell. In light of a recent development regarding privacy issues, I hesitate to recommend Eufy products. They have since come clean, for the most part, and promised to fix the bugs and generally do better. I still believe Eufy’s cameras are a lot more private than anything Amazon or Google has, but I’ll let you decide if what they’re doing is good enough for you. One possible mitigating factor: doorbell cameras point away from, not into, your home.
- Password dice. Password managers generate excellent passwords. But if you want to go old school, try using these special dice for generating truly random passwords (or passphrases). And be sure to check out my website for generating passphrases, too!
- YubiKey. I personally recommend using an authenticator app for two-factor auth, but if you want to kick it up a notch, you can carry around a physical hardware key for this purpose. You always need to have it with you and plugged in, though.
- Firewalls Don’t Stop Dragons. The whole point of my book (and my blog and my newsletter and my podcast) is to improve your security and privacy. I just released a massive update, too! And if you really dig my cool dragon-and-castle logo (or just want to support the cause), you can even buy some merch at the Firewalls Don’t Stop Dragons Swag Shop.
- Other resources. I ran across this list recently, which is enormous. It contains a lot of the same things I have here, but some more obscure items, as well.
Give the Gift of Your Time
After several years of talking about stuff made by other people, I figured this year I’d create something myself. Helping others to improve their security and privacy is great – I do my best. But what if I could help my tribe to help their tribes? Sorta like that old 80’s shampoo commercial… and they told two friends, and they told two friends.
So I’ve put together some security and privacy coupons that you can give to your loved ones this holiday season (or really, at any time). I’ve chosen some top tips for defending your devices and data, and turned them into printable, giftable coupons. An example is shown below.
So… there is my gift to you, and hopefully your gift to your loved ones! Get out there and help others to secure their stuff!