
Privacy Not Included - gullyfur
https://foundation.mozilla.org/en/privacynotincluded/
======
oehpr
I wanted to give everyone a heads up here, this is genuinely a _terrible_
site. I like the things Mozilla does more generally. But this site...

These product listings are USER RATED! And they're sorted based on users'
ratings.

General users will vote for anything positive to indicate they _like it_, and
anything negative to indicate they hate it. "Is this product good value?"
"Yes." "Is this a luxury product?" "Yes." "Is this product affordable?" "Yes."
All stand-ins for good. So if you ask a general user if something is creepy,
the answer you will get back is either "It's good" or "It's bad".

These aren't products that meet rigorous privacy guidelines, or are open
source, or products from companies that go out of their way to keep their
services zero-knowledge. This is a popularity contest page. This is not the
place to get advice on privacy respecting products.

Take note on what guidelines Mozilla here seems to establish, one of them is
hilariously: "Privacy Policy. Yes they have one"

~~~
guevara
There's some potential here. Not every Joe Shmoe knows or even cares about
privacy so dumbing it down to "Product A: Good" and "Product B: Bad" is a
start at least.

~~~
Paianni
It could backfire; people might perceive the complexity of the content as a
reflection of how dumb a company thinks its viewers are.

------
henriquez
This is a good resource, but the presentation needs work. The big emoji smiley
face on top implies that all the products listed below are "good," but you
have to actually click through on the product to see the actual rating (like
Amazon's Ring Doorbell is rated by users as "Super Creepy").

The explanation of their Minimum Security Standards is pretty helpful and
reasonable though:
[https://foundation.mozilla.org/en/privacynotincluded/about/m...](https://foundation.mozilla.org/en/privacynotincluded/about/meets-minimum-security-standards)

This reminds me of Mozilla's Observatory project
([https://observatory.mozilla.org/](https://observatory.mozilla.org/)) in a
more consumer-focused package. I just wish they'd make it less confusing.

~~~
read_if_gay_
The smiley face actually changes as you scroll down. It’s kind of confusing.

~~~
mrob
Only if you have JavaScript enabled, which people who care about privacy are
less likely to do. And even then it's not clear which products it applies to.

------
skybrian
The UI is quite bizarre. The "not creepy" face changes based on _scroll
position_, not what you point at. It's unclear which products it's even
referring to.

I don't understand why they didn't display an ordinary table with checkboxes
for each security feature.

~~~
thewebcount
Not only that, but several of the "Very Creepy" items have a star with a
laurel wreath around it, like it's won some sort of award for being not creepy
on the site. WTF?

~~~
morsch
That's exactly what it means. The award is _Meets Our Minimum Security
Standards_: Encryption, Security updates, Strong password, Manages
vulnerabilities, Privacy policy

[https://assets.mofoprod.net/static/_images/buyers-guide/badg...](https://assets.mofoprod.net/static/_images/buyers-guide/badge-star.af4c56a350e1.svg)

------
skissane
Am I the only person who dislikes the word "creepy"? It is of unclear meaning,
and is based on emotion (even prejudice) rather than reasoned judgement.

My concerns for my own privacy are not grounded in some emotional dislike of
"creepiness", they are grounded in reasonable apprehension of the potential
negative real world consequences.

------
Wowfunhappy
Security ≠ Privacy. Several of their "minimum standards" seem odd to me.

> Does it have a privacy policy?

I don't really care about a product's privacy policy; I care about what's _in_
the policy!

> Do you have to create a strong password?

It makes little sense to avoid a product because they _let_ you set a four
character password. Just use a longer password! (If they have a maximum length
or some such, that's of course a different story.)

> Does it get regular software/firmware updates?

Updates can be a good sign, I guess, but as with the privacy policy, doesn't
it matter more what's _in_ those updates? Zoom gets regular updates, but that
doesn't make me more confident in the software—at all.

------
strict9
This is great and helpful, thank you Mozilla!

If anyone that worked on this reads this, a suggestion: Please rank products
based on Mozilla's rating and not user-supplied sentiment.

For example, it's hard to make sense of products that are "very creepy" or
"somewhat creepy" yet have 4/5 or 5/5 overall security rating from Mozilla.

It's not clear unless you really look that the creepiness rating is not from
Mozilla.

~~~
mrspeaker
Also, the "creepy-ness" face only works with JavaScript enabled... I scrolled
down the page and thought all these devices were "Not creepy!" because the
face was smiling at me. It was only when seeing Ring Doorbell endorsed by
Mozilla as "not creepy" did I twig that something was wrong.

------
mtthwn
This page wasn't immediately clear to me. I have a lot of third party requests
blocked when most pages load. Looking at this at first, the fact they're
organized from less creepy to most creepy was lost. The page just appeared to
be seals of Mozilla approval and a smiling face above products. See
[https://imgur.com/a/48a8QmX](https://imgur.com/a/48a8QmX)

I had to enable a script hosted on mofoprod.com to get the smiling face to
indicate that products were voted as creepy. Also voting options did show.

Text explaining that users are rating products and they are ordered by creepy
rating could be helpful.

------
_jal
I'm feeling this is well-meaning but really misguided, in multiple ways.

Mostly context-free. I'm guessing they're targeting mostly non-technical,
retail consumers. Which is fine, but raises a number of other questions. Like,
why is Mozilla especially well-positioned to review consumer electronics? And
why are random consumers going to trust Mozilla?

Related, but this reinforces several bad messages about security:

- That it is an objective, scalar property of a thing,

- That "one size fits all",

- That infosec is a shopping exercise, not a process the user has to
participate in.

Also, just, why? Who really thinks there's a Mozilla-shaped hole in the
shopping-guide world?

------
sub7
Facebook Portal meets your "strict" privacy standards? GTFO Mozilla, stick to
web browsers

~~~
tcd
HAHA! What an absolutely trash service, in that page it says:

> Facebook says that it does not listen to, view or keep the contents of any
> video or audio calls on your Portal.

No mentions about on their servers though, which we know they do!

How do I report articles on HN for misleading trash? This needs to be deleted
from the internet.

How dare they give 5* to a fucking FB property.

------
aschatten
Maybe a good start, but I don't think it's too useful. Creepiness is not just
security, it's both: privacy and security.

A while ago I got Tile, thought it was a good idea. Returned the same day,
because in order to add a device I needed to create an account. The device is
in my hand, the phone is in my hand, Bluetooth is the protocol. I don't need a
server to arbitrate a pretty straightforward interaction between them. There
is absolutely no need to require account creation, until I request cloud
dependent features. Should be functional offline without any data sent to
server.

Same with GoPro, their app required you to sign up before you can use it.

On the other hand, I can pair and update my Bose headphones without having an
account. I can do it without an app by plugging in a cable. I don't need to
bother about their cloud security or privacy policy, because they simply don't
have PI they can lose or misuse. I only need to be concerned about security
of Bluetooth and Updates delivery.

Because it is hard not to use various services and you can't possibly assess
security and privacy policies easily, the first question is: What information
it collects and does it really need it to function or merely for marketing et
al? If it does need, then you need to worry about security and privacy.

~~~
m463
I thought with Tile they could use your bluetooth to find other people's
tiles. So it's all cloud-based.

~~~
aschatten
This is a secondary function, as far as I remember you would need to
explicitly mark your item as lost and it can only connect to app running, not
really a mesh network of tiles. In any case, I think I should be able to use
it locally, if I want to opt in for network, then signing up makes sense.

~~~
m463
Your proposed use-case won't overcome their business model. Their business
model (theoretically) makes their company more valuable the more users they
get (users that cave).

------
smbullet
As a technical user I like the emoji and think it's creative. Just wanted to
add some positivity to a sea of negative comments.

------
morsch
I opted out of the Firefox/Android data collection setting. Then I was
recently updated to the new Firefox Beta:
[https://snipboard.io/139WEH.jpg](https://snipboard.io/139WEH.jpg) Privacy not
included.

~~~
jml7c5
Looks like you were one of the unlucky 10%:
[https://firefox-source-docs.mozilla.org/mobile/android/mma.h...](https://firefox-source-docs.mozilla.org/mobile/android/mma.html)

It seems they've been using Leanplum for some time; I'm surprised I hadn't
heard anything about it. It looks like they're not using it for advertising
purposes, at least.

I'm surprised they wouldn't at least restrict it to only users who had enabled
usage data (i.e., not enable it for users who had clearly already expressed a
preference for privacy).

I'm also surprised they didn't do this in-house. Sending data to a third
party, no matter how trustworthy that party seems, is not a good look for
a product that is advertised as privacy preserving.

~~~
morsch
Lovely. Thanks.

------
afarviral
This page is a real bummer. Of all the products I looked at they all collect
your data by default. That's creepy, and yet merely having a privacy policy,
not having a good one, earns the product a little award wreath. This is utter
nonsense and has not highlighted privacy-respecting products. It's simply
false. So disappointed that this is Mozilla.

------
Animats
Right.

Automatic updates would seem to be a negative for privacy. They imply a
backdoor to force changes on a device. Automatic update features have often
been used to reduce consumer rights.

It's not even clear they're a win for security. If you shipped some simple
device with so much attack surface it needs security fixes, you're doing it
wrong.

~~~
solidasparagus
Wait what? You think security fixes are a sign that software was built
'wrong'? Every piece of software has security bugs - it's the ones that never
have any security fixes that I would be scared of.

~~~
Animats
_You think security fixes are a sign that software was built 'wrong'?_

Of course. If it needs a fix, it was built wrong. We've become too accepting
of low-security software. There's no excuse for this in embedded devices that
don't do much.

------
dang
A thread from 2018:
[https://news.ycombinator.com/item?id=18453550](https://news.ycombinator.com/item?id=18453550)

------
saagarjha
Is this based on votes?

~~~
simongr3dal
I've seen many submissions reach the front page that had roughly 1 vote/min in
the first 2 hours.

~~~
saagarjha
I'm talking about the "creepiness rating". It seems like it might be based on
what other people have voted.

~~~
lucb1e
If you open one of the product pages, you'll see that yes, and you can vote
too.

------
tcd
Is Mozilla's new browser on Android not included on that list?

It contains 3 trackers [1]:

Adjust

Google Firebase Analytics

LeanPlum

It also has telemetry selected by default and is NOT opt-in. So yeah, whether
it's hardware or software, you're being spied on any time you use an internet
connected device.

[1]: [https://reports.exodus-privacy.eu.org/en/reports/org.mozilla...](https://reports.exodus-privacy.eu.org/en/reports/org.mozilla.fenix/latest/)

~~~
Teever
Yeah it seems incredibly hypocritical to not put their own products on here.

------
ptrenko
I think I'll go live in a cave if I hear privacy debated once more!

I'm too inundated with this stuff!

------
ngold
An updated list of minimum security IoT things is a good start. Those get
shady fast.

------
jchiu1106
It would be a much shorter list if they just do "privacy included"

------
softfalcon
At the very bottom is the Facebook Portal. How did that get on this list?

------
kgraves
It's worth noting that Mozilla is not a very good privacy advocate since they
are a puppet to Google, a surveillance capitalist.

This fancy looking site is pretty unhelpful, and also has sinister tracking
analytics which does not help their 'privacy cause'.

My assessment is that I would highly not recommend this site.

------
kotrunga
What is Mozilla doing? They are _endorsing_ the 'Google Home'? The 'Ring
Doorbell'? Products from Nest? I guess it makes sense, with the amount of
money they get from Google- they have to.

While these devices _might_ have encryption, security updates, etc, many of
the devices listed __ABUSE__ user privacy. _Many_ of the devices here ARE
creepy!

I could provide 10 links as proof, but it's not even worth the time. You can
go ahead and 'Google' the proof.

This is horrible.

Edit- want some proof? Listen to these:
[https://www.wfmu.org/playlists/TD](https://www.wfmu.org/playlists/TD)

~~~
scrollaway
You didn't look very closely at the website and just jumped to conclusions,
didn't you?

They rank all the ones you mentioned as "Super creepy".

~~~
kotrunga
To a normal internet user, they make it look like they endorse the product.

The 'meets our minimum security standards' seal is still next to the product.

~~~
saagarjha
To _you_, who may be a normal internet user, it makes it seem like they
endorse the product. I didn't see that at all. (Plus, a "normal internet user"
has no idea how Mozilla makes money.)

~~~
tick_tock_tick
But they are endorsing the products; the creepy is the user rating, not
Mozilla's.

