I suggest adding a guide to help people navigate the household appliances and consumer electronics market, including in particular the IoT side of the topic. Perhaps there could be two separate guides?
The reason why I think Privacy Guides should have a page about this is that many companies produce common household devices that have baked-in remote network capabilities (impacting security by adding unnecessary attack surface), and they often also invade privacy by including tracking or requiring online accounts for offline functionality. Average consumers are the most affected because they are unaware of such practices (or the implications of such practices), and often do not realise that certain products require unnecessary integrations until after they have made the purchase. Even worse, they could instead be attracted to “smart”/network features, perceiving them as “more technologically advanced”.
Moreover, even tech-savvy people may not know that they should watch out for these kinds of practices: see this recent blog post / video by Jeff Geerling regarding the network and account registration requirements of a new dishwasher he acquired.
An important topic that this guide could cover is the security and privacy aspects of connected devices. For example, the guide should recommend that consumers avoid acquiring devices that unnecessarily connect to the Internet.
Household appliances should never have any kind of remote connectivity capability: a fridge, a microwave, a dishwasher, a washing machine, etc. should never be designed to connect to the Internet (or to require an Internet connection even for non-network-related functionality), as this introduces unnecessary attack surface, and can end up preventing people from making use of their devices when network outages occur or if the manufacturer goes out of business and their servers are shut down. And even more so, household appliances should not require an online account.
I think a guide on these points wouldn’t be out of place on Privacy Guides, even if it inevitably bleeds into the broader topic of consumer protection and anti-consumer practices, since there are some valid points to be made from a privacy/security perspective.
On the hardware page there is already a brief mention:
> All untrusted devices can go [on a separate VLAN], including IoT devices like your smart fridge, thermostat, TV, etc.

> The fewer devices you have connected to your network, the less potential attack surface you’ll have
Another source of poor security practices in consumer electronics to talk about is the market of smart cameras / indoor monitoring cameras / doorbell cameras, which, if not properly configured, can give anyone access to the video streams. Such cameras also bring up privacy concerns from the manufacturers; see this discussion.
Then there is the market of TVs, for which there is already a proposal and a community wiki entry.
And then there is the automotive industry: vehicles are now filled with invasive “smart features”, built-in tracking, remote capabilities, account requirements, …
(A guide on this has already been requested here and here.)
One resource I know is the Mozilla analysis of privacy policies of 25 brands of cars, though I don’t know how reliable it is, as some of the data collection policies analysed were actually from the section of the privacy policy that concerns conversations with employees/tech support (and Mozilla didn’t make this clear). Links to this Mozilla analysis:
- Cars are a Privacy Nightmare: Here’s Why That Matters
- What Data Does My Car Collect About Me and Where Does It Go?
- It’s Official: Cars Are Terrible at Privacy and Security
- https://foundation.mozilla.org/en/privacynotincluded/categories/cars/
And I likely left out many other types of products that have been infected with the IoT/“smartification” disease.