How Safe Are Kids’ GPS Trackers and Smartwatches?

Intro 0:00

Welcome to the She Said Privacy/He Said Security Podcast, like any good marriage, we will debate, evaluate, and sometimes quarrel about how privacy and security impact business in the 21st Century.

Jodi Daniels 0:21

Hi. Jodi Daniels, here. I’m the founder and CEO of Red Clover Advisors, a certified women’s privacy consultancy. I’m a privacy consultant and certified informational privacy professional providing practical privacy advice to overwhelmed companies.

Justin Daniels 0:36

Hi, I am Justin Daniels, I am a shareholder and corporate M and A and tech transaction lawyer at the law firm, Baker Donelson, advising companies in the deployment and scaling of technology. Since data is critical to every transaction, I help clients make informed business decisions while managing data privacy and cyber security risk. And when needed, I lead the legal cyber data breach response brigade.

Jodi Daniels 1:03

And this episode is brought to you by Red Clover Advisors. We help you won’t get one beep. We help companies to comply with data privacy laws and establish customer trust so that they can grow and nurture integrity. We work with companies in a variety of fields, including technology e-commerce, professional services and digital media. In short, we use data privacy to transform the way companies do business. Together. We’re creating a future where there is greater trust between companies and consumers to learn more and to check out our best selling book, Data Reimagined: Building Trust One Byte at a Time. Visit redcloveradvisors.com. Today we have a special guest for one of our special parenting protecting children’s episodes, and today seems kind of a fun, appropriate day to have this, because the day we’re recording is sort of a fun and special day. Justin, do you remember why it’s a fun and special day? Why don’t you tell us? No, I want to know if you remember. No, I want it. No, your turn. You did two beeps.

Justin Daniels 2:08

Your turn. Yes, I have to throw you off because it’s fun. Your turn. I guess it’s what today, 18 years ago today, the two of us got married.

Jodi Daniels 2:19

It’s our 18th wedding anniversary, and we love you all so much we are recording a podcast. So with that being said, let’s get started, because we have Steve Blair, who is the Senior privacy and security test program leader at Consumer Reports, here to talk about how safe are kids GPS trackers and smartwatches. Justin, you want to get us started,

Justin Daniels 2:48

of course, Sue Steve. Oh, why don’t you tell us about your career journey and how you came to focus on digital security and privacy at Consumer Reports.

Steve Blair 3:03

Oh, well, first of all, happy anniversary. But yeah, thank you. I first started out being a literal dig Ditcher. I was just interested in technology through like the AOL days of dial up and chat rooms and what have you, and getting kicked out of those through various pieces of software. And rather than get infuriated by it, I was a little bit like intrigued by it. And so that led me down the path of getting involved in, you know, general technology and networking and what have you. I worked for various smaller, you know, IT companies, and then eventually to Motorola, where I was doing their mobile computer division, you know, types of things that you see at, you know, Home Depot and that type of stuff, and the scanners and what have you. And what was interesting about that is, as I, as I went through that in the testing validation section of that of that particular division was, there’s a lot of different sensors, right? A lot of different technologies that were built into those, those products, right? So, yeah, GPS, Bluetooth, infrared, NFC, you know, lasers, bar codes. So I had quite a bit of knowledge, you know, to be able to determine what was working, what wasn’t working, what wasn’t working, how things should be working, with all of those different things. And so this rolled on and on, and basically Motorola split to motor oil solutions, and then zebra acquired them. And I basically didn’t change my seat. I came with the building, so to speak, but I was there for a long time, and eventually I was doing their security for that, for those types of products. And then I heard that Consumer Reports was doing, you know, working in a similar field, and looking to, you know, expand into consumer products and what have you. And it’s very interesting, because in the security world, it’s very cloak and daggery, right? It’s very hush hushy, and, you know, NDAs and what have you. And Consumer Reports very interesting in that. When you find a problem for and then it’s fixed, right? If you find a problem, you get to yell about it, and that’s that’s new, right? And so I like that, and I like the fact that, you know, there’s a, there’s a wide berth of folks that you’re helping when you’re finding these types of things in these consumer products. So I made the move over here, and I’ve been to at Consumer Reports for a little over five years now, and it’s been going great.

Jodi Daniels 5:23

Well, that’s amazing. We have, you know, as a parent, I’m concerned about all these different trackers all over the place, and I know we have a lot of parents in our audience, so Consumer Reports recently looked at, as I mentioned before, GPS trackers and wearables that are designed for kids. What were the most surprising findings when it came to privacy and data collection practices in these devices?

Steve Blair 5:49

Well, I’m a little jaded in that area. Surprise, I’ve we test IoT products constantly, and as you may or may not know, the s in IoT stands for security, so there’s not much surprising as far as like practices concerned that I see these days. But the thing I thought was interesting was, during the course of the testing, we found that specific devices were storing direct messages between the parents and the kids in an unencrypted database on the phone itself. To be fair, that database wasn’t a protected protected area of the phone, but with root access, we’re able to see that it was stored in unencrypted manner. And that type of behaviors, you know, kind of raise our eyebrows, you know, like, why not just encrypt? Why not just encrypt? And we find that we ask that question a lot, why not just equip? Just equip so, so that that’s the type of stuff that that, you know, we found, and we spoke to the companies about it, and, you know, we’ve always, whenever we find a problem or unusual behavior or poor behavior, or whatever, not the best practices, we reach out to those companies and we try to work with them in order for them to raise the bar and get the products and services to be better.

Jodi Daniels 7:05

I’m curious you were saying that kind of rhetorical question back to companies, why not encrypt what is some of the reasons you get back?

Steve Blair 7:14

Well, some of the reasons make sense, right? So for example, let’s use, I don’t know, security cameras is a good example, right? So end to end encryption on a security camera sounds like a great idea, right? Obviously, you’re in a secure area. It could be sensitive, you know, whatever the case may be. So yeah, ideally, you don’t want anyone getting access to those feeds. So end to end encryption would be ideal, right? Meaning, no one can access it, right? It’s a server to client connection. However, if you do things like that, you can start to lose functionality that you might want, right? So motion detection or facial recognition or something to that effect, that mean you might get an alert. Someone just came in, right? It’s like a motion detection Well, if it’s anti encrypted, it’s just a stream of gobbledygook, and nobody knows what a detection or whatever is, so it can’t give you a lot of the features, or some things, any of the features that you might want. So in some cases, perfect or not really perfect, but like, end to end, encryption isn’t, isn’t an option that the consumer would want, right? But in a lot of cases, we, I found that there’s really no need to not encrypt some of this data. But there are situations like I just described, in which, you know, it’s understandable if you don’t want to go all the way out, but, you know, we, we’re always concerned that that, you know, perfect is the enemy of good or better, right? So we’re trying to, we’re trying to push that. We’re trying to push the ball closer to the overall goal.

Jodi Daniels 8:44

That makes sense. Thanks for explaining.

Justin Daniels 8:48

Well, in your research, when you look at these devices like I know there’s an app once the kids start driving, that the parents like to have so when they’re driving around, I mean, it tells you, not only where they’re going, how fast the car is going. What happens with a lot of that data? Is any of that data sold? Is it going to places that the parents don’t expect? I mean, where my kid is going on Saturday night? I don’t know that. I want that information out in the

Steve Blair 9:18

public domain. Yeah, as a father of two teams myself, one who is starting to drive terrifyingly anyway, but yeah, it’s hard to determine it, and it depends on the service that you’re utilizing, right So, and the manner in which the service is accessed, example. You have an app on a smartphone, it may have access to other files on your phone, or have access to be able to determine what other apps are running on your phone, and things of that nature you may not want that. That’s the type of information that something like a web interface would not have access to, right? Right? And again, it’s a lot of and it’s hard, right? So, so that type of information is difficult to determine, because it varies from company to company, and in some cases, situation, depending on the age of the kid, right? The child is under the age of 13. The data, data, laws or practices, Altar, based on laws and what have you, right? So, but generally speaking, it’s a matter of looking through the privacy policies, and that can be brutal, right, trying to dig through that data. You know, nowadays we have AI, which is llms are good at looking at large pieces of text and answering a question, but we do look through that type of data, and we look to see if data sales are occurring and what have you, and we check all of that at Consumer Reports with our testing framework. It’s called the Digital standard, and it’s a little unique from this and other frameworks that that are tested against, because we do look for policies for stuff like data control, data retention, if the company has a vulnerability disclosure program, things of that nature. But really the only way to determine if it’s being sold or not is to look through those pieces of you know information that are available on the on the web that the company is explaining to you, or looking at the interface itself and seeing if there’s some form of like a post installation privacy controls of some way, right? So, a quick way to determine if they’re selling it or they’re not selling it, or if you can control if they’re selling it or not selling it, is to see if the app or the system that you’re using has a feature to control that, right? Or to see if the company has a feature or means of contacting them or otherwise into, you know, interfacing with the service, to control your data, delete your data, you know, correct your data, things of that nature. So, long story short, definitely, maybe it depends, right? It’s a very liquid area.

Jodi Daniels 12:00

Were there situations where you found, perhaps the manufacturers stating, we do, we’re only going to use the data for the service, we’re not going to collect certain types of information. But then, actually, they were doing those things. So it was the opposite of what was stated,

Steve Blair 12:21

We have found things similar to that, not necessarily outright, you know, lying, so to speak, but like, for example, when we were talking about the location data earlier, right? We found that those messages stored on the phone in an unencrypted way. So we reached out to the company. The company comes back and says, chat messages are not backed up or stored by Google. Cool, that’s not what we’re talking about, right? So, no, no, we’re saying it was here in this area. And they say, well, it’s encrypted, you know, in transit and at rest. We’re like, we’re not out rest here, right? So, like, there are times where that happens. A lot of times it seems like there’s a little bit of talk around the scenario, rather than directly to it. But yes, to answer your question, we have found there have been cases of companies saying they’re doing one thing, and we find direct evidence that they’re not we usually, I mean that usually, we call them out every time on it, we bring receipts, right? But like, from a consumer perspective, it’s, it’s very, it’s very difficult in this space to to know what’s good and what’s bad and what’s happening. That’s why we’re doing so much work in this area, you know. But basically, you know, as a consumer, I’m always in karate stance. You know, it’s always something’s gonna happen. So it’s hard to, it’s hard to just relax in this, in this ecosystem,

Jodi Daniels 13:48

unfortunately, and it sounds like as a consumer and as a parent, I I can read, I then also need to download and likely go through all the different settings to figure out is there more happening before I feel really, if I’m a parent who doesn’t want that information shared elsewhere, it sounds like I’d have to sign up for the service and then test it to really validate what I’m reading.

Steve Blair 14:15

So sometimes you don’t have to sign up. And yes, that’s why we when we speak to manufacturers about these different policies and different policies and different things like that that we’re working at. We ask that they put it on their website so that you can see what those policies are before you actually purchase the product. Which makes sense, right? Obviously, there’s no point in buying something and then saying, Well, I don’t want this when it’s in your hand already. So that’s something that we’re really Yeah, so that’s something we’re really pushing for. But to your to your earlier point, there’s downloading the app and stuff like that. That is a good methodology, because generally speaking, when you’re loading the app, it’ll start to ask for permissions. And so if you have a GPS, you know, device for your child, for example, and the and it starts saying, like, well, I need access to the cat. Camera, and I need access to, like, some unusual sensors that you don’t really need in order to do what you want the application to do. Now, to be fair, the application might also say like, well, it needs that. It needs access to the camera so that you can have a picture of your child and that, well, maybe you don’t want that either, right? So to go through those types of things and only agree to the you know, permissions that make sense for your use of that product is helpful. And then also, like I said earlier, to like, take a look at the settings if you can, and determine if there’s some means of privacy controls within the app. And generally speaking, if that happens, and again, is it very general, right? But at least, at least points to the company having at least thought a little bit about privacy and security and that kind of the thing. So another good tell, if we were playing poker, would be, are the data collection features right? Like whatever, whatever those might be, right? Are they off by default, or are they on by default? Right? If there’s an automatic update setting, is it enabled by default? So things of that nature can can be a little bit of insight into if the company has, like even given a thought to privacy and security in general in their

Justin Daniels 16:20

products, as a person who obviously has two teenage teenagers, and then you test these products. How accessible do you find to go into the settings and toggle on or toggle off what you want? Well, we do, or do you find different manufacturers make it more difficult or easy. Like I find Apple, it’s fairly straightforward, but then you have other ones where you have to go through like seven menus, and they you can do it. They just make it as insanely inconvenient as possible to do it.

Steve Blair 16:55

Yeah, I agree with that assessment as well. Some are easier, some are harder. Like I mentioned earlier, I worked for Motorola. I didn’t make Motorola. I didn’t work for Motorola for so I was actively involved with, like, the beginning of Android. So I’m, like, an Android guy, because I can, like, make a dance if I need to, right? But, like, I’m an unusual scenario in which the systems administrator, network administrator, you know, I can block this and do that, and so a lot of people don’t have that type of setup. And a lot of people aren’t quite to be, you know, be blunt, not as, like, severely paranoid as I am in this area. So like, you know what happens I find with my kids especially, and my poor kids have to deal with this constantly because I’m their dad, and this is what I do, right? But like, I’ll say, hey, look, you know, don’t do this because of this, and you know, they get it. But what I’m saying is, like some of the different products they use, like you said, some of them make it where you have to do some ridiculous situation to control that type of data, right, to control your own data, whereas others don’t. So what we end up doing as a household, you know, here, the household of the privacy expert, is we tend to buy the products that give us the better options and the better permissions and the ability to control our stuff. So, you know, it might be the most popular thing in the world, but we’re trying to use the best thing in the world. You know, for that, for those purposes, and so, yeah, like, ultimately, like, the cream rises to the top, you know, so we’re trying to use and to support the companies and the services and whatever that are doing the right thing in that area.

Jodi Daniels 18:37

For those parents who are not as tech savvy as you are sorry. What would you recommend they do to help them evaluate so if we sort of wrapped up and summarized there’s there’s all these different devices, you know, they’re tracking, there’s safety, privacy, security concerns, what two to three tips might you recommend to a parent to pick the ones that they’re going to find are best seated for for them?

Steve Blair 19:07

No, that is a phenomenal question that is asked about a million times to anyone in my seat, right? And I would say it’s the best what you want to do is you want to find the best options based on what you’re concerned about with the items that you have right? Like, meaning you have a smartphone. You’re worried about this, you have app trackers, you’re worried about that. You have whatever. There’s actually consumer ports has a tool for that. It’s free and it’s online. It’s called Security planner, and it’s a step by step kind of a situation where you say, Hi, I I’m worried about these things. I have these devices. Please tell me what to do in order to take care of that. My you know, my concerns in that area. Like I said, it’s a free tool, doesn’t track it’s very nice, has a long UU ID, which anyone doesn’t want to know what that means. It’s like a unique string of characters. The so that you can save your progress without, like, logging in, right? And then it’s unique to you, and you can go back and finish it as needed. That’s a nice tool. But generally speaking, you know, it’s gonna, I think the device that the advice that we were giving out earlier of looking through the privacy policies, trying to see if there’s some manner of contacting the company for security concerns to edit or correct or delete or access your data. That’s nice. Looking for things that have letter for children. Specifically look for terms like Copa, the CEO PPA, which is the Child Online Privacy Protection Act. Is that right? Think that’s right. Yeah, thank you. So many acronyms, but yeah, things of that nature, or CCPA, which is the California Privacy Act as well. So, like, things of that nature, are a baseline, at least, of privacy and security protections. And then, you know, you know, you can, you can start looking from there, like we’re saying earlier, seeing if they have some sort of features, post setup, or things of that nature. Or, you know, take a look at again, and not to like, you know, it’s, we’re not selling a product, it’s a free service. You could utilize security planner at Consumer Reports and and that may be very helpful to you as well. I’ve had several people comment. I thought that would help them quite a bit

Jodi Daniels 21:23

in that area. Yeah, it’s a really interesting tool. I did not know about it, so thanks for sharing. Oh, good.

Justin Daniels 21:34

I had another question, please. Maybe this is from a personal parent perspective. Okay, sometimes your kids will go to conferences or go to social events, maybe out of town, and in order for them to communicate, you have to download an app. And if you don’t download the app, then your child is kind of stymied from communicating with people at this event, but then, if you download the app, some of these apps don’t have very good security, and it really puts a parent in a, really a no win situation,

Steve Blair 22:13

yeah, That sounds like it. That’s an interesting question. I I mean, I suppose, right off the top of my head, right? I would suggest you have to ask yourself, is the juice worth the squeeze, as my father would say, right? So do you really need this? Like? Do you really need this? And if you do, you have to make a determination of like, is it worth doing to you, you know, if you, if you utilize the app during these particular circumstances and then delete it right away? Is that an option? Is it an option to, you know, sandbox the application if you have that type of knowledge or a device that can do that type of a thing? Can you do that? Not everybody has, not everybody has a stack of phones that they can choose from to do whatever they want. Again, I’m in an unusual position, right? But like, so there’s, there’s colors there, well, yeah, well, I had to start differentiating. Is a little confusing after a while, but in any case, yeah. So, so that type of behavior, I can’t hurt. Look, I’m a child of the 80s, right? I It kills me that you need an app for everything. I remember when you needed an app for nothing and you could still do stuff. It was crazy. But, you know, nowadays, it’s a brave new world, I suppose. So. I guess my best suggestions to that is, again, like make a determination if it’s absolutely 100% needed, and if it is, you know, see if you can stymie it in any ways. Like I said, if you find that it’s it’s, if it’s a messaging app and it’s asking for location, try to disable a location, you know, try to bring it in as much as you can if you absolutely need to use it. And you know, when you’re done using it, you can remove it. And then you know, potentially too, you could make a note and see if that company has some sort of form of being able to contact them in the future and say, Hey, I used your app, and I would like you to delete all my data please. Thank you very much. That might be an option.

Jodi Daniels 24:17

You’ve shared a lot of great tips now imagine and you’re at a party and people figure out what you do, yep. What is your favorite privacy tip to share with them that you didn’t

Steve Blair 24:31

already say privacy tip? Ah, privacy tip. Favorite privacy tip, man, I was hoping you didn’t say security

Jodi Daniels 24:41

tip, because that’s easy. You can have a security but, okay, yeah,

Steve Blair 24:45

security tip, super simple. It’s if you can do nothing else, keep everything updated. That’s, that’s all you can, like, that’s if you have to do one thing update. Right. From a privacy perspective, I think one of the more interesting ones is. Like, Oh, maybe, let me think maybe, plus addressing you familiar with that, this is an unusual little bit that you can do sometimes, and it doesn’t really help you. I don’t know if it really helps you, helps you, but like it at least gives you a little bit of information and like into who might be sharing your data and what have you. But usually, I always suggest using security planner, and I suggest, you know, opting out of everything you can opt out of from a privacy perspective, you know, as as best you can. But there’s something called plus addressing you can do with your email as well. And I don’t know if it’s really a privacy thing in general, but it’s a neat little tip that helps you understand, in some cases, who might be selling your data. What that does is, you have your email address right and then, so let’s say it’s my name at email com, so you can say my name and then put a-plus sign, and then whatever text you want at email com, and that works as an email so for example, if you sign up with a, you know, some sort of meet up, or something like that. You could say Steve plus meetup at email com, right? And then that’s the email that they have. So when you get emails from them, it comes in as Steve plus meetup, and you see it, and you know, it’s them, and all of a sudden, you’ve got something from Ikea that comes up with Steve plus meetup. Well, you know that meetup has now sold your data to IKEA to send you that information. So things of that nature, you know that it’s an interesting little tip. It doesn’t really help specifically, I don’t know, but it kind of like raises awareness a little bit better. And it may it may it may help a bit more, but generally speaking, just try to opt out of everything. If you can unsubscribe to emails, a lot of those things do work. They’ll take you off the list, and eventually it may keep selling a list, but eventually your name won’t be on it, right? So if this the privacy world is so many moving parts. It’s very, very difficult to to give like one piece of advice, right? But just generally speaking, find alternatives, right? Makes sense.

Justin Daniels 27:12

So when you’re not out testing these devices and trying to help consumers make informed decisions, what do you like to do for fun?

Steve Blair 27:21

That’s kind of funny. I’m an outdoors kind of a person. My family and I very outdoorsy, you know, hunting, fishing, camping. We have a large camper that we pulled around the country and and, you know, it’s, I don’t know if it’s really called camping anymore. It’s basically a hotel room behind us, but, you know, we do that kind of thing. We’re engaged in that type of behavior, basically anything that doesn’t involve looking at a screen anymore. I think that’s become, like, the the hill that you roll down, right? It’s, you know, IT systems, Administrator, network administrator, chicken farmer, like, you just, like, I don’t want to see it anymore. So that’s kind of the types of type of stuff that we do is, like, outdoorsy stuff. I’m also a purple belt in Brazilian Jiu Jitsu, and I’ve been, I’ve been training that for about eight years now. So that’s another thing I like to do that. I mean, I’m an older guy. I’m not competing or anything. But like, good to you know, stay on the match, stay active.

Jodi Daniels 28:18

I think you have a lot of people who share your I want nothing to do with the screen and their fun activities is becoming even more and more common. Steve, we’re so glad that you came to join us today. If people would like to connect or learn more, where should they go? Like for a security planner, for example, where? Where should they go to find that?

Steve Blair 28:36

Oh, they can just go to Consumer Reports the website, and on the website, they have a digital a digital link, digital security link. So if you, if you just go to Consumer Reports that org, click on the digital security link right on the top there, and it’ll bring you to all these different tools, different questions that we answer, for example, proactive steps to keep the data safe. And, you know, how do we set up our connected products in a safe manner? And how do I stop companies from selling my data things of that nature. There’s a video of me hacking a bunch of video doorbells. I just had a shout out to myself. You’ll notice I’m wearing a Hawaiian shirt, because I’m always wearing a Hawaiian shirt. And, yeah, it has links to that tool, that security planner, tool that I mentioned earlier. So that’s the spot consumer reports.org and just click on the digital security on the top.

Jodi Daniels 29:36

Amazing. Well, Steve, thank you again. So much. We really appreciate it.

Steve Blair 29:39

Oh, thank you so much. It’s a pleasure talking with you.

Outro 29:46

Thanks for listening to the She Said Privacy/He Said Security Podcast. If you haven’t already, be sure to click Subscribe to get future episodes and check us out on LinkedIn. See you next time.