Why you can trust us

Engadget has been testing and reviewing consumer tech since 2004. Our stories may include affiliate links; if you buy something through a link, we may earn a commission. Read more about how we evaluate products.

Consumer Reports now rates product privacy and security

Good design won't matter if a device leaks your data like a sieve.

Getty Images/Blend Images

When you read a review for a product, you're usually looking for tangible qualities like battery life and performance. As we've seen lately, though, the company's respect for your data matters -- a seemingly perfect gift may turn out to be a privacy nightmare. And Consumer Reports, at least, wants to do something about it. The publication has announced that it will start rating products' privacy and security, and it's working with several partners to create a standard by which products are judged. If a baby monitor or smart TV plays fast and loose with security, you'll know.

Just what is the standard, though? From a cursory glimpse, the privacy standard mostly amounts to a few logical rules. An internet-connected device should ask you to sign in and transmit encrypted data, for example. Companies should also be clear about how they share your data, delete that info on request and behave in an ethical manner (say, not compromising for the sake of advertisers or authoritarian governments). And security? For the most part, it amounts to asking the Cyber Independent Testing Lab to use automated testing tools to look for commonly accepted security practices. CR may also ask experts to hack devices, but it says this is "impractical" for reviewing many products.

The company stresses that this is a "first draft" of its takes on privacy and security, and that it hopes outsiders will help improve its policies. At least for now, it's setting expectations accordingly. These methods definitely won't guarantee that a product is airtight, as automated checks and basic precautions can't account for every possible vulnerability or dodgy privacy practice. Our columnist Violet Blue adds that having just one company involved in security screening could be a problem, since it'll be responsible for everything regardless of whether or not it has expertise in a given area. However, it's being fairly "aggressive" by counting deletion of user data as a positive, Violet says -- companies like Facebook might still fight that expectation.

The biggest challenge may be getting companies to treat these ratings as baselines, rather than as gold standards. The whole point is to have manufacturers thinking about privacy and security when they design a product, not to pat them on the back for accomplishing the bare minimum.