Security Assessment Process
Privacy and security are intertwined, and security is the foundation of effective individual privacy. When evaluating whether to use a smart device at home or in the classroom, parents and teachers need a comprehensive understanding of both the privacy and security practices of a smart device. To create a truly comprehensive evaluation process, the Common Sense Privacy Program combines a full, in-depth, 150-point inspection of the privacy policies of a product with a hands-on security assessment. The result is the most comprehensive privacy and security evaluation of a smart device aimed at children and students currently available.
The Privacy Program conducts a hands-on basic security assessment of the five most critical security practices around the collection of information from a smart device and from a mobile application, and the transmission of information between the device and the app. In addition to this basic security assessment, the program created a full, 80-point inspection of the security practices of a smart device and mobile application.
The following criteria and indicators, covering both the smart device and the mobile application, are used to complete a basic security assessment:
1. Category: Data Collection
- Personal information
- Camera access
- Video access
- Microphone access
- Location access
- Assess whether personal information, audio information, photographic information, and/or video information is collected by the device or application running on a mobile device.
2. Category: Privacy Controls
- App permissions
- Data sharing
- First- or third-party marketing
- Assess whether the default privacy controls or preferences on the mobile application provide strong privacy protections for the user.
3. Category: Account Protection
- Strong passwords used
- Age gate in place
- Parental controls available
- Assess whether a strong password or complex passphrase is required to create an account, and whether no default username or password is used.
- Assess whether there are restrictions on children creating accounts and methods for a parent or guardian to provide consent.
4. Category: Network Security
- Secure Wi-Fi
- Secure Bluetooth
- Assess whether the application's or device's network traffic over Wi-Fi is encrypted.
- Assess whether any Bluetooth connection between the device and mobile application is secured with PIN pairing.
5. Category: Software Updates
- Automatic software and/or firmware updates
- Encrypted software updates
- Assess whether the application or device receives firmware (software on the device used for operation) or update files using encryption.
- Assess whether software or firmware updates are easy to install or automatic.