Some holiday gifts sparkle. Others listen, record, and upload the details of your life to Big Tech servers. This year’s hottest gadgets promise friendship, fitness, and futuristic flair, but a growing number of them come with privacy and cybersecurity risks baked right into the design.

Before you wrap that shiny new wearable or smart device, take a closer look. They track conversations, movements, and moments that were never meant to be shared. Here’s our short list of holiday gifts you’ll want to return, recycle, or leave out in the cold.

🐵 Your New AI Friend Is an Annoying Narc

The Friend AI necklace is a terrible idea, but that didn’t stop 200,000 people from buying it. It’s a wearable “smart” pendant you hang around your neck that responds to your voice and the world around you, chiming in with AI-generated encouragement and commentary. Marketing at the company’s $1.8 million domain calls it an “always available companion.” In practice, it’s a personal wiretap you’re encouraged to wear to parties, in school, and at work.

If you’ve ever had an obnoxious friend who gossips and complains constantly, now you can pay for the experience. A WIRED review of the device underscored Friend AI’s “tendency toward snark and confrontation”:

“In testing, the AI companion routinely delivered condescending responses, calling users “whiners” and questioning their life choices… The device’s mood indicator, which glows red during intense or angry responses, became a frequent sight during testing. Users on social media reported similar experiences, with one person documenting a two-hour argument with their AI necklace.”

What really grabbed our attention, however, was a security report posted to Twitter X by Binh Pham, who shared his research with us. In a single afternoon of tinkering, Pham was able to reverse engineer the AI-powered pendant, capturing log data from the device and decoding the microphone audio. Not only is Friend AI an always-on Bluetooth BLE beacon, it has extremely poor security for its communications protocol.

If you’ve got an AI pendant at the office party’s Yankee Swap, resist the urge to throw it in the fireplace and mail it to your worst enemy instead. 😉

🚽 A Livestream From Your Toilet Bowl

It may sound like a comedy sketch, but sometimes reality is stranger than fiction. Kohler has a bold new vision for your bathroom: strap a camera to your toilet for the low, low price of 600 bucks. Even better, “The Dakoda” uploads images to “the cloud.” But that’s not all — customers can access the camera’s insights into their gut health from “optical sensors and validated machine-learning algorithms” with a $7 per month subscription.

Kohler goes to great lengths to describe these “valuable insights into your health and wellness” as high-tech healthcare:

“Data flows to the personalized Kohler Health app, giving users continuous, private awareness of key health and wellness indicators—right on their phone.”

Maybe we’re just old-fashioned, but pairing bowel movements with smartphone-connected analytics sounds like a bad idea. Not to worry, though, because the app uses “end-to-end encryption" to talk to the company’s cloud servers. Or does it?

Security researcher Simon Fondrie Teitler pointed out that Kohler is using the phrase incorrectly. The Dekoda doesn’t use “E2EE” in the sense that users expect, which should mean that even the company running the service can’t access your data. Instead, Kohler can actually decrypt the photos on their end. That only means a promise that you can trust them with your toilet pictures, and is definitely not E2EE, as Zoom found out the hard way in a class-action lawsuit.

Needless to say, our team at Ivy Cyber is horrified by this bathroom surveillance. We only roll out true E2EE in our PrivacySafe apps but, more importantly, we won’t connect our products to your toilet. 🤢

🛏️ Don’t Get Burned By Your Bed When the Internet Goes Down

Welcome to the future of sleep: Internet-of-Things startup Orion now wants to sell you an AI-powered mattress cover that monitors your body all night long. Sensors in the fabric track your temperature, breathing, heart rate, and sleep stages, then send that data to the cloud so algorithms can decide how warm or cool your bed should be. All of this is framed as personalized sleep optimization that helps you “sleep smarter, not harder”:

“We can tell, for example, if your body temperature is heating up, your heart rate’s starting to increase, and you’re getting into a lighter and lighter phase of sleep where you might wake up…”

Sure, the bed learns about your body, with rich metrics about your tossing and turning. But is that all that mattresses are used for? 😉

Even if our most intimate bedroom moments aren’t exposed by the app, other aspects of reproductive health like menstrual cycles are easy targets for “health and wellness trackers.” That could mean personal and legal consequences, a surveillance frontier that is being pioneered by smart rings and fitness trackers.

Not to worry though, because the cloud will take care of it! Or will it?

The past few months have seen multiple cloud outages and, unfortunately, we already know what happens when a “smart mattress” is connected to the Internet. When Amazon’s AWS cloud services went down, the Eight Sleep company’s “Pod” started to go haywire. That left customers in beds that were overheating while they slept and even stuck in an upright position. Who wants to pay thousands of dollars for that?

At Ivy Cyber, we try to warn users about the centralized, cloud-connected world and the perils we’re facing. Sean O’Brien gave this warning in Digital Trends back in October, and it’s proving very true:

“I expect a waterfall effect over the course of the next few months, and we could be in [for] a very long Q4 in an already volatile economy, perhaps with the most pain in cryptocurrency markets…

Most organizations have traded local resilience for global convenience and, by the way, usually sell the privacy of their users down the river with centralized cloud computing as well.”

It’s unfortunate that it has to be said, but it’s a good idea to keep Big Tech out of your bedroom. 🐑

🎁 Give a Smarter Kind of Gift. Enroll in Our Jan 4 Class!

As the year winds down and people take stock of 2025, we want to say thank you. Building Ivy Cyber and our PrivacySafe products this year has been intense, energizing, and occasionally chaotic. Our team now spans four continents, and we’re grateful to everyone who’s shared and stress-tested our work. We’ve rolled out PrivacySafe deployments behind both the Big Tech curtain of the USA and the Great Firewall of China, and we’ve proven the value of our products.

But, we couldn’t have done it without you, our supporters and customers. 💪

If you’re looking for a holiday gift that flips the script on spying and empowers you instead, consider signing up for our Masterclass on Surveillance & Terrorism. For the holiday season, this extensive online course is 50% off.

Learn in online classes led by our surveillance detection expert and CIA whistleblower John Kiriakou as well as Sean O’Brien, digital self-defense guru and founder of Yale Privacy Lab. The class starts January 4 and features three live sessions as well as a ton of material focused on real-world privacy and security strategies you won’t get from social media influencers.

It’s a gift that still works when the cloud goes down, because we run everything on our own privacy-respecting apps and services. Let us help you break free from surveillance this winter. ☃️

🙏 Thank You For Reading!

Join PrivacySafe Social to keep up with our latest news and releases. We’ve got more products fresh out of the oven and you’ll be the first folks who get a taste as we announce them in the new year!

🌍 Find Us Around the Web

We’re getting our message out on:
🌞 PrivacySafe Social: @bitsontape
• Telegram: Bits On Tape
• Blue Sky: @bitsontape.com
• Twitter X: @BitsOnTape
• LinkedIn: Bits On Tape

© Ivy Cyber Consulting LLC. This project is dedicated to ethical Free and Open Source Software and Open Source Hardware. Ivy Cyber™ and Bits On Tape™ are pending trademarks and PrivacySafe® is a registered trademark. All content, unless otherwise noted, is licensed Creative Commons BY-SA 4.0 International.