Browse all articles

Privacy and Security Evaluation of the Facebook Portal smart speaker

Learn about Facebook Portal's privacy and security features

Girard Kelly | November 26, 2019

The Common Sense Privacy Program evaluates the privacy policies of popular consumer and education technology applications and services that are currently used by millions of children at home and in the classroom. The Privacy Program evaluated the privacy practices of a popular smart tech device called Facebook Portal, which contains a virtual assistant from Amazon called Alexa.

In addition, we also performed a hands-on basic security test of the device for parents and teachers to learn more about its security practices and how they compare to other popular smart speakers that have virtual assistants. When evaluating whether to use smart tech paired with a mobile app at home or in the classroom, parents and teachers need a comprehensive understanding of both the privacy and security practices of a smart device. Our approach lets us compare what the smart tech company says they do with data with what our limited testing can observe about what they actually do with data. We can observe what data goes to and from the device, but we can't necessarily see what happens with the data when it reaches the external destination. Our findings are intended to help parents and teachers make better informed decisions about whether to buy this device or similar smart devices for use with their children at home or with students at school.

What is smart tech? 

The category of smart devices, or the Internet of Things (IoT), covers all the objects or devices used in your home, office, or school that are connected to the internet. More and more of these smart devices are being used by children as toys at home and with students as learning tools in the classroom every day. Smart tech companies claim their devices provide greater convenience and new learning opportunities for children and students, but they also collect and share more information than ever. Connected devices and household gadgets can collect all kinds of sensitive information -- anything from audio and visual recordings of your home to the names of shows you watch, the number of steps you've taken, your child's precise location, how and when you sleep, and even the foods you eat.

Product Details

Company:

Facebook

Name: 

Facebook Portal

Link:

https://portal.facebook.com/

Price:

$179

Category:

Smart Speakers and Virtual Assistants

Description: 

Facebook Portal is a smart speaker video calling device that integrates Amazon's virtual assistant, Alexa.

Intended Audience

 

Home

School

Consumers (over 18)

Consumers can set up and control their Facebook Portal to use smart video calling with Alexa built in, check their front door, and play music.

None.

Kids (under 13)

Kids can use Facebook Portal at home to listen to music, display their favorite photos, and share photos and videos instantly on Facebook, Instagram, and Messenger.

Kids can use Facebook Portal in the classroom to ask questions, play music, tell jokes, make video calls, and play games.

Students (K-12)

Students can use Facebook Portal at home to help answer homework questions, hear the news, set timers, or play study music.

Students can use Facebook Portal in the classroom to answer questions during a lesson, translate languages, or even learn how to program with the Facebook Portal developers program.

Bottom Line

Best Video Calling: The product offers great smart video calling features with augmented reality effects, but parents and teachers should use with caution because of its potential to collect a large amount of data about children or students through the device and bundled apps.

 

Pros

Cons

1.

Data Secure: User data is encrypted between the device, mobile app, and the cloud.

Ads and Tracking: Facebook states it is not tracking video or audio content on the Portal device to target ads, but it is collecting data from users for ad targeting purposes on the Facebook, Messenger, Alexa, and WhatsApp apps.  

2.

Easy Set-up: Facebook Portal can be set up and activated on the device itself.

Too Many Apps: Facebook Portal requires users to install the Portal, Facebook, Facebook Messenger, and Alexa apps for the best experience to make calls to others on Messenger within the Facebook ecosystem or using WhatsApp.

3.

Story Time: Facebook Portal has stories for kids and brings them to life with music, animation, and augmented reality effects.

Third-party Apps: Facebook Portal allows for the use of third-party apps, which may not meet minimum requirements for privacy or security and could put a child's personal information at risk. 

Software

Facebook Portal is bundled with the following apps:

 Portal (iOS, Google Play)

 Facebook (iOS, Google Play)

 Facebook Messenger (iOS, Google Play)

 Alexa (iOS, Google Play)

 WhatsApp (iOS, Google Play)

 Instagram (iOS, Google Play)

Device Set-up

Facebook Portal requires activation on the device itself, and after connecting to a Wi-Fi network, the device downloads a software update. During the software update, the Portal device gives users a tour of its features, including "Superframe," which displays Facebook and Instagram photos on the device when it is not in use. Other features include notification of the online status of Facebook friends, connecting third-party apps, playing augmented reality games, listening to music together, and special story time with children's characters. The Facebook mobile application launches with a welcome screen. Once logged in, the app asks the user for opt-in consent to receive Facebook app notifications and prompts the user to set up their new Portal device. In addition, the Facebook app connects to the Facebook Portal device via a PIN number and Portal is then associated with that user's Facebook account. Lastly, the Portal device prompts the user to connect their Facebook account to their Amazon account in order to activate Alexa on Portal.

         

Create an Account

A user is asked to enter their existing Facebook username and password to personalize their Portal device. If a user does not have a Facebook account, they can create an new one and enter their birth date to verify they are over 13 years of age. If the user is over 13, they are prompted to enter their full name, email address, and password. Once a user confirms that they have access to the email address registered with their new Facebook account, they are then prompted to set up their Facebook account and their new Portal device.

         

Parental Controls

There is an age-gate, requiring a user to enter a birth date to confirm their age when creating a new Facebook account. A user under 13 years of age cannot create a new Facebook account and use a Portal device without parental consent and the use of an adult's Facebook account. If a user under the age of 13 provides their birth date, the user is prompted to enter a "valid birth date," which is not a strong age-gate feature and likely encourages users under the age of 13 to simply change their birth date to register for an account. Confusingly, depending on the birth year selected during account registration, the process lets users under 13 years of age complete the account registration process by providing their personal information and email address, but instead of a "valid birth date" error, it simply displays an error message on the final step of the account creation process. 

         

Portal Set-up

The Portal app allows the user to customize their Portal experience with their Facebook account. The app prompts the user to display their mobile device camera photos on the Portal device and asks for opt-in consent to transfer photos from the mobile device to Facebook. In addition, the Portal app encourages the user to download the Facebook Messenger app to send and receive calls. 

       

Getting Started

The Portal app home screen allows the user to call thr Portal device, personalize the photos in the Superframe, and select favorite contacts to call. In addition, users can customize which types of photos get displayed on the Portal device from their own photos they posted to Facebook, photos from friends they have been tagged in, and photos from their "favorites" album. 

         

Facebook Messenger

The Messenger app uses the Facebook login information and prompts the user to provide their phone number and sync their mobile device contacts with Facebook and the Portal device so they can make video calls. Once logged in, the user can open the Messenger app to chat with friends on their mobile device or on Facebook Portal between any other Facebook Portal user, Facebook Messenger user, or WhatsApp user.

       

Hardware

Facebook Portal's hardware is packed with new technologies, which also means that the device has data-collection capabilities that raise privacy and security concerns. Learn more about what's inside Facebook Portal and read our tips on privacy and security below.

Device Collection Details

 

Listening Indicator

Personal Information

Camera Access

Video Access

Microphone Access

Location Access

App:

Yes

Yes

Yes

Yes

Yes

Yes

Device:

Yes

Yes

Yes

Yes

Yes

Yes

What can all that hardware do?

Facebook Portal has a "brain" with a ARM-based digital media processor chip that runs a custom Android operating system. That means Portal can hear voice commands over the music playing and can quickly collect and process information within the device itself.

Tip: The more information collected and processed, the more privacy and security risk there is for that information.

Facebook Portal can “feel” with a mute and camera cover button on top of the device and capacitive touch sensors to pinpoint the force of your finger on the screen interface. That means Portal can collect information about which button was pressed on the screen in order to control the device.

Tip: Information collected about a child’s or student's use of a product's features over time is typically called "usage information" or "behavioral information."

Facebook Portal has "ears" with a four-microphone array to listen for voice commands. That means Portal can listen to and process multiple conversations at the same time, filter out music when listening to voice commands, and focus on the direction voices and sounds are coming from. 

Tip: Audio information about the duration, tone, pitch, and content of voice communications, as well as when and where those communications happened, may contain personal or sensitive information. This is a risk to a greater number of people's privacy when Portal is used in a public place, office space, or classroom than when it's used in a private home. For example, houseguests should have the right to know that smart speakers are in use before entering the home, and students should know that smart speakers are in use before entering the classroom.

Facebook Portal has a voice with the help of Alexa that is spoken through its speakers that make synthesized sounds and respond to voice commands. That means Portal knows which sounds it makes and the content of the synthesized conversations it has with users. In addition, Portal has 10W front-porting stereo speakers and a rear woofer.

Tip: Information about the duration and content of spoken responses Portal gives to users, and when and where Portal gives those responses, may contain personal or sensitive information and may be audible to others. This is a risk to a greater number of people's privacy when Portal is used in a public place, office space, or classroom than when it's used in a private home.

Facebook Portal has "eyes" with a 13-megapixel (MP) camera with a wide 114-degree field of view. That means Portal can collect and process images of its surroundings and make decisions on what it sees with real-time computer vision. Also, this means visual images of children or students using the device can be collected and shared with others who may identify specific users in the photos with facial recognition in the Facebook app.

Tip: Visual information collected about users means that photos are created and processed, and they may include personal or sensitive information about children or students. Photos may specifically identify individuals in photos and include metadata such as the identities of all individuals in photos, as well as the times and locations where the photos were taken.

Facebook Portal has a "face" with a 10-inch portrait or landscape HD adaptive touch screen. The Portal device also uses companion iOS and Google Play bundled mobile apps that include Portal, Facebook, Messenger, and Alexa. That means Portal can display images to children and students on the device screen itself or on a mobile device or tablet through the digital screen.

Tip: Information visually displayed to users may contain personal or sensitive information and be visible to others. This is a risk to a greater number of people's privacy when Portal is used in a public place, office space, or classroom than when it's used in a private home.

Facebook Portal has connectivity with 802.11n Wi-Fi and Bluetooth 4.0 for sending and receiving audio. That means Portal can send and receive information it has collected or processed.

Tip: Wi-Fi connections on a smart device or mobile device can send collected information to the cloud for processing and must be encrypted while in transit and while stored in the cloud to remain secure.

Facebook Portal always has energy with an electrical cord that needs to be plugged into a wall outlet at all times. That means Portal is always listening for the wake word "Hey, Portal" to activate and can collect and process information for an unlimited amount of time.

Tip: The longer a device is operational, the more information it can collect and process.

Facebook Portal connects with other apps to provide music, videos, news, games, and more. That means other third-party apps can connect to Portal through Facebook and Alexa in order to collect and use personal information from Portal for a different purpose.

Tip: Devices that allow installing third-party apps can increase the risk that malicious apps are installed that can steal sensitive personal information. Other apps may not have the same privacy and security protections as Facebook and may be able to collect personal data including passwords, or eavesdrop on users even after they think Facebook Portal is no longer listening.

Security Lab Testing

The Privacy Program conducts a hands-on basic security assessment of the 10 most critical security concerns about the collection and sharing of information from a smart device, a mobile application, and the internet. Parents and educators should be aware of the following security risks for this smart device:

Data Sharing

Evaluating data sharing takes into consideration best practices of keeping personal data inside the application or smart device to help protect privacy. Connecting social media accounts could allow people to share personal information with other people and with third-party companies. In addition, installing third-party apps with a smart device could allow the collection and use of personal information for a different purpose.

 

Social Media Accounts

Third-Party App Store

App:

Yes

Yes

Device: Yes Yes
Method: Facebook, Messenger, WhatsApp, and Instagram Portal Apps

Device Safety

Evaluating device safety takes into consideration best practices of using privacy protections by default and limiting potential interactions with others. It’s better to start with the maximum privacy that the app or device can provide, and then give users the choice to change the settings. In addition, users talking to other people through the app or device might permit sharing personal information with strangers.

 

Privacy-Protecting Default Controls

Social Interactions

App:

Yes

Yes

Device:

Yes

Yes

Method: Opt-in Video calls, Messenger, and share to Facebook

Account Protection

Evaluating account protection takes into consideration best practices of using strong passwords and providing accounts for children with parental controls. Strong passwords can help prevent unwanted access to personal information. Children under the age of 13 may not understand when they are sharing personal information, so they should be required to create special accounts with more protection under the law. Lastly, parents can help children under the age of 13 use a device or app with digital well-being protections in mind by using parental controls.

 

Strong Passwords

Child Age Gate

Parental Controls 

App:

Yes

Yes

No

Method: 

Facebook Account

Error Message

None

Device Security

Evaluating device security takes into consideration best practices of securing personal information against unwanted use that is shared between the mobile device, smart tech, and the internet. Keeping personal information encrypted, or masked, protects information while it is on the move. In addition, advertising and tracking requests from the device or app could contain personal information about the user, including what they’re doing with the device or app.

 

Wi-Fi Secure

Bluetooth Secure

Ads

Tracking

App:

Yes

Yes

Yes

Yes

Device:

Yes

Yes

No

Yes

Method:

Encryption

Encryption, but no PIN pairing

Facebook Remarketing

Facebook Custom Audience

Software Updates

Evaluating software updates takes into consideration best practices of keeping a smart device secure with up-to-date software patches and settings. When a company improves its app or device, better privacy and security should be part of the package and should be automatically updated or easy to update.

 

Software updates automatic

Software updates secure

App:

Yes

Yes

Device:

Yes

Yes

Method: Facebook Update Encryption

Privacy Evaluation

In addition to performing a hands-on basic security test, the Privacy Program also evaluates the privacy policies of each smart tech device. We can only evaluate a limited number of privacy and security features with our hands-on testing, so we also need to look at what each company's privacy policy promises it will do. Looking at the policies for a product enables us to see what the company says it will do with the personal information it collects. This allows us to create a truly comprehensive evaluation process with a full, in-depth, 150-point inspection of the privacy policies of a product as well as a basic hands-on security test of its practices. 

Facebook Portal

Summary:

  • Facebook Portal is a device that helps you connect with family and friends, share content and experiences with the people you care about, and discover photos, music, videos, and other content. Facebook is a social media and social networking service that allows users to connect with friends, family and other people they know and share photos and videos, send messages and get updates. The terms state that Facebook allows users to communicate with other users via messages or posts. For example, when users post on Facebook, they select the audience for the post, such as a group, all their friends, the public, or a customized list of people. The terms state that Facebook does not sell users' data to advertisers, including personal information like a user’s name or the content of their Facebook posts. However, the terms state that Facebook may use the information they collect about a user -- including information about their interests, actions and connections -- to select and personalize ads, offers and other sponsored content. The terms state that Facebook is broadly available to everyone, but a child cannot register to use Facebook if they are under 13 years old.

    Facebook Portal can be accessed through its website, and is available for download at the iOS App Store and the Google Play Store. The Privacy Policy and Terms of Use used for this evaluation can be found on Facebook’s websiteiOS App Store, and the Google Play Store. This evaluation only considers policies that have been made publicly available prior to an individual using the application or service.

Privacy Key Findings

Parents and educators should be aware of the following privacy risks for Facebook Portal. The following privacy ratings and evaluation scores come from our privacy evaluations of the policies of Facebook Portal. This product is available on mobile devices and integrated into smart speakers used at home, in businesses, and inside classrooms.

Rating Criteria

The following table illustrates better, worse, and unclear practices with our privacy rating questions. These worse practices can put consumers’ privacy at risk with the use of personal information for third-party marketing, advertising, tracking, or ad-profiling purposes. The color blue means the product's policies disclose better practices, red means they disclose worse practices, and orange means they are unclear as to whether or not the vendor engages in the practice. 

Overall Score (100)

Sell Data

Third-Party Marketing

Behavioral Ads

Third-Party Tracking

Track Users

Ad Profile

59 No No Yes Yes Yes Yes

Concern Scores

In addition to each product's overall score, the more detailed concern category scores in the chart below can help explain a product's rating and can also be helpful in making an informed decision about whether and how to use the product at home, at your company, or in the classroom based on your privacy concerns about the following categories.

Overall Score (100)

Data Collection

Data Sharing

Data Security

Data Rights

Data Sold

Data Safety

Ads & Tracking

Parental Consent

School Purpose

59

50

80

45

85

30

85

55

10

0

If you would like to see how Facebook Portal compares to other popular smart speakers, read our article comparing the Privacy Practices of the Most Popular Smart Speakers with Virtual Assistants.