The Kavalan Device Diligence Checklist

1. What is the intended purpose of the device in your home?
2. Who is the device maker?
3. Have there been prior cyber breaches at this vendor?
4. If there was a breach in the past,
   1. how did the device maker respond to the breach?
   2. did the device maker notify customers about the breach in a timely manner?
   3. how did they compensate or protect customers impacted by the breach?
5. How often does the device maker issue patches/updates?
6. What sensors and extensions does the device need in order to function?
   1. Camera, microphone, Bluetooth, network, storage, social media, contact list, etc?
   2. Always needed or can access be limited to only in use?
   3. Full access or ‘as needed’ access?
7. What functionality do you lose if you do not provide access to different sensors?
8. What information does the device collect?
9. Does the device NEED all of the information collected in order to function?
10. Does the device allow apps to collect information?
11. Does the device require subscription to a cloud service in order for it to function?
    1. If so, does the device encrypt network traffic to the cloud service?
12. Does the device require the install of a remote administration app to manage or access the device from outside the home? If so then:
    1. What security protection is included in the app? Passwords? Two-factor?
    2. Does the device use a non-standard network port to communicate with its app?
    3. Does the device encrypt network traffic to the app?
13. Does the device maker have a privacy policy?
14. Are the terms of service and the privacy policy consistent with each other i.e. no conflicting language?
15. Does the device maker update customers when there are changes to the privacy policy?
16. What are the privacy settings internal to the device?
17. Do privacy settings change or reset to factory settings after updates?
18. What does the device or vendor do with the information collected?
19. Does the device maker share information with third parties?
20. Does the device NEED to share information with third parties in order to function?
21. Does the device sell information to third parties?
22. Does the device expose my information to advertisers? If so :
    1. Which companies does it share with?
    2. Does it allow me to opt out of sharing with advertisers?
23. What rights does the device maker allow me to enforce on the privacy policy?
    1. Do not collect
    2. Do not share
    3. Do not sell
    4. Request data record
    5. Delete my data
24. What is the expected lifetime of the device and will the device maker issue patches/updates for that lifetime?
25. What happens to your data when the device maker announces planned obsolescence?
26. Is there a way to backup and/or wipe all the data from the device before disposing it?
27. Will the device still function if the device maker does not exist any more?
28. Do privacy settings change or reset to factory settings after software or firmware updates?
29. Does the device need to be running on the home network all the time?
30. Does the device need to talk to other devices on the network in order to function?

‍