A good rule of thumb when it comes to internet-connected toys is not to buy them. Security too often sits too low on the priority list of the companies that make them. But in a new report, Mozilla, the nonprofit behind the popular Firefox browser, has a more finely tuned privacy appraisal of not just toys but dozens of popular holiday gifts—some of which may not rate much better than coal.

Mozilla’s “Privacy Not Included” guide, now in its second year, rates 70 products, ranging from toys and smart speakers to a sous vide, across multiple categories. It’s also rolling out—along with advocacy groups Internet Society and Consumers International—new “minimum security requirements,” and awarding badges to items that score high marks.

“We want to provide people information about how to make informed decisions when shopping for gifts that are connected to the internet,” says Ashley Boyd, vice president of advocacy at Mozilla. “These products are becoming really popular. And in some cases, it’s easy to forget that they’re even connected to the internet.”

Among the important signifiers of a trustworthy stocking stuffer, according to Mozilla’s rubric: the use of encryption, pushing automatic software security updates, strong password hygiene, a way to deal with vulnerabilities should they arise, and a privacy policy that doesn’t take a PhD to parse.

The most surprising result of Mozilla’s testing may be how many products actually earned its seal of approval. Thirty-three of the 70 items in the “Privacy Not Included” guide passed muster; fans of the Nintendo Switch, Google Home, and Harry Potter Kano Coding Kit can sleep a little easier. On the other end of the scale, Mozilla highlighted seven products that may not hit the mark—yes, including the sous vide wand, the Anova Precision Cooker. Also scoring low marks in Mozilla's accounting: the DJI Spark Selfie Drone (no encryption, does not require users to change the default password), the Parrot Bebop 2 drone (no encryption, complex privacy policy), and unsurprisingly, at least one baby monitor.

DJI says that there's no indication that the Spark has ever been hacked, other than intentionally by enthusiasts looking for a performance boost. And to its credit, the company is also proactive in fixing issues that do arise; just last week, it patched an authentication bug that would have allowed hackers to access user accounts.

Anova CEO Steve Svajian says that the company plans to add encryption to the next generation of its product, and is exploring ways to add it retroactively to those already on the market. "We take privacy and security very seriously," says Svajian. "It's crucially important for the community to trust what we do."

The remaining 30 items on the list all exist somewhere in the murky middle, usually because Mozilla was unable to confirm at least one attribute. Which may be the real takeaway from the report: Typically, you have no reasonable way to find out if a given internet-connected device is secure. “If you can’t tell, that says that there’s a problem of communication between manufacturers and consumers,” says Boyd. “We would love for makers of these products to be more clear and more transparent about what they’re doing and not doing. That’s a big place we think change is needed.”

Mozilla rightly acknowledges that a survey of 70 products shouldn’t be seen as any sort of definitive buying guide. There are thousands of internet-connected presents waiting to be gifted this year, all of them offering a wide range of privacy controls. But that’s not the point. “The number of products is a drop in the bucket,” adds Boyd. “We’re trying to drive a conversation where manufacturers can see that consumers care about this information. We’re trying to give people essentially a way to look at any product and what to look for, what questions to ask.”