There have been reports in the past about security not being up to scratch in some "smart" toys. During the 2015 Christmas season, "Hello Barbie" was scolded for sending data to the cloud in an improperly secured fashion. This earned Hello Barbie's maker, Mattel, the "Big Brother" negative award.
This year, toy maker Genesis Toys who sells its products in many countries all over the world causes concern in parents and privacy advocates. According to research, the toy collects a lot of information such as names, GPS data as well as voice recordings. In a complaint filed with the FTC on December 6th, the collected data is listed:
- Name of the child
- Names of the parents
- Favorite food
- Which school the child goes to
- Favorite TV show
- Favorite Princess
- Favorite toy
The extent of the data collected makes a lot of people feel uneasy. This is very personal data. In the wrong hands this data can spell disaster for families. Nobody wants any of the above information, like the home address and the school's address to be known to predators, much less any information which is normally only accessible to close family members. On top of this, smart toys like those the complaint has been filed for are perfect surveillance devices as they can be hidden in the best place possible: out in plain sight.
The toys are configured using a separate app which is available for iOS and Android. The app requests extensive permissions such as access to the microphone, but does not fully explain the ramifications.
The collected (voice) data is not processed by Genesis Toys. The voice recognition uses technology from an external provider, Nuance Technologies.
Collected data is sent to a server in the USA to be analyzed by the provider. This practice is not uncommon as such: anyone using Siri on an iPhone or iPad is using Apple's equivalent of a similar technology. The analysis of spoken language takes place almost exclusively on a cloud platform because the computing capabilities in a doll or a mobile handset are not sufficient to do al the work.
Things become problematic, though, when dealing with personal data of minors. Another example from the past shows where their problem lies: toy manufacturer VTech faced harsh criticism following the accidental disclosure of thousands of records of children due to a vulnerability in one of their web services. After the incident they modified their terms and conditions and attempted to shift liability for any similar future incidents to the parents.
Welcome to the (legal) Jungle
Let's he honest:
When was the last time you actually read several pages of Terms and Conditions or License Agreements before clicking on that "I accept the Terms and Conditions" button?
Neither Genesis nor Nuance are really hiding what they do with the data collected by the toys. Almost all of it can be found the T&C. Some of it, however, is formulated so vaguely or hidden between the lines that one would be hard-pressed to find those when just skimming over the text. If you want to learn about what Nuance does with the data. the Terms and Conditions direct you to the privacy guidelines of Nuance Communications. In there they explicitly mention that they also use the data for advertising and marketing.
In light of this, it does not come as a surprise that the toys are also used as product placement platform. In the US it was discovered that one of the dolls says that she loves to travel to Disney World and that Epcot Center is her favorite attraction.
Privacy advocates and parents alike are very sensitive when it comes to childrens' private information. Therefore, a major part of the complaint focuses on the fact that children are legally unable to give meaningful consent to the manufacturer's terms and conditions. Minors have limited legal capacity which is also the reason why minors cannot sign or agree to a contract (which. strictly speaking, includes license agreements etc) in a legally binding manner. Also, it cannot be reliably verified if the parents have indeed expressed their consent.
The complaint further states that Nuance claims to comply with all privacy laws. While this might be correct, there are dedicated laws dealing with online privacy of minors with which nuance is not compliant:[...]Nuance represents that it is in compliance with all privacy laws.[...] Nuance's representation is misleading because users may believe that Nuance is complying with COPPA (Child Online Privacy Protection Act, T.B.)).
What parents ca do
Concern is a normal and appropriate reaction to the findings, since some toy manufacturers have a poor record when it comes to privacy. To condemn all electronic toys based on this might be misguided, though. The current reports may serve as a motivation for parents to inform themselves about the topic and then to make a conscious and informed purchase decision.
In any case, parents should be aware of what their kids get to unwrap on boxing day and offer some guidance to their children when they play with their new toys.
Concerns of privacy advocates and legal experts have had an effect, at least for the German market.
According to recent legal opinion (source in German) the "My Friend Cayla" doll can be classified as an "espionage tool" under the German Telecommunications Act (TKG). As such, it can be used to record spoken words in a non-public space and transmit it using radio technology (Bluetooth in this case).
Additionally, its transmitting components are concealed by the body and the clothing of the doll. It is not evident at first glance that the doll is in fact such a transmission device. This qualifies the toy as an "unauthorized concealed transmitting device", according to legal experts as well as the German Bundesnetzagentur.
All sales of the doll in Germany have therefore be halted with immediate effect and any "Cayla" dolls sold must be destroyed. In Germany, both sale and possession of any unauthorized transmission devices constitutes a criminal offense.