Toy manufacturer VTech has defended its stance on security amid allegations that its updated terms of service policies aim to shift the liability of any future data breach directly onto its users.
The Hong Kong-based firm, which produces a wide range of electronic toys aimed at children, suffered a major data breach in November last year in which more than six million accounts belonging to parents and children were compromised. The attackers, who targeted the database behind the firm's Learning Lodge app store, gained access to chat logs, audio files and even stored photographs.
VTech then updated its terms of service in December last year with little fanfare. On closer reading, however, the small print has shocked the security industry by explicitly stating that users of its services now do so at their own risk.
"You acknowledge and agree that you assume full responsibility for your use of the site and any software or firmware downloaded therefrom. You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted," state the updated T&Cs.
Once the change came to light, the terms were roundly criticised by a slew of security researchers for placing the entire burden of privacy and security on the end user, the opposite of the position most security-conscious firms take.
However, VTech has said it stands by the updated terms.
"Since learning about the hack of its databases, VTech has worked hard to enhance the security of its websites and services and to safeguard customer information," a VTech spokeswoman told the BBC.
"But no company that operates online can provide a 100% guarantee that it won't be hacked. The Learning Lodge terms and conditions, like the T&Cs for many online sites and services, simply recognise that fact by limiting the company's liability for the acts of third parties such as hackers. Such limitations are commonplace on the web."
"Bad business practice"
Pat Clawson, chief executive of the Blancco Technology Group, has slammed VTech for bad business practices. "When a data breach happens, most companies will make modifications to their terms and conditions. But what VTech is doing is a perfect illustration of what companies should not do – putting the burden of responsibility on the users, instead of the company itself," he said.
"It's not only a bad business practice, but it's also taking the implied stance that as a company VTech doesn't understand the importance of managing data.
"Parents are the ones with the income to buy VTech products for their children. What parent would feel even remotely comfortable buying a toy from a company that blatantly and unapologetically tells them they shouldn't have any expectation of privacy? They are going to have a very difficult time scaling their business with these updated terms and conditions."
Meanwhile, Australian security researcher Troy Hunt, who runs the popular HaveIBeenPwned website, publicly criticised VTech's stance for lacking responsibility. "I'm the first person to acknowledge that there are very few absolutes in security and there always remains some sliver of a risk that things will go wrong but even then, you, as the organisation involved, have to take responsibility," he said.
"The bigger picture here is that companies are building grossly negligent software – not just one mistake in otherwise well-written software – and then simply not being held accountable when it all goes wrong."
Paul Farrington, senior solution architect at security firm Veracode, added that strong security should ultimately be the burden of the manufacturer making the product.
"Toy manufacturers have been subject to quality standards for decades. These help keep our children safe. When a toy becomes connected to the internet, a child is exposed to a potentially hostile environment," he said.
"Regulations have not yet caught up with the need for good application security. We need both cute toys and smart developers to keep our kids both happy and safe."