Parents should think twice about buying their children internet-connected toys this Christmas after a report by Norway's Consumer Council (NCC) found that many "failed miserably" at safeguarding children against spying attacks. According to the study, a number of popular toys that can talk and interpret speech lack basic security measures to protect them against snooping attacks, and may be in violation of European laws set up to protect the privacy of children online.
The NCC tested three internet-connected toys for its study: My Friend Cayla and i-Que Intelligent Robot, both manufactured by Genesis Toys, and Hello Barbie by Mattel. All three feature voice recognition and talk-back features allowing children to talk to the toys and receive answers via the internet.
The toys work by recording a child's voice and then uploading it to internet servers as an encrypted file. Cayla and i-Que use similar technology and connect through a user's phone or tablet, while Hello Barbie connects directly to the internet through Wi-Fi.
The study revealed "several serious issues" with the products manufactured by Genesis Toys both in terms of device security and how it handles audio files recorded by children. Cayla and i-Que both act as Bluetooth headsets when connected to a device and require no authorisation to access. As such, anyone within range of the toys could easily speak or listen through them without needing physical access.
The NCC pointed out that this lack of security could easily have been prevented by requiring physical access to the toy, for example by having the user press a button when pairing their phone with it.
Although Mattel's Hello Barbie toy is exposed to the internet via Wi-Fi, the NCC wasn't able to find any loopholes that would allow attackers to intercept the data it sent to its servers. And, unlike the toys by Genesis, the microphone on Mattel's doll can only be used by pushing a physical hardware button, making it insusceptible to software attacks.
The report also found questionable terms in Genesis' terms of service, which require users to agree to its policies being changed without notice and consent to their data being shared with third parties. Under the same terms, Nuance Communications, which provides the speech recognition technologies for the toys, reserves the right to share anything a child tells the dolls with third parties.
Child advocacy, consumer rights and privacy groups in Europe and the United States have now called on the Federal Trade Commission (FTC) to investigate and take action against Genesis Toys and Nuance Communications on the grounds that they use "unfair and deceptive practices" to collect personal data from children and put their privacy at risk.
Specifically, the complaint states that the companies "unfairly and deceptively collect, use, and disclose audio files of children's voices without providing adequate notice or obtaining verified parental consent." It also highlights Genesis' failure to properly secure its toys against unauthorised access, thereby allowing anyone to eavesdrop on children's conversations.
"With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices," said Claire Gartland, director of the Electronic Privacy Information Center (EPIC). "The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain."
According to the NCC, at least 18 consumer organisations from 15 countries in the EU and the US will take action against the connected toy manufacturers, including the Campaign for a Commercial Free Childhood (CCFC), the Center for Digital Democracy (CDD), Consumers Union, and EPIC.
Kathryn Montgomery, Professor of Communication at American University and consultant to CDD, said: "Children today are growing up immersed in a digital world, where mobile devices, games, apps, and now a new generation of Internet-toys are profoundly shaping their social interactions, personal experiences, and behaviours. Regulators need to ensure that children will be able to reap the benefits of these digital technologies without being subjected to harmful practices that undermine their privacy, safety, and well-being."