Another Lawsuit Highlights How Many 'Smart' Toys Violate Privacy, Aren't Secure

from the Barbie-is-a-rat dept

Thu, Dec 8th 2016 1:05pm — Karl Bode

So we've talked a bit about the privacy implications of smart toys, and the fact that people aren't exactly thrilled that Barbie now tracks your childrens' behavior and then uploads that data to the cloud. Like most internet-of-not-so-smart things, these toys often come with flimsy security and only a passing interest in privacy. As such we've increasingly seen events like the Vtech hack, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Unsurprisingly, the collection of kids' babbling while in the company of smart toys continues to ruffle feathers. This week, a coalition of consumer advocates including the Consumer's Union filed suit against Genesis Toys, the maker of two such toys, the My Friend Cayla doll and the i-Que Intelligent Robot. According to the full lawsuit (pdf), the toy maker is violating COPPA (the Childrens’ Online Privacy Protection Act of 1998) by failing to adequately inform parents' that their kids conversations and personal data collected by the toys are being shipped off to servers and third-party companies.

Among the problems cited in the complaint is that the privacy policies governing the collection of kids' data aren't clear, aren't prominently displayed, and often change without notice. Parents aren't properly informed that data is being culled from the toys and sent off to companies like Nuance Communications, most commonly known for its Dragon voice recognition software, but a company that also has prominent roles in healthcare dictation and as a defense contractor. Both toys by proxy are governed by Nuance's privacy policy, which among other things says:

"We may use the information that we collect for our internal purposes to develop, tune, enhance, and improve our products and services, and for advertising and marketing consistent with this Privacy Policy." It continues, “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us."

With the toys being marketed to "ages 4 and up" and being mostly used by kids under age 18, the lawsuit states the companies selling and collecting this toy data are violating COPPA. Under COPPA, companies gathering kids data have to provide notice to, and obtain consent from parents regarding data collection. They also have to provide parents tools to access, review and delete this data if wanted, as well as the parental ability to dictate that the data can be collected, but not shared with third parties. The complaint suggests neither Nuance or Genesis Toys are doing any of this.

And again, privacy is just part of the equation. There's also the fact that these toys just aren't all that secure. A report by the Norwegian Consumer Council (pdf) found that a lot of the data being transmitted by these toys is done so via vanilla, unencrypted HTTP connections that could be subject to man in the middle attacks. Reconfiguring the devices to create in-home surveillance tools was also "very easy and requires little technical know-how," according to the report.

So again, much like all internet of things devices, companies were so excited to integrate internet connectivity, they effectively forgot about user privacy and security. Are we perhaps noticing a ongoing theme yet?

Epic Ipr Ftc Genesis Complaint (PDF)Epic Ipr Ftc Genesis Complaint (Text)

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: coppa, i-que intelligent robot, iot, my friend cayla, privacy, security, smart toys
Companies: genesis toys, nuance

17 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

Anonymous Coward, 8 Dec 2016 @ 1:35pm

I must not get out much...
How are these companies making a profit? I have yet to run into a fried or family member that has purchased this tripe.
[ link to this | view in chronology ]
- View by: Time | Thread, 9 Dec 2016 @ 3:28am
  
  Re: I must not get out much...
  Haha! Fried family member. I'm giving you a funny.
  [ link to this | view in chronology ]
RonKaminsky (profile), 8 Dec 2016 @ 1:41pm

Wrong attack
"unencrypted HTTP connections that could be subject to man in the middle attacks"

Actually, such connections are subject to passive eavesdropping attacks. As in your neighbor simply monitoring the WiFi transmissions.

But still, as highlighted in the post, by far the greatest danger is not using HTTP, it's that the party receiving the information is probably not capable of protecting it properly.
[ link to this | view in chronology ]
- Anonymous Coward, 10 Dec 2016 @ 11:02am
  
  Re: Wrong attack
  The real danger is to spy on children.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Dec 2016 @ 2:14pm

Blame Rule 41
Use the kids' toys to spy on the parents; the kids are just collateral damage.

-- FBI Snitch Barbie
[ link to this | view in chronology ]
Daydream, 8 Dec 2016 @ 2:43pm

Does it count as making terrorist threats if you're playacting with a doll?
"Barbie, Barbie, Michael said his dad doesn't like the [Insert X Event Here], and he's going to blow it up. He already has a big boomy bomb in place and he's just waiting for the group to meet tomorrow and then he'll make tomato chutney. What's tomato chutney?"

...Why is it that while I was reading this post, my first thought was to use it as a means to spread malicious slander?
[ link to this | view in chronology ]
- Vikarti Anatra (profile), 8 Dec 2016 @ 8:32pm
  
  Re: Does it count as making terrorist threats if you're playacting with a doll?
  And after that court will say that children has no reasonably expectation of privacy because data was shared with 3rd party.
  [ link to this | view in chronology ]
Whutevah, 8 Dec 2016 @ 3:22pm

If the kids aren't doing anything wrong then they have nothing to fear.
[ link to this | view in chronology ]
- Anonymous Coward, 8 Dec 2016 @ 4:30pm
  
  Re:
  "If the kids aren't doing anything wrong then they have nothing to fear."
  
  Nothing to fear but fear itself.
  [ link to this | view in chronology ]
Anonymous Coward, 8 Dec 2016 @ 5:07pm

The new must have gift this year is the "If You See Something, Say Something" Barbie.
[ link to this | view in chronology ]
Anonymous Coward, 8 Dec 2016 @ 5:23pm

Barbie is a RAT: A remote access trojan. Only a matter of time until someone hacks a Barbie and uses it to DDoS the internet and/or gain a foothold in a network.
[ link to this | view in chronology ]
Ninja (profile), 9 Dec 2016 @ 2:26am

Do they really need 'smart toys'? I mean, I had a pretty good childhood with pretty dumb toys, some made of plain wood. Why are we inserting 'smart' everywhere when it's not needed?
[ link to this | view in chronology ]
tom (profile), 9 Dec 2016 @ 6:47am

Government officials are mostly clueless about cyber security. Little will be done about these toys until pedophiles hack some to tell little Johnny or Jane to "go to the park to meet Santa". Then there will be a great cry to "Save the Children" and some hasty poorly thought out legislation will happen that will do more harm then good.
[ link to this | view in chronology ]
Anonymous Coward, 9 Dec 2016 @ 6:53am

“If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us."

But, but... Didn't opening the shrinkwrap on the package mean consent was given?
[ link to this | view in chronology ]
I.T. Guy, 9 Dec 2016 @ 7:32am

It's scary the way everything wants your info to sell off to whoever.
[ link to this | view in chronology ]
Anonymous Coward, 9 Dec 2016 @ 8:28am

Mommy, can I play with your toy?
My Little Pwnie:

https://www.cnet.com/news/internet-connected-vibrator-we-vibe-lawsuit-privacy-data/
[ link to this | view in chronology ]
Anonymous Coward, 9 Dec 2016 @ 2:37pm

"these toys often come with flimsy security and only a passing interest in privacy."

Not even that much attention is paid to security and privacy. These companies don't care because they can get away with it and pocket extra money from selling the information they glean. THey have absolutely no reason to do otherwise and every reason to squeeze as much profit they can "for the shareholders" out of these products. Until these companies can be held financially accountable for these practices, to the tune of sacrificing the entire gross profit (to keep them from arguing net profits are negligible like the film industry thanks to corporate shell games and creative accounting) this isn't going to change.
[ link to this | view in chronology ]