German Regulators Urge Parents To Destroy WiFi Connected Doll Over Surveillance Fears

from the barbie-needs-a-new-firewall dept

For a while now, we've discussed how your children's toys are quickly becoming the latest and greatest privacy threat courtesy of cryptic or half-cooked privacy policies and the treatment of device security as an afterthought; rather part and parcel now for the privacy dumpster fire that is the internet of not-so-smart things era. Numerous privacy groups have complained that smart Barbies and other toys not only now hoover up and monetize children's prattle, but leave the door open to the devices being used nefariously by third parties.

The problems culminated in a lawsuit last December here in the States against Genesis Toys, maker of "smart" toys like the My Friend Cayla doll and the i-Que Intelligent Robot. The lawsuit accuses the company of violating COPPA (the Children's Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies. The privacy policy for the toys does warn users that companies like Nuance Communications, also a government defense contractor, will receive this data for analysis:

"We may use the information that we collect for our internal purposes to develop, tune, enhance, and improve our products and services, and for advertising and marketing consistent with this Privacy Policy." It continues, "If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us."

The lawsuit alleges the toys are violating COPPA because they're marketed to "ages 4 and up" and being mostly used by kids under age 18. Under COPPA, companies gathering kids' data have to provide notice to, and obtain consent from, parents regarding data collection. They also have to provide parents tools to access, review and delete this data if wanted, as well as the parental ability to dictate that the data can be collected, but not shared with third parties. The complaint suggests neither Nuance nor Genesis Toys is doing any of this.

But Genesis is also under fire for the fact that these toys just aren't all that secure. A report by the Norwegian Consumer Council (pdf) found that much of the data these toys transmit is sent over plain, unencrypted HTTP connections that could be subject to man-in-the-middle attacks.

While Genesis faces a lawsuit here in the States, the FTC has yet to act against the company. Overseas however, German regulators are taking a different tack and urging parents to destroy the data-collecting dolls entirely:

"An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data. The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications. Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it."

As it stands, German regulators say that a Bluetooth-enabled device could connect to Cayla's speaker and microphone system within a radius of 33 feet. As a result, the doll is being effectively treated as a "concealed transmitting device," illegal under an article in German telecom law. A spokesman for the Federal Network Agency said it doesn't really matter what shape the device took; "it could be an ashtray or fire alarm" and would still be illegal. While demanding destruction of the dolls may be overkill, it's just another example of how privacy and security apathy continue to haunt the IoT space.


Filed Under: dolls, germany, iot, privacy, security, surveillance
Companies: genesis toys


Reader Comments



  1. Roger Strong, 23 Feb 2017 @ 2:53pm

    Up next:

    • DHS demands your My Friend Cayla doll's MAC address at the border.

    • The FBI demands access to the doll's cloud servers because terrorists.

    • Music collecting societies realize that the audio captured by the dolls might include music, and start demanding royalties.

    • Google uses IFTTT to connect the doll to the self-driving car they place it in, to make it appear that the doll is driving. Highway patrol officers declare the doll's behavior "suspicious", and the car is taken via civil asset forfeiture.


  2. Anonymous Anonymous Coward, 23 Feb 2017 @ 3:06pm

    Re:

    But they leave the doll to walk home because the doll didn't actually commit a chargeable crime. The cops receive accommodations for fair play.


  3. orbitalinsertion, 23 Feb 2017 @ 3:14pm

    Where is that ISDS court!?


  4. Anonymous Coward, 23 Feb 2017 @ 4:47pm

    You can use Bluetooth to connect to the doll's speaker? Coupled with the microphone, you basically have a means of talking directly to a child. You could tell the child all sorts of things and the child would think it's the doll talking.

    That is a really scary thought.


  5. Anonymous Coward, 23 Feb 2017 @ 5:20pm

    Smash capitalism

    Now go after Siri and Google Now.


  6. Anonymous Coward, 23 Feb 2017 @ 5:28pm

    used to be it was smart owners and dumb things.


  7. Tin-Foil-Hat, 23 Feb 2017 @ 6:09pm

    Is that necessary

    Do they really have to destroy the doll? They could probably disable it. It's probably not too hard to remove the batteries, circuit board, block the microphone etc.


  8. Anonymous Coward, 23 Feb 2017 @ 6:42pm

    Re: Is that necessary

    Or ... you could have a bit of fun with it, like maybe troll the family pet


  9. Anonymous Coward, 24 Feb 2017 @ 1:42am

    Re:

    - Bill Gates demands the doll be taxed as a human.


  10. Wendy Cockcroft, 24 Feb 2017 @ 7:16am

    Re:

    Hatching a plan to sue the German govt. for interference with a business model.


  11. Anonymous Coward, 24 Feb 2017 @ 7:32am

    Should return to manufacturer, not destroy

    If the purchaser destroys the doll, the manufacturer presumably gets to keep money for the product, even though they knew or reasonably should have known the product was illegal. It would be better to wipe the doll's tiny mind, then return it for a full refund. That leaves the manufacturer with a product they should have known better than to sell, and no money from the early sales to uninformed buyers.


  12. Roger Strong, 24 Feb 2017 @ 9:02am

    Re: Should return to manufacturer, not destroy

    The manufacturer would almost certainly be in a different country with different laws. It's often an import company further down the supply chain that's responsible for ensuring that the product meets your local country's laws, power requirements, radio frequencies etc. Even the big brand names are often just customers; the product will be sold under other brand names.

    Neither the manufacturer nor the importer sold it to you, so they're under no obligation to take it back. If they did take it back, the per-item amount they sold it to the distributor for will be a fraction of what you paid for it.


  13. McGyver, 17 Nov 2017 @ 9:07am

    "Highly unlikely" until it's "highly common"...

    "We are aware of the Which? report, but understand the circumstances in which these investigations have taken place rely on a perfect set of circumstances and manipulation of the toys and the software that make the outcome highly unlikely in reality."

    So... "We are not going to do anything about it until something really bad happens and it looks like we are going to be held criminally responsible"...

    Obviously not enough people got pissed off that the "My friend Cayla" doll and her robot counterpart were collecting data from children's conversations and using it without consent.

    And some people think this is all okay or use "whataboutism" to deflect criticism and a cautious approach.

    The point is, if you don't make a BIG stink about it now, it becomes a huge problem later... Regardless of how "highly unlikely" it may or may not be AT THE MOMENT in the opinion of the manufacturers...

    Give these companies an inch and they'll take a mile, if not immediately, very shortly...

    Hey, how long ago were EULAs just an understandable agreement not to redistribute the software and not these current agreements that you own nothing, can repair nothing and have zero rights... Remember all the wise and trusting know-it-alls who insisted "just click agree" and that we would never be where we are today?

    Haven't we seen enough blazing dumpster fires of incompetence, indifference, greed and arrogance lately to at least be mindful that however "unlikely" someone claims something may be, that it often does eventually occur?


