German Consumers Face $26,500 Fine If They Don't Destroy Poorly-Secured 'Smart' Doll

from the internet-of-broken-things dept

We've noted repeatedly how modern toys aren't immune to the security and privacy dysfunction the internet-of-broken-things has become famous for. A new WiFi-enabled Barbie, for example, has come under fire for trivial security that lets the toy be modified for use as a surveillance tool. We've also increasingly noted how the data these toys collect isn't secured particularly well either, as made evident by the VTech incident, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Last fall a lawsuit was filed against Genesis Toys, maker of the My Friend Cayla doll and the i-Que Intelligent Robot. The lawsuit accuses the company of violating COPPA (the Children's Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies for analysis. A report by the Norwegian Consumer Council (pdf) also found that much of the data these toys transmit is sent over plain, unencrypted HTTP connections that could be subject to man-in-the-middle attacks.

In Germany, where surveillance fears run a little deeper for obvious reasons, regulators last February went so far as to urge German parents to destroy the My Friend Cayla doll, highlighting that hackers can use an unsecured Bluetooth device embedded in the toy to listen to and talk to the child playing with it. Since then, Germany's Federal Network Agency has clarified its position further. It's not only banning the sale, purchase, and ownership of the toy, but it's warning families that they face fines up to $26,500 if they don't comply with demands that the toy be destroyed:

"The agency has now laid out just how parents are to destroy the doll. Parents are asked to fill out a destruction certificate that must be signed by a waste-management company and sent back to the agency for proof. While the agency says it has no plans to take action against those who don’t destroy the doll, it certainly could. Under German telecommunication laws, those who don’t comply with Federal Network Agency directives could face a fine up to $26,500 and two years in prison."

How very...thorough. One mother, amusingly, felt bad destroying the doll -- so she came up with a novel solution:

"One mother tells the WSJ that she was surprised to have had the doll sitting in her daughter’s room for two years. She says she was hesitant to actually destroy the doll, so instead she donated it to the German Spy Museum Berlin."

Germany's decision is certainly unnecessarily excessive, but it's a step up from the outright apathy on many fronts to the problems raised by connecting everything to the internet without prioritizing security and privacy. Researchers continue to argue that the IoT is creating thousands of new attack vectors into every home and business on the planet every day. Given the rise in the use of IoT devices in record-setting DDoS attacks, it's only a matter of time before these devices contribute to an attack on essential infrastructure, potentially at the cost of human lives.

It's obviously not their intent, but these devices continue to function as advertisements for the "dumb" technologies of yesterday. At least until parents collectively realize that Barbie and Ken need a better firewall.


Filed Under: fines, germany, iot, my friend cayla, privacy, security, smart doll


Reader Comments



  1.
    aerinai (profile), 18 Apr 2017 @ 5:31am

    Destroy it... or else...

    Criminalizing a 'toy'... I can't wait to see that armed-to-the-hilt SWAT raid...

    *flash bang* "DROP THE BARBIE! GET ON THE GROUND!" *flash bang* *smoke grenade* *taser* "That'll teach you to have contraband toys! It could spy on you! We are doing you a favor!"

    Or... the more sensible option... remove the batteries... *gasp*

    Seems Germany has the Furby-Crazies of China right now.

  2.
    Ninja (profile), 18 Apr 2017 @ 6:02am

    I don't really think 'bricking' the toy is a problem at all. What I do think is that the parents are the ones entrusted with the task 'or else'. They should be after the toy maker forcing it to remotely brick the toy and refund every single sale. IoT and other Internet connected devices that fail at basic security should get the same treatment. Unless lousy security starts costing real money to the companies involved this will not stop. Sure we have to clearly define the security needed there (ie: device storage encryption and data transport encryption, data collection must be opt-in etc) but the ones responsible for the screw ups must be punished.

    So the only issue here is the Govt should be hitting the makers, not the parents.

  3.
    Lady Gwyneth (profile), 18 Apr 2017 @ 6:35am

    I guess it's easier to fine the parents rather than the company. I thought the US had the more backward government compared to Germany.

  4.
    TripMN, 18 Apr 2017 @ 6:51am

    Alternate uses

    Parents could just remove the batteries and it becomes just a doll... or, they could attach it to their front door and they'd have an internet-connected bluetooth-enabled intercom system.

    Of course it'd be more than a little creepy to walk into a little German town where every door has a doll attached to it.

  5.
    Anonymous Coward, 18 Apr 2017 @ 6:55am

    Re:

    The us has the LEAST backward government of others.

    Sure America 'just like all the rest' have abused its authority, but USA is a super power for a reason!

    That said, it really is more a matter of opinion on which government is the best, because MOST people don't care about liberty, just about which laws they prefer. It's just simple math.

    Christians will naturally enjoy a Nation of Judeo-Christian laws than a Pagan one.
    Secularists will naturally enjoy a Nation of secular laws than a Christian one.
    Zee Jur Mans will more enjoy a heavy handed Nation than one where nazi symbolism is allowed, since that symbolism is illegal over there.

    The best way to ensure that your political enemies gain power is to attempt to stifle and marginalize them! But no one ever learns this lesson!

  6.
    Anonymous Coward, 18 Apr 2017 @ 6:57am

    Re:

    Also... the US has banned toys too!
    For your safety, of course, so yea, America is nothing special either, even if they are slightly better than others.

  7.
    Frog Legs (profile), 18 Apr 2017 @ 7:02am

    Absurd stuff. First, to remotely brick something I paid for is a violation of my property rights. Second, securing the internet isn't the responsibility of anyone except IT guys who work at companies that want to be secure. Funny that tech guys want to get on the welfare gravy train and have the government do their work for them.

  8.
    JoeCool (profile), 18 Apr 2017 @ 7:07am

    Re: Re:

    The US only bans FUN toys! Anywho, even when they do, they don't tell everyone to destroy it themselves and provide proof they did so under threat of prison and fines. Now excuse me, I got a lawn darts game to win - possibly over someone's dead body. :D

  9.
    Anonymous Coward, 18 Apr 2017 @ 7:22am

    Re: Alternate uses

    ..." German town where every door has a doll attached to it."

    That would be creepy! Seems absurd that the govt can allow this doll to be sold then demand that the consumers destroy it (and providing proof).

  10.
    JustMe (profile), 18 Apr 2017 @ 7:24am

    I'm confused

    What kind of nanny state BS is this? Why can't an adult be trusted to make a decision here, especially if they elect not to enable the ability to connect to WiFi on the doll?

  11.
    Anonymous Coward, 18 Apr 2017 @ 7:25am

    How consumptionist!

    If it has a defect, destroy it!

    Couldn't you fix it? Firmware updates are nothing new...
    Or if it can't be fixed, disable it? Just take out the batteries / snip a wire here or there...
    Or, you know, keep it as it is?

    In my opinion, it should be up to the producer of these toys to correctly inform the owners of what it does or doesn't do, including possible dangers. But it should be up to the owners to decide what to do with it.

  12.
    Phoenix84 (profile), 18 Apr 2017 @ 7:26am

    Obvious?

    "In Germany, where surveillance fears run a little deeper for obvious reasons"
    Say what?
    Maybe I've been living under a rock, but no, why Germany is so weird is not obvious.
    Is it because of some war they didn't fight in the past?
    Japan was in the same war, and isn't freaking out past 11.

  13.
    Anonymous Coward, 18 Apr 2017 @ 7:30am

    Fining people for a toy doll is just silly. They're informed and that should be the end of it. Do these people get their money back when they destroy the doll?

    Germany really takes things way too far on a number of things.

  14.
    Roger Strong (profile), 18 Apr 2017 @ 7:35am

    Could Be Worse

    If technology and political trends had unfolded in a slightly different order, parents would be dealing with 50 million Furby dolls suddenly repeating Donald Trump's 3am tweets and chanting "Lock her up!"

  15.
    The Wanderer (profile), 18 Apr 2017 @ 7:56am

    Re:

    An insecure Internet is a danger to everyone who uses the Internet (and, arguably, even to those who do not).

    Therefore, securing the Internet is the responsibility of everyone who uses the Internet (and, arguably, even of those who do not).

  16.
    Anonymous Anonymous Coward (profile), 18 Apr 2017 @ 7:57am

    Re: Alternate uses

    Of course it'd be more than a little creepy to walk into a little German town where every door has a doll attached to it.

    And curiously, all of them named Chuckie!

  17.
    Anonymous Coward, 18 Apr 2017 @ 8:04am

    Re: Obvious?

    Just read about Stasi (https://en.wikipedia.org/wiki/Stasi)

    "It has been described as one of the most effective and repressive intelligence and secret police agencies to have ever existed."

    "One of its main tasks was spying on the population, mainly through a vast network of citizens turned informants, and fighting any opposition by overt and covert measures, including hidden psychological destruction of dissidents"

    "After German reunification, the surveillance files that the Stasi had maintained on millions of East Germans were laid open, so that any citizen could inspect their personal file on request; these files are now maintained by the Federal Commissioner for the Stasi Records."


    Now we have some laws in place preventing such things.
    There is the firm belief that you should be able to talk freely at home without the fear of being spied upon by someone else.
    So it's prohibited to own, manufacture, use objects that look like objects you use everyday, but are in fact capable of spying on you (audio & pictures) [also a long list of exceptions].

  18.
    Pixelation, 18 Apr 2017 @ 8:12am

    Heil Dolls!

    I, for one, welcome our new doll overlords.

  19.
    Ninja (profile), 18 Apr 2017 @ 8:14am

    Re:

    I do agree with you but if it was built with such feature (and anything that has an auto-update option can be 'bricked remotely') then just bring it down. If not, make a recall and get fined for every single item that's not returned.

  20.
    Roger Strong (profile), 18 Apr 2017 @ 8:25am

    Re: Heil Dolls!

    Heil Dolls!... Doll Overlords...

    That sounds like the biggest legal battle over girl band trademark violations since the Spice Girls and Salt-N-Pepa went to court.

  21.
    Christenson, 18 Apr 2017 @ 8:43am

    Re: Not a simple problem

    Frog Legs:

    Please consider that in 1918, influenza was "a poor people's problem". Just like IOT security is for IT guys....or clean water for Flint, Michigan was for the water department.

    What happened next was it became *everyone's* problem and millions of people died of that influenza...because rich people had property rights they didn't want trampled.
    Same here: You won't feel the same when your neighbor's dolls now DDOS attack your internet connection, or his toasters break into your bank account.

    It's a complicated problem that requires action for the common good.

    Destroying the dolls that appear to be illegal under the law seems like a simple first step.

  22.
    Anonymous Coward, 18 Apr 2017 @ 8:57am

    Re: Re: Re:

    lol, lawn darts, yea, those were some fucking fun but damn they were dangerous. But not as dangerous as kids playing with fucking bows and arrows.

    "they don't tell everyone to destroy it themselves and provide proof they did so under threat of prison and fines."

    I did still say that US is slightly better.

  23.
    Anonymous Coward, 18 Apr 2017 @ 9:30am

    Re: I'm confused

    Sounds like they were worried about bluetooth too. Maybe there was no security on it so anyone could pair with an unpaired doll. A bit disturbing but I have a hard time seeing that as too much of a problem unless you lived in an apartment complex. Even then, it would have to be from someone close by.

  24.
    timmaguire42 (profile), 18 Apr 2017 @ 9:42am

    Re: Re:

    As Dennis Miller once said, being best in the world at something is a little like being valedictorian of summer school.

  25.
    timmaguire42 (profile), 18 Apr 2017 @ 9:44am

    I have a question about the "prove you destroyed it" requirement--does the German government have a list of every person who possesses this doll? If so, then what else are they keeping lists on?

  26.
    Anonymous Coward, 18 Apr 2017 @ 10:56am

    Re:

    That is human nature... to take things too far.

    If you had a history of secretive spying, you might be just as nuts as they have become. Levity and Restraint are not common human characteristics. You usually have vice, apathy, corruption, and then malice to deal with and usually in that order too!

  27.
    orbitalinsertion (profile), 18 Apr 2017 @ 11:13am

    Re: I'm confused

    Because the government will be attacked for it when it hits the fan, is why.

    This isn't like it may be an inconvenience for a consumer. It's more like automobiles with a critical dangerous flaw that makes them a danger to the owner and others.

    That being said, they should have forced a recall where the purchasers are compensated or the issues are fixed.

    I know it is a huge infringement. Nanny states: Stopping you from starting huge bonfires in small yards and throwing DDT all over the place since forever. We are adults with god-given rights, damnit.

  28.
    Anonymous Coward, 18 Apr 2017 @ 11:30am

    Yeah, sorry, but it's not excessive. As noted that's the maximum fine one can receive, not that they will receive. European justice systems are fundamentally different than what we have in the US. While ours is based on revenge and harsh punishments, Europe cares about rehabilitation. It's very unlikely anyone would receive the maximum fine just because they were late in destroying a doll unless there are egregious circumstances. The fine is there to show people just how serious the situation is to Germans and is a strong incentive to do away with yet another bad IoT horror story.

    Stop trying to insinuate the US's broken justice mentality into European matters. It doesn't work, and you just look stupid. If anything we should be considering how to integrate Europe's justice concepts and social mores into the US's violence glorifying culture. We'll kill ourselves off long before foreign extremists do it.

  29.
    btr1701 (profile), 18 Apr 2017 @ 12:32pm

    Proof

    GOVERNMENT: Here's your fine. You didn't destroy the doll when we told you to.

    CITIZEN: Prove you told me to.

    GOVERNMENT: We announced it on the news.

    CITIZEN: I must have missed that. I don't watch much TV.

    GOVERNMENT: Crap...

  30.
    btr1701 (profile), 18 Apr 2017 @ 12:36pm

    Re: Re: Obvious?

    > There is the firm believe that you should be able to talk
    > freely at home without the fear of being spied upon by
    > someone else.

    But if the government has made me aware of the doll's capabilities, and I don't care about it, why isn't that the end of it?

    It's *my* home, after all. If I'm okay with this doll, how is it the government's business to go any further with it?

  31.
    btr1701 (profile), 18 Apr 2017 @ 12:39pm

    Re: Re: Not a simple problem

    > Destroying the dolls that appear to be illegal under the
    > law seems like a simple first step.

    Even simpler first step: Take the batteries out of the doll.

  32.
    Anonymous Coward, 18 Apr 2017 @ 2:05pm

    Re: Re: Re: Obvious?

    The same reasons you aren't allowed to own certain guns with appropriate permits. It's not a doll, but an espionage device, and as a normal civilian you have no business with those.

  33.
    Anonymous Coward, 18 Apr 2017 @ 2:11pm

    Re: Re: Re: Not a simple problem

    This doesn't remove its capability of being an espionage device the same way a gun without bullets can be used to kill people once you find the right bullets.
    The gun doesn't stop being a gun just because the bullets are missing.

  34.
    GristleMissile (profile), 18 Apr 2017 @ 2:19pm

    Re:

    Hmmm. While I grant that this is a poorly designed toy, any programmer with a shit's bit of sense is going to do everything they can to make sure their device is not remotely brickable.

    Forcing a company to attempt remote brickings is not much better than fining the toy owners. (It is SOMEWHAT better, but it's still really damned stupid)

  35.
    Gwiz (profile), 18 Apr 2017 @ 2:24pm

    Re: Re: Re: Re: Obvious?

    It's not a doll, but an espionage device, and as a normal civilian you have no business with those.

    Really? Says who?

    I have no clue what the laws are in Germany concerning this, but here in the US you can legally purchase all the "espionage devices" you wish:

    https://www.thespystore.com/

  36.
    Anonymous Coward, 18 Apr 2017 @ 2:24pm

    Re: Re: Re: Re:

    Kinder Eggs brought across the border garner 2000 dollar fines each, I believe.

  37.
    Anonymous Coward, 18 Apr 2017 @ 3:01pm

    Re: Re: Re: Re: Not a simple problem

    Make the toy maker brick it.

    After they refund you for the doll. Plus maybe compensation for putting you at risk.

    Make others put money on the table and you get the dolls disabled. The toy makers? It was their fault anyway, it's fair that they pay for it.

  38.
    Frog Legs (profile), 18 Apr 2017 @ 6:48pm

    Re: Re:

    True, but responsibility for securing the Internet still belongs with tech workers in that field, not regular people or companies making consumer goods. If a doll is a threat to your internet, it sounds like the people responsible for securing it aren't doing a very good job.

  39.
    Châu, 19 Apr 2017 @ 1:50am

    Re: Re: Re: Re: Re: Obvious?

    That is why CIA and NSA spy very good, people there already know how use spy equipment, save training time!

  40.
    Anonymous Coward, 19 Apr 2017 @ 3:04am

    Re: Re: Obvious?

    New Stasi Agency?

  41.
    Narcissus (profile), 19 Apr 2017 @ 3:22am

    Re: Re:

    Sorry, can't let this go uncommented...

    "The us has the LEAST backward government of others"

    If you're saying that the US is a shining beacon of progressiveness when it comes to destroying dangerous toys I might agree since I don't have much of an opinion on that. If this is meant as a general statement meaning that in all things the US is the least backward, then I can only assume you meant it as satire or you have no clue what happens in other countries.

    The last 2 or 3 decades the US has been moving backward, not forward. This last government seems intent on speeding things up in that regard.

    "but USA is a super power for a reason!" Again, not sure what is the connection to toys but if you are looking for the reason how about spending more on defense than the next 6 countries combined? Would that do it? Is that your definition of being "the least backward"? I thought that our utopian future entailed less wars, not more?

  42.
    Bergman (profile), 19 Apr 2017 @ 6:17am

    Re: Destroy it... or else...

    Destroy...batteries...? *GASP* You mean go OFF THE GRID?!?

  43.
    btr1701 (profile), 19 Apr 2017 @ 10:40am

    Re: Re: Re: Re: Not a simple problem

    > This doesn't remove its capability of being an espionage
    > device the same way a gun without bullets can be used to
    > kill people once you find the right bullets.

    Yeah, because evil cyber hackers with backpacks full of AAA batteries are gonna be breaking into suburban homes and covertly refilling the empty battery slots of little girls' dolls so that they can spy on the moppet's daily tea party with Mr. Bear and Mrs. Frog.

    You and German government are insane.

  44.
    btr1701 (profile), 19 Apr 2017 @ 10:45am

    Re: Re: Re: Re: Obvious?

    > The same reasons you aren't allowed to own certain guns
    > with appropriate permits.

    If I want to allow myself to be observed, that's my business, not the government's. Analogies to guns are logically invalid.

    A more appropriate analogy would be the German government ordering all citizens to close their window blinds every night so no one can see (spy) them in their homes. If the homeowner doesn't care if people can see him watching TV or eating dinner from the street, why is it the government's business to dictate otherwise?

  45.
    Anonymous Coward, 22 Apr 2017 @ 1:00am

    Re: Re: Re: Re: Re: Not a simple problem

    > You and German government are insane.

    Yeah, because no one would ever put batteries back in it. Or bullets back in a gun. In fact, guns make great children's toys if you take the bullets out first!

  46.
    Anonymous Coward, 22 Apr 2017 @ 1:03am

    Re: Re: Re: Re: Re: Obvious?

    > If I want to allow myself to be observed, that's my business, not the government's.

    Or if I want to observe someone else as well!

  47.
    Anonymous Coward, 22 Apr 2017 @ 1:08am

    Re: Proof

    Never mind that possession of such a device is illegal under the law. And ignorance of the law is no excuse. What's that, you say? You're a cop? Oh, well in your case ignorance of the law certainly *is* an excuse! Carry on.

  48.
    Anonymous Coward, 23 Apr 2017 @ 4:51pm

    Oh, now they blame it on consumers...
