German Regulators Urge Parents To Destroy WiFi Connected Doll Over Surveillance Fears
from the barbie-needs-a-new-firewall dept
For a while now, we've discussed how your children's toys are quickly becoming the latest and greatest privacy threat courtesy of cryptic or half-cooked privacy policies and the treatment of device security as an afterthought; rather part and parcel now for the privacy dumpster fire that is the internet of not-so-smart things era. Numerous privacy groups have complained that smart Barbies and other toys not only now hoover up and monetize childrens' prattle, but leave the door open to the devices' being used nefariously by third parties.
The problems culminated in a lawsuit last December here in the States against Genesis Toys, maker of "smart" toys like the My Friend Cayla doll and the i-Que Intelligent Robot. The lawsuit accuses the company of violating COPPA (the Childrens' Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies. The privacy policy for the toys does warn users that companies like Nuance Communications, also a government defense contractor, will receive this data for analysis:
"We may use the information that we collect for our internal purposes to develop, tune, enhance, and improve our products and services, and for advertising and marketing consistent with this Privacy Policy." It continues, “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us."
The lawsuit alleges the toys are violating COPPA because they're marketed to "ages 4 and up" and being mostly used by kids under age 18. Under COPPA, companies gathering kids' data have to provide notice to, and obtain consent from parents regarding data collection. They also have to provide parents tools to access, review and delete this data if wanted, as well as the parental ability to dictate that the data can be collected, but not shared with third parties. The complaint suggests neither Nuance or Genesis Toys are doing any of this.
But Genesis is also under fire for the fact that these toys just aren't all that secure. A report by the Norwegian Consumer Council (pdf) found that a lot of the data being transmitted by these toys is done so via vanilla, unencrypted HTTP connections that could be subject to man-in-the-middle attacks.
While Genesis faces a lawsuit here in the States, the FTC has yet to act against the company. Overseas however, German regulators are taking a different tack and urging parents to destroy the data-collecting dolls entirely:
"An official watchdog in Germany has told parents to destroy a talking doll called Cayla because its smart technology can reveal personal data. The warning was issued by the Federal Network Agency (Bundesnetzagentur), which oversees telecommunications. Researchers say hackers can use an unsecure bluetooth device embedded in the toy to listen and talk to the child playing with it.
As it stands, German regulators say that a bluetooth-enabled device could connect to Cayla's speaker and microphone system within a radius of 33 feet. As a result, the doll is being effectively treated as a "concealed transmitting device," illegal under an article in German telecom law. A spokesman for the Federal Network Agency said it doesn't really matter what shape the device took; "it could be an ashtray or fire alarm" and would still be illegal. While demanding destruction of the dolls may be overkill, it's just another example of how privacy and security apathy continue to haunt the IoT space.
Filed Under: dolls, germany, iot, privacy, security, surveillance
Companies: genesis toys