German Consumers Face $26,500 Fine If They Don't Destroy Poorly-Secured 'Smart' Doll

from the internet-of-broken-things dept

We've noted repeatedly how modern toys aren't immune to the security and privacy dysfunction the internet-of-broken-things has become famous for. A new WiFi-enabled Barbie, for example, has come under fire for trivial security that lets the toy be modified for use as a surveillance tool. We've also increasingly noted how the data these toys collect isn't secured particularly well either, as made evident by the Vtech incident, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Last fall a lawsuit was filed against Genesis Toys, maker of the My Friend Cayla doll and the i-Que Intelligent Robot. The lawsuit accuses the company of violating COPPA (the Childrens' Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids' conversations and personal data collected by the toys are being shipped off to servers and third-party companies for analysis. A report by the Norwegian Consumer Council (pdf) also found that a lot of the data being transmitted by these toys is done so via vanilla, unencrypted HTTP connections that could be subject to man-in-the-middle attacks.

In Germany, where surveillance fears run a little deeper for obvious reasons, regulators last February went so far as to urge German parents to destroy the My Friend Cayla doll, highlighting that hackers can use an unsecure bluetooth device embedded in the toy to listen to and to talk to the child playing with it. Since then, Germany's Federal Network Agency has clarified its position further. It's not only banning the sale, purchase, and ownership of the toy, but it's warning families that they face fines up to $26,500 if they don't comply with demands that the toy be destroyed:

"The agency has now laid out just how parents are to destroy the doll. Parents are asked to fill out a destruction certificate that must be signed by a waste-management company and sent back to the agency for proof. While the agency says it has no plans to take action against those who don’t destroy the doll, it certainly could. Under German telecommunication laws, those who don’t comply with Federal Network Agency directives could face a fine up to $26,500 and two years in prison.

How very...thorough. One mother, amusingly, felt bad destroying the doll -- so she came up with a novel solution:

"One mother tells the WSJ that she was surprised to have had the doll sitting in her daughter’s room for two years. She says she was hesitant to actually destroy the doll, so instead she donated it to the German Spy Museum Berlin."

Germany's decision is certainly unnecessarily excessive, but it's a step up from the outright apathy on many fronts to the problems raised by connecting everything to the internet without prioritizing security and privacy. Researchers continue to argue that the IOT is creating thousands of new attack vectors into every home and business on the planet every day. Given the rise in the use of IOT devices in record-setting DDoS attacks, it's only a matter of time before these devices contribute to an attack on essential infrastructure, potentially at the cost of human lives.

It's obviously not their intent, but these devices continue to function as advertisements for the "dumb" technologies of yesterday. At least until parents collectively realize that Barbie and Ken need a better firewall.

Filed Under: fines, germany, iot, my friend cayla, privacy, security, smart doll

Another Lawsuit Highlights How Many 'Smart' Toys Violate Privacy, Aren't Secure

from the Barbie-is-a-rat dept

So we've talked a bit about the privacy implications of smart toys, and the fact that people aren't exactly thrilled that Barbie now tracks your childrens' behavior and then uploads that data to the cloud. Like most internet-of-not-so-smart things, these toys often come with flimsy security and only a passing interest in privacy. As such we've increasingly seen events like the Vtech hack, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Unsurprisingly, the collection of kids' babbling while in the company of smart toys continues to ruffle feathers. This week, a coalition of consumer advocates including the Consumer's Union filed suit against Genesis Toys, the maker of two such toys, the My Friend Cayla doll and the i-Que Intelligent Robot. According to the full lawsuit (pdf), the toy maker is violating COPPA (the Childrens’ Online Privacy Protection Act of 1998) by failing to adequately inform parents' that their kids conversations and personal data collected by the toys are being shipped off to servers and third-party companies.

Among the problems cited in the complaint is that the privacy policies governing the collection of kids' data aren't clear, aren't prominently displayed, and often change without notice. Parents aren't properly informed that data is being culled from the toys and sent off to companies like Nuance Communications, most commonly known for its Dragon voice recognition software, but a company that also has prominent roles in healthcare dictation and as a defense contractor. Both toys by proxy are governed by Nuance's privacy policy, which among other things says:

"We may use the information that we collect for our internal purposes to develop, tune, enhance, and improve our products and services, and for advertising and marketing consistent with this Privacy Policy." It continues, “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us."

With the toys being marketed to "ages 4 and up" and being mostly used by kids under age 18, the lawsuit states the companies selling and collecting this toy data are violating COPPA. Under COPPA, companies gathering kids data have to provide notice to, and obtain consent from parents regarding data collection. They also have to provide parents tools to access, review and delete this data if wanted, as well as the parental ability to dictate that the data can be collected, but not shared with third parties. The complaint suggests neither Nuance or Genesis Toys are doing any of this.

And again, privacy is just part of the equation. There's also the fact that these toys just aren't all that secure. A report by the Norwegian Consumer Council (pdf) found that a lot of the data being transmitted by these toys is done so via vanilla, unencrypted HTTP connections that could be subject to man in the middle attacks. Reconfiguring the devices to create in-home surveillance tools was also "very easy and requires little technical know-how," according to the report.So again, much like all internet of things devices, companies were so excited to integrate internet connectivity, they effectively forgot about user privacy and security. Are we perhaps noticing a ongoing theme yet?

Filed Under: coppa, i-que intelligent robot, iot, my friend cayla, privacy, security, smart toys
Companies: genesis toys, nuance