Is Santa spying on your kids?
A set of consumer groups think so and are petitioning the Federal Trade Commission to step in on Tuesday.
In a broader report accompanying the complaint, consumer groups are warning that a coming “Internet of Toys” could have long-term implications for child safety.
“Product safety is no longer just about a small toy that you are afraid your kid will choke on,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “It’s about how the products are designed and what they might be doing with your children’s information.”
Two hot new internet-connected toys “subject young children to ongoing surveillance … and pose an imminent and immediate threat to the safety and security of children,” the complaint alleges.
The two toys — one doll named My Friend Cayla, marketed to girls, and i-Que, which targets boys — are made by a Chinese company, Genesis Toys, which has a Los Angeles-based affiliate named Genesis.
iQue and Cayla engage in simulated conversations with children. They use Bluetooth to connect to smartphones and gain access to the internet.
“A child’s statements are converted into text, which is then used by the application to retrieve answers using Google Search, Wikipedia and Weather Underground,” the complaint says.
The toys are available from many U.S. retailers. On one product page, they are described as being appropriate for children ages 3 to 12.
“Via speech-recognition technology, Cayla can understand and respond to your child in real time about almost anything,” the page says. “She can tell stories, play games, share photos from her photo album, and can sing too. She can even help your child with their homework questions.”
The consumer groups — including the Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood and Consumers Union — claim that the devices record children’s conversations “without any limitations on collection, use or disclosure” of personal information. They say the Genesis toys violate the Child Online Protection Act, and that the Federal Trade Commission should step in immediately.
Genesis Toys claims that My Friend Cayla has amassed over 1 million fans worldwide, according to the complaint.
Attempts to reach Genesis for comment were unsuccessful.
Massachusetts-based Nuance Communications, which provides voice-recognition services for the toys, according to the complaint, was also named. Emails and phone calls to the firm were not immediately returned.
Too much personal information?
The consumer groups also say the toys don’t employ basic Bluetooth security, such as requiring a pairing code.
“As a result, when the Cayla and i-Que dolls are powered on and not already paired with another device, any smartphone or tablet within a 50-foot range can establish a Bluetooth connection with the dolls,” it says. That opens the door to strangers in close proximity being able to use the doll to connect with the child who’s using it, the groups allege.
Last year, Mattel’s release of the Hello Barbie talking toy raised similar concerns, particularly after researchers were able to hack it. Mattel addressed that concern by offering a bug bounty program with its voice-processing partner, ToyTalk.
Still, Josh Golin of Commercial Free Childhood told Credit.com that parents need to be aware of these new kinds of toys.
“These are becoming must-have toys,” he said. “And these problems are ongoing. Sure, there was a splash made when someone hacked the toy, but then it goes away. This issue needs to be front and center for parents.”
“Hello Barbie and ToyTalk only state that they can share data with ‘vendors, consultants and other service providers’ without specifying or giving examples of what this entails,” the report says.
Marissa Beck, a spokeswoman for Mattel, objected to the European group’s criticism of its third-party data sharing notice.
Should parents be concerned?
Fundamentally, these types of toys are “not great to begin with,” Golin said. (Real friends are superior to talking dolls that can mimic friendly conversations). But parents should be concerned that while kids are being trained to “connect with toys, and really confide in them,” there are longer-term concerns, Golin said.
“I think what happens is there is a rush to get things into the marketplace before the technology and policy and ethical considerations have all been worked out …There’s this misguided idea that connecting anything to the Internet makes it better. With toys, there’s all sorts of reasons you don’t want to do that,” Golin said. “The issues are really sensitive. The recordings of children’s conversations are really sensitive. And the fact that these companies can’t explicitly say, ‘This is exactly what we are doing with these recordings,’ should be very concerning to parents.”
“These discoveries are another sign that emerging IoT-technologies may not be well suited for children’s products,” the Norwegian Consumer Council concludes. “Unless the manufacturers and service providers are willing to take these issues seriously, the NCC are concerned that the area of connected toys is rife with potential risks for children’s safety and well-being, as they play and interact with these products.”
Remember, you can keep an eye out for identity theft by monitoring your credit. (You can pull your credit reports for free each year at AnnualCreditReport.com and view two of your scores, updated every 14 weeks, for free on Credit.com.) Parents can request a credit history for their minor children from the three credit reporting agencies with documentation proving they are the parent or legal guardian to keep an eye out for child identity theft as well.