When Santa Gives Your Little Ones a Personal Digital Spy

This past week, consumers were subject yet again to a huge database hack, this time affecting personal and private information of potentially hundreds of millions of Quora readers and travelers who stayed at Marriott or Starwood hotels. Yet, in spite of this continued onslaught of cyberattacks, consumers seem to gleefully add more potential hacker entrees into their personal computer networks.

For daily updates, subscribe to our newsletter by clicking here.

An awareness of the nature of these added network vulnerabilities is especially pertinent around the holidays when oblivious parents buy their children what can effectively be referred to as giant network holes and digital spies in the form of internet-connected toys.

Santa Claus in Jerusalem (illustration). Photo: AFP

What toys are problematic? Consider, for example, CloudPets—which, as of this summer, are no longer available on Amazon—internet connected stuffed toys that let parents and children exchange messages through an insecure Bluetooth connection. Most parents were also unaware that the manufacturer was storing those messages offsite in a database that was eventually hacked, exposing millions of personal interactions.

Another example is My Friend Cayla, a doll capable of conducting a conversation with a child using speech recognition technology that in February 2017 was completely banned in Germany. Local authorities in the country notified parents that they must destroy any Cayla doll in their possession, since it was considered a concealed espionage device, according to the German Telecommunications Act. Germany seems especially aggressive when it comes to threats from toys and kids’ accessories and has gone as far as banning smartwatches marketed for children, as they often transmit the user’s location data without encryption.

Why was the Cayla doll so troublesome? The doll had a sophisticated voice recorder that employed internet searches to converse with children. Genesis Toys, Cayla’s Hong Kong-based manufacturer, sold voice prints of the children to Burlington, Massachusetts-based speech recognition company, Nuance Communications Inc. Nuance’s clients include both military and intelligence firms. Cayla could also be easily hacked via a Bluetooth connection. To make matters worse, Genesis reportedly had a deal with Disney to surreptitiously help advertise Disney products by having the doll ask children about their favorite Disney movie.

Hello Barbie, a similarly intended artificially intelligent (AI) toy would automatically connect to unsecured wireless networks to facilitate its call and response interaction with children, effectively creating a wide-open hole for unscrupulous individuals to access home networks and interact with other people’s children.

Hello Barbie, CloudPets and Cayla are all part of what is referred to as the Internet of Toys, representing a rapidly growing multi-billion dollar market. The internet connectivity of these toys and the network vulnerabilities they create are often exacerbated when the toys are designed to effectively be open-mics, listening in constantly for relevant wake words.

Despite all of the potentially problematic toys out there, the market is slowly coming to terms with the dire issues, some of which were described above.

In light of these and other considerations, some established brands seem to have begun to become more responsible. This change of heart is not simply altruistic: on the manufacturer’s side, there is much more to fear than simply the bad press associated with a hack or an insidious toy design. Toy companies with European market-share may find themselves under the thumb of the new General Data Protection Regulation (GDPR), exposing themselves to huge fines for failure to follow the recently enacted privacy regulations, such as the requirement that the toys be designed with privacy in mind, not simply as an afterthought.

U.S.-facing companies may similarly have to deal with relevant legislation. The arguably less-toothy Children’s Online Privacy Protection Act (COPPA) requires that manufactures protect children from various online activities without parental consent and other safeguards. In the first ever U.S. enforcement action against these toys, earlier this year, VTech Electronics agreed to pay $625,000 in relation to COPPA violations. VTech’s app, associated with toys such as singing animals, collected personal information from hundreds of thousands of children without direct and verifiable parental consent. VTech’s fine was likely associated with an earlier data breach that threatened the privacy of millions of its users.

The open-mic described above has its own legal problems: toy companies have to contend with inconsistent state laws relating to the necessary levels of consent for third-party recordings of conversations.

While no device is totally safe for children, this holiday season, both consumers and manufacturers can benefit from the U.S. Federal Trade Commission’s efforts to certify internet connected toys as safe via their kidSAFE seal of approval.

What grown-ups need to keep in mind whenever they share data, regardless of the ways in which it is collected, is that there are only two types of databases, those that have been hacked, and those that haven’t been hacked, yet.

Dov Greenbaum, JD-PhD, is the director of the Zvi Meitar Institute for Legal Implications of Emerging Technologies at the Radzyner Law School, at the Interdisciplinary Center in Herzliya.

Tomer Herzig, a student at the institute, contributed to the research and writing of this article.