Who is listening as your children talk to their toys?
Advocates fear Internet-connected playthings put kids’ privacy at risk
Your daughter rips open the wrapping paper and screams with excitement — it’s Talk To Me Tammy!
After connecting the doll to your home’s wireless network through a smartphone app, she and Tammy start chatting. Tammy tells her jokes, quizzes her on some math questions and says her favourite colour is pink. She asks your daughter lots of questions about her likes and dislikes, hopes and dreams, and family and friends.
The next day, you notice advertisements for products your daughter told Tammy she wants on your Facebook page. That’s because buried in Tammy’s terms of service — which you didn’t read — was a clause authorizing the toy company to sell the data Tammy collects to marketers.
Meanwhile, hackers who don’t want to pay the toy company for your daughter’s valuable data are working on a way to access it for free.
They’re breaking into the database in the cloud that stores your daughters’ conversations with Tammy, trying to piece together enough information to steal her identity in the hopes she won’t figure it out until she turns 18 and tries to apply for a credit card. They’re also working on a way to hijack Tammy’s microphone and speaker, making it possible for strangers to say nasty things to your daughter and listen to your family whenever they want.
These risks aren’t just hypothetical. As smart toys such as Mattel Inc.’s Hello Barbie — a Wi-Fi enabled doll that talks to its owner — hit shelves, privacy and children’s rights advocates are raising concerns about how toy companies will use, store, and safeguard the data they collect.
Just last week, Hong Kong-based toymaker VTech Holdings Ltd. announced a hacker had compromised a database containing photos and personal information of about 6.4 million children, including 316,000 in Canada.
And that story about the creep hacking into toys to harass children? It’s already happening too, with reports that Internet-connected baby monitors have been used to scream obscenities at infants surfacing over the past couple of years.
All this has Josh Golin, executive director of the Campaign for a Commercial-Free Childhood, wondering what’s wrong with a good, old-fashioned book or model train set under the tree instead.
“The best toys are the toys where children have to use their imaginations, where if there’s pretend going on, the children are the ones generating the pretend play and the creativity,” Golin said. “Even if there weren’t all these privacy concerns and worries about these toys being hacked, I would recommend the toy that isn’t connected to the Internet.”
Of all the smart toys that are in development or have been recently released, Hello Barbie has created the most controversy. Even before the doll hit shelves in November, headlines called it “creepy,” “surveillance Barbie” and “every parent’s worst nightmare.”
Billed as “the first fashion doll that can have a two-way conversation with girls,” the toy is powered by technology from a company called ToyTalk that sends a child’s statements over the Internet, analyzes them and responds with one of 8,000 lines of dialogue stored in a cloud server.
Other toys and products that haven’t garnered this amount of negative publicity use similar technology.
A company called Elemental Path is now taking orders for Green Dino, which also connects to a cloud-based server to analyze a child’s statements and respond. International Business Machine Corp.’s Watson, an artificial intelligence platform that can process natural language, powers it.
Amazon.com Inc.’s Echo isn’t a toy — it’s a voice interaction device that can play music, set alarms and control other home smart devices — but it raises similar concerns about the collection and storage of children’s data and conversations.
Last spring, Google Inc. filed a patent for a smart teddy bear, equipped with cameras and microphones that drew comparisons to the super toy teddy in Steven Spielberg’s 2001 film AI.
But David Fewer, director of the Canadian Internet Policy and Public Interest Clinic and an intellectual property and technology lawyer, said he’s skeptical of such assurances.
“‘We’re collecting this information to serve you better.’ What does that mean? You’re collecting this information to profit-maximize,” Fewer said. “The problem with privacy-related transactions is we never really know the deal. We don’t know exactly what we’re giving up, we don’t know the cost to us.”
Fewer said Canadian children using technology-enabled toys have legal protection. The Personal Information Protection and Electronic Documents Act requires companies to put more effort into securing more sensitive data, and legal precedents have determined that children’s data must be considered the most sensitive of all.
Still, as the VTech breach demonstrates, this legal protection is far from a guarantee your child’s data is safe. Brian Bourne, co-founder of the information technology security conference SecTor, said we partly have our own apathy to blame.
“People have understood for a long time that with Facebook, they’re giving up their privacy and being targeted (by marketers),” Bourne said. “You start to become numb.”
For parents who decide to let their children play with smart toys, Bourne said it’s important to remember you don’t have to give up personal information just because you’re asked.
“You don’t have to put in your kids’ full, real name and full, real date of birth. The toy may ask you to put in those things, but you don’t have to,” he said. “When the VTechtype attack happens — which it will — the information lost is irrelevant to you. You change your password and move on.”