Edmonton Journal

Who is lis­ten­ing as your chil­dren talk to their toys?

Ad­vo­cates fear In­ter­net-con­nected play­things put kids’ pri­vacy at risk


Your daugh­ter rips open the wrap­ping pa­per and screams with ex­cite­ment — it’s Talk To Me Tammy!

Af­ter con­nect­ing the doll to your home’s wire­less net­work through a smart­phone app, she and Tammy start chat­ting. Tammy tells her jokes, quizzes her on some math ques­tions and says her favourite colour is pink. She asks your daugh­ter lots of ques­tions about her likes and dis­likes, hopes and dreams, and fam­ily and friends.

The next day, you no­tice ad­ver­tise­ments for prod­ucts your daugh­ter told Tammy she wants on your Face­book page. That’s be­cause buried in Tammy’s terms of ser­vice — which you didn’t read — was a clause au­tho­riz­ing the toy com­pany to sell the data Tammy col­lects to mar­keters.

Mean­while, hack­ers who don’t want to pay the toy com­pany for your daugh­ter’s valu­able data are work­ing on a way to ac­cess it for free.

They’re break­ing into the data­base in the cloud that stores your daugh­ters’ con­ver­sa­tions with Tammy, try­ing to piece to­gether enough in­for­ma­tion to steal her iden­tity in the hopes she won’t fig­ure it out un­til she turns 18 and tries to ap­ply for a credit card. They’re also work­ing on a way to hi­jack Tammy’s mi­cro­phone and speaker, making it pos­si­ble for strangers to say nasty things to your daugh­ter and lis­ten to your fam­ily when­ever they want.

Th­ese risks aren’t just hy­po­thet­i­cal. As smart toys such as Mat­tel Inc.’s Hello Bar­bie — a Wi-Fi en­abled doll that talks to its owner — hit shelves, pri­vacy and chil­dren’s rights ad­vo­cates are rais­ing con­cerns about how toy com­pa­nies will use, store, and safe­guard the data they col­lect.

Just last week, Hong Kong-based toy­maker VTech Hold­ings Ltd. an­nounced a hacker had com­pro­mised a data­base con­tain­ing pho­tos and per­sonal in­for­ma­tion of about 6.4 mil­lion chil­dren, in­clud­ing 316,000 in Canada.

And that story about the creep hack­ing into toys to ha­rass chil­dren? It’s al­ready hap­pen­ing too, with re­ports that In­ter­net-con­nected baby mon­i­tors have been used to scream ob­scen­i­ties at in­fants sur­fac­ing over the past couple of years.

All this has Josh Golin, ex­ec­u­tive di­rec­tor of the Cam­paign for a Com­mer­cial-Free Child­hood, won­der­ing what’s wrong with a good, old-fash­ioned book or model train set un­der the tree in­stead.

“The best toys are the toys where chil­dren have to use their imag­i­na­tions, where if there’s pre­tend go­ing on, the chil­dren are the ones gen­er­at­ing the pre­tend play and the cre­ativ­ity,” Golin said. “Even if there weren’t all th­ese pri­vacy con­cerns and wor­ries about th­ese toys be­ing hacked, I would rec­om­mend the toy that isn’t con­nected to the In­ter­net.”

Of all the smart toys that are in de­vel­op­ment or have been re­cently re­leased, Hello Bar­bie has cre­ated the most con­tro­versy. Even be­fore the doll hit shelves in Novem­ber, head­lines called it “creepy,” “sur­veil­lance Bar­bie” and “ev­ery par­ent’s worst night­mare.”

Billed as “the first fash­ion doll that can have a two-way con­ver­sa­tion with girls,” the toy is pow­ered by tech­nol­ogy from a com­pany called ToyTalk that sends a child’s state­ments over the In­ter­net, an­a­lyzes them and re­sponds with one of 8,000 lines of di­a­logue stored in a cloud server.

Other toys and prod­ucts that haven’t gar­nered this amount of neg­a­tive public­ity use sim­i­lar tech­nol­ogy.

A com­pany called El­e­men­tal Path is now tak­ing or­ders for Green Dino, which also con­nects to a cloud-based server to an­a­lyze a child’s state­ments and re­spond. In­ter­na­tional Busi­ness Ma­chine Corp.’s Watson, an ar­ti­fi­cial in­tel­li­gence plat­form that can process nat­u­ral lan­guage, pow­ers it.

Ama­zon.com Inc.’s Echo isn’t a toy — it’s a voice in­ter­ac­tion de­vice that can play mu­sic, set alarms and con­trol other home smart de­vices — but it raises sim­i­lar con­cerns about the col­lec­tion and stor­age of chil­dren’s data and con­ver­sa­tions.

Last spring, Google Inc. filed a patent for a smart teddy bear, equipped with cam­eras and mi­cro­phones that drew com­par­isons to the su­per toy teddy in Steven Spiel­berg’s 2001 film AI.

Hello Bar­bie’s pri­vacy pol­icy states that ToyTalk, the com­pany that pro­vides the tech­nol­ogy pow­er­ing the doll, will only share data the toy gath­ers “when you give us your con­sent to do so.” In an emailed state­ment, ToyTalk’s head of com­mu­ni­ca­tions Tom Sar­ris said the com­pany only asks for such con­sent to im­prove the prod­uct, not sell the data to mar­keters — “We sim­ply do not do that.”

But David Fewer, di­rec­tor of the Cana­dian In­ter­net Pol­icy and Pub­lic In­ter­est Clinic and an in­tel­lec­tual property and tech­nol­ogy lawyer, said he’s skep­ti­cal of such as­sur­ances.

“‘We’re col­lect­ing this in­for­ma­tion to serve you bet­ter.’ What does that mean? You’re col­lect­ing this in­for­ma­tion to profit-max­i­mize,” Fewer said. “The prob­lem with pri­vacy-re­lated trans­ac­tions is we never really know the deal. We don’t know ex­actly what we’re giv­ing up, we don’t know the cost to us.”

Fewer said Cana­dian chil­dren us­ing tech­nol­ogy-en­abled toys have le­gal pro­tec­tion. The Per­sonal In­for­ma­tion Pro­tec­tion and Elec­tronic Doc­u­ments Act re­quires com­pa­nies to put more ef­fort into se­cur­ing more sen­si­tive data, and le­gal prece­dents have de­ter­mined that chil­dren’s data must be con­sid­ered the most sen­si­tive of all.

Still, as the VTech breach demon­strates, this le­gal pro­tec­tion is far from a guar­an­tee your child’s data is safe. Brian Bourne, co-founder of the in­for­ma­tion tech­nol­ogy se­cu­rity con­fer­ence Sec­Tor, said we partly have our own ap­a­thy to blame.

“Peo­ple have un­der­stood for a long time that with Face­book, they’re giv­ing up their pri­vacy and be­ing tar­geted (by mar­keters),” Bourne said. “You start to be­come numb.”

For par­ents who de­cide to let their chil­dren play with smart toys, Bourne said it’s im­por­tant to re­mem­ber you don’t have to give up per­sonal in­for­ma­tion just be­cause you’re asked.

“You don’t have to put in your kids’ full, real name and full, real date of birth. The toy may ask you to put in those things, but you don’t have to,” he said. “When the VTechtype at­tack hap­pens — which it will — the in­for­ma­tion lost is ir­rel­e­vant to you. You change your pass­word and move on.”

 ?? MARK LENNIHAN/THE AS­SO­CI­ATED PRESS ?? Of all the smart toys, Hello Bar­bie has cre­ated the most con­tro­versy. Me­dia out­lets are call­ing it ‘creepy,’ ‘sur­veil­lance Bar­bie’ and ‘ev­ery par­ent’s worst night­mare.’
MARK LENNIHAN/THE AS­SO­CI­ATED PRESS Of all the smart toys, Hello Bar­bie has cre­ated the most con­tro­versy. Me­dia out­lets are call­ing it ‘creepy,’ ‘sur­veil­lance Bar­bie’ and ‘ev­ery par­ent’s worst night­mare.’

Newspapers in English

Newspapers from Canada