Beware the holiday ‘smart toys’ that spy on your kids
Children talk to their toys as if they’re really listening, sometimes confiding in dolls and stuffed animals.
Now toys are actually listening. And remembering.
This holiday season, shoppers can buy “smart toys,” internet connected playthings equipped with microphones, cameras, and the ability to collect reams of data about children.
Consumer advocates warn the toys pose privacy and security risks for kids. Security experts have shown smart toys can be easily hacked, and toy makers have taken heat for major data breaches and sharing personal information with third parties. Examples include a doll banned in Germany for recording children and a teddy bear with a hackable camera.
Smart toys seemingly come to life utilizing “Internet of Things” (IoT) technology that has wirelessly connected coffeemakers, thermostats, and yes, toilets. But smart toys have proven to be particularly vulnerable to cyber attacks. Manufacturers try to keep toy prices low and lack an incentive to add reasonable security mechanisms, said Kayne McGladrey, member of the Institute of Electrical and Electronics Engineers, the world’s largest technical professional organization.
"Toys are basically the poster child for bad security in IoT,” said Bree Fowler, cybersecurity editor at Consumer Reports. “Nest and Google, they have huge security departments. They can actually sink some cash into security when they build things if they choose to. Toys don’t really have that background. They’re not tech companies.”
The FBI warned consumers last year that smart toys raise “concerns for privacy and physical safety” of children. The potential risks range from hackers eavesdropping on kids to stealing a child’s identity. The mining of sensitive data such as GPS location, pictures or videos, and known interests all could aid kidnappers, the FBI wrote.
In January, the Hong Kongbased electronic toy maker VTech agreed to pay $650,000 to settle charges by the Federal Trade Commission after a data breach exposed the personal information of millions of parents and children, including names, gender, birth dates, and email addresses. It was the FTC’s first children’s privacy and security case involving connected toys. And kids might not know the full ramifications of smart-toy data breaches until they apply for loans later in life and learn their identity has been stolen, experts said.
Last year, German officials labeled an innocent-looking smart doll, My Friend Cayla, an illegal “espionage device” and asked parents to disable it. The blond, childlike doll recorded conversations, translated them to text, and shared data with third-parties, according to a complaint filed in 2016 by consumer groups.
This went on despite the toy’s assurances that it would keep things confidential. If you asked the Cayla “can you keep a secret?” the doll said: “I promise not to tell anyone; it’s just between you and me.” The manufacturer, Genesis Toys, which is incorporated in Hong Kong and headquartered in Los Angeles, did not return a request for comment.
Internet-connected smart toys are growing in popularity, with the $6 billion market expected to expand to $18 billion by 2023, according to Juniper Research.
Federal law requires companies to get parental permission before collecting and sharing data of children under 13. The Children’s Online Privacy Protection Act also mandates clear privacy policies. It gives parents access to their children’s data, and enables parents to have the personal information deleted, among other rules.