Are Smart Toys Spying on Your Kids?

By: Christa Kaila

February 8th, 2017

Toy company Genesis Toys, which specializes in tech toys, has caused controversy with its interactive toys My Friend Cayla and i-Que. According to a complaint filed with the Federal Trade Commission (FTC) on December 6, 2016, by a coalition of consumer privacy advocates, these spying toys pose a threat to the “safety and security of children in the United States”. The complaint alleges violations of Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive practices, as well as violations of the Children’s Online Privacy Protection Act (COPPA). The coalition, which includes the Electronic Privacy Information Center (EPIC), names in its complaint both Genesis Toys, which manufactures the toys, and Nuance Communications, the company in charge of the software used in the toys.

The Cayla toy, which resembles a traditional doll, and i-Que, which looks more like a robot, are both smart toys that can talk and interact with kids. The toys are an example of the so-called Internet of Things, as they are connected to the internet via an app that users download to their phones. When a user asks the toy a question, the toy records it and sends it to the app, which looks up an answer online so that the toy can respond. Although this might sound like an appealing and innovative idea, it has various troubling aspects. The recordings themselves are not deleted after the questions have been answered, but are instead sent to Nuance, which, according to the complaint, uses the recordings to enhance its other products and services that are sold to military, intelligence, and law enforcement agencies. Another issue is that the toy will ask the child to answer certain questions about themselves, including their own name, their parents’ names, and the names of their school and hometown. The toy will also invite the child to set their physical location, and the app collects the user’s IP address.

This is clearly problematic, as COPPA has strict rules on how personal information can be collected from children. COPPA requires the operator of the online service to verify that the parents have given their consent for this type of collection, which, according to EPIC, Genesis and Nuance have failed to do. The complaint also highlights issues with the Terms of Service and Privacy Policies of the companies; they are vague, subject to change without notice, and difficult to access. Yet another problem is that the toy connects to the app via Bluetooth, and this connection simply isn’t safe. Outsiders can easily access the toy with their own phones without any advanced hacker skills. There are also videos online where Cayla has been hacked by “ethical hacker” Ken Munro, who makes Cayla say things like “Calm down or I will kick the shit out of you”. Definitely not something parents would want their kid’s toy to be able to say.

This is not the first time that concerns have been raised about spying smart toys. Genesis has also been targeted by consumer agencies in Europe. In 2015, Mattel came out with its Hello Barbie, which was also criticized by privacy rights groups. As early as 1999, there was discussion about whether the owl-like must-have Furby toy was in fact a spy, and it was banned from entering the premises of the National Security Agency (NSA). In this case, however, it seems like the privacy violations are so egregious that the FTC, as the enforcer of COPPA, cannot just turn a blind eye to them.

Article in Consumerist:

https://consumerist.com/2016/12/06/these-toys-dont-just-listen-to-your-kid-they-send-what-they-hear-to-a-defense-contractor/

Complaint filed with the FTC:

https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf

Video of Cayla:

https://www.youtube.com/watch?v=EvMb_TusPPs