Playtime's over: Internet-connected kids toys 'fail miserably' at privacy
Won't someone think of the children, literally?
The Electronic Privacy Information Center (EPIC) and the European Consumer Organization (BEUC) are calling for US and EU data protection authorities to take action against insecure networked toys.
Declaring that "My Friend Cayla," a Bluetooth-enabled doll released in 2014, and "i-Que," a connected robot released last year, "fail miserably when it comes to safeguarding basic consumer rights, security, and privacy," the BEUC on Tuesday presented findings about the device's shortcomings, based on an investigation by the Norwegian Consumer Council, a BEUC member.
The BEUC argues that the toys violate the EU Unfair Contract Terms Directive and the EU Data Protection Directive.
EPIC, also on Tuesday, filed a complaint with the Federal Trade Commission alleging that the toys violate US privacy law.
The toys, manufactured by Genesis Toys and supported by speech recognition software from Nuance Communications, are designed to talk to children and to capture their speech, in conjunction with Android or iOS mobile apps.
EPIC and BEUC contend the companies use collected data for purposes beyond interaction, specifically hidden marketing. The BEUC says that the toys spout pre-programmed phrases that endorse commercial products. "For example, Cayla will happily talk about how much she loves different Disney movies, meanwhile, the app-provider also has a commercial relationship with Disney," the BEUC said.
The BEUC also objects to the transference of speech data from EU-based children to Nuance, a US-based company. Moreover, it asserts the terms of service presented to customers are illegal because customers must agree that the terms can be changed without notice, that personal data can be used for advertising, and that information may be shared with undisclosed third parties.
Finally, BEUC says the toys lack adequate security measures because, without much effort, they can be hijacked using a mobile phone.
The EPIC complaint echoes those concerns: "The failure to employ basic security measures to protect children’s private conversations from covert eavesdropping by unauthorized parties and strangers creates a substantial risk of harm because children may be subject to predatory stalking or physical danger."
Pen Test Partners, a UK-based security research group, came to the same conclusion last year when it published details about several security problems affecting "My Friend Cayla" and hacked the doll to make it swear.
Genesis Toys, incorporated in Hong Kong and based in Los Angeles, was not immediately reachable for comment.
A spokesperson for Nuance, in response to a query from The Register, pointed to a post by Richard Mack, VP of corporate marketing.
Mack says Nuance has not received in inquiry from the FTC or other privacy authority. He stresses that the company's policy is that it doesn't use or sell voice data for marketing purposes and that it doesn't share voice data collected from one customer with another.
"Upon learning of the consumer advocacy groups' concerns through media, we validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint," he said. ®