Buying a connected toy for Christmas? Perhaps read this first...
‘Technology has surpassed our morality and our legislation – smart toys included’ – Jason Snyder, chief technology officer, Momentum
Hello Barbie is another connected toy that offers increased interactivity, but also poses additional risks.
When I was a kid, the cassette-playing bear Teddy Ruxpin marked the height of interactive play – and the fact that a coworker told my mother he was a money pit and I never received one may be one of the greatest tragedies of my childhood. After all, I was an only child and a toy that actually talked to me was the stuff of dreams.
And here’s where I start to sound like a curmudgeon: Kids today have far more options when it comes to interactive toys, which is not surprising in an era that has given adults connected homes and cars.
And while parents themselves may not fully comprehend the security risks that come with the connected devices they use, issues of security and privacy become particularly important when they involve products for children. And yet parents likely don’t fully realize what they are doing when they give their children connected toys this holiday season either.
Smartest toys
Connected toys for good little boys and girls this year include products like Hasbro’s Love2Learn Elmo, which comes with an app that enables a “customized play experience” in which parents can select a child’s name, along with “desired subject, level and favorites” and “the Elmo toy will talk and play based on those selections.” They also include smart toy company Elemental Path’s WiFi-enabled Cognitoys Dino, which is powered by IBM Watson and promises “the kind of personalized play experience every child deserves,” and the voice-enabled Hello Barbie Dreamhouse from Mattel. In this smart Dreamhouse, kids can use voice commands to open the door, make the chandelier spin, operate the elevator and even turn the staircase into a slide – hear that, Mark Zuckerberg? And, of course, smart toys also include Hello Barbie herself, who boasts a microphone, speaker and speech recognition technology – but who, funny enough, is not capable of standing on her own, as well as the “beautiful 18[-inch] interactive fashion doll” My Friend Cayla who, per manufacturer Genesis, can “understand and respond to [children] in real-time about almost anything.”
Cayla can also speak and understand Spanish and speak with a British accent and, like Alexa, can tell you about the weather in your area at any time. And that means there’s likely some kind of location tracking component within Cayla, which puts something of a more ominous spin on Genesis’ claim, “She's the smartest friend you will ever have!”
None of these toy manufacturers responded to requests for comment aside from Elemental Path and Mattel. The latter said, “Someone will follow up if they find [it] appropriate to do so at this time.” They did not.
According to JP Benini, chief technology officer of Elemental Path, however, connected toys offer unprecedented personalization and interaction, as well as upgradability.
“The toy you buy isn’t the same toy weeks down the line,” he said.
But he conceded most parents don’t seriously think about privacy on their own devices, much less that of their children, which is why Elemental Path asks for permission about data, uses encryption and anonymizes any interaction with third party entities.
Risky presents
But that’s not to say other toy brands necessarily have subversive motives. These interactive toys surely bring joy to countless children and the brands behind them are in fact taking some steps to ensure safety.
The app that powers Cayla, for example, is programmed with what Genesis called “a kid-safe proprietary software called Violet” that it said protects children from offensive and/or sensitive words and/or images.
And, according to Mattel, a one-time app download and a WiFi connection are required for two-way conversation between Hello Barbie and children, along with parental consent.
Nevertheless, Newsweek called Hello Barbie “your child’s chattiest and riskiest Christmas present” last year because in part of the aforementioned speech recognition, as well as the cloud database used to store conversations and information. Mattel said this gives parents the ability to, say, share snippets of Barbie’s conversations with their children to social networks. But, according to Newsweek, Hello Barbie is able to interact with children thanks to a partnership between Mattel and entertainment and technology company ToyTalk, which receives recordings of children’s conversations with Hello Barbie and uses speech recognition and AI to trigger increasingly tailored responses. However, the resulting data can also be accessed by third party vendors for research and development, Newsweek reported. And many parents giving their children Hello Barbie may not realize that.
In fact, according to Jason Snyder, chief technology officer of brand experience agency Momentum Worldwide, it is very easy for smart devices to record, store and transmit a great many number things consumers may not realize, including position, presence and proximity, as well as sounds and types of sounds -- like creating a so-called voice print to distinguish between people or to listen for pets or certain music or TV programming – in addition to the time of day, location and movement. But that’s not all! It’s also easy to record, store and transmit details like acceleration and vibration and how hard and where on the object something is squeezed or held, as well as the amount of light or dark, in addition to temperature, barometer and humidity, he said.
“As an eight-year-old, the top of my list for Santa was the electronic game Simon. In 1978, Milton Bradley marketed the fat, Frisbee-shaped device that dominated homes across America. Using the randomizing capabilities in the microprocessor, we would sit around trying to repeat the game's pattern of flashing colors and whining sounds. But that was all Simon did. Nobody worried about Milton Bradley making a voice print of eight-year-old me and sending it across the Internet to a machine learning engine to adapt to my moods and behaviors,” Snyder added. “At that time, there wasn’t an internal clock transmitting when I played Simon, or a microphone, accelerometer, Bluetooth or WiFi radio and location services to identify and transmit what room it was in when I played and where my home was, what we were saying and who we were saying it to while we played.”
And that goes to show how much the world has changed, doesn’t it? And that there’s a very real possibility consumers are not prepared for this.
The complaint against Cayla
Cayla and the i-Que Intelligent Robot in particular were the subject of a recent complaint filed with the Federal Trade Commission by child advocacy, consumer and privacy groups, which said connected toys are spying on children and threatening their privacy and security.
The complaint asked the FTC to investigate Genesis, as well as Nuance Communications, which provides voice recognition software for toys like Cayla and i-Que, because they “unfairly and deceptively collect, use and disclose audio files of children's voices without providing adequate notice or obtaining verified parental consent.”
Further, the complaint said Genesis has not taken reasonable security measures to prevent unauthorized Bluetooth connections and fails to prevent strangers from covertly eavesdropping.
The complaint also said the terms of service for a toy like Cayla are hard to find and “shed little light on what information is actually collected from children, how it's used or where it ends up,” which could include law enforcement and military intelligence products. Further, a press release about the complaint noted Cayla is pre-programmed with dozens of phrases about Disney World and Disney movies, which children may not recognize as advertising.
Uncharted territory
For her part, Alison Mierzejewski, senior editor at toy review site Toy Insider, said this is new territory for toy manufacturers as well and they are going to great lengths to impose new safety standards, such as Mattel with Hello Barbie, which doesn’t register certain information she hears from a child, like an address or phone number. And, what’s more, Mierzejewski noted parents frequently hand over their own devices to children, which are just as vulnerable, if not more so.
“While connected toys might not be perfect, they are still a great option for kids,” she said, adding safety is one of the biggest concerns she sees at trade shows.
Smart toys do offer incredible advantages when it comes to, say, education. But they nevertheless raise ethical questions about the bold new world we live in – not to mention they open another avenue for hackers.
And, per Snyder, even if a toy company has no intention of violating a child’s privacy, the Internet and near-field communication connections are “low-hanging fruit for hackers or ruthless marketers.”
In fact, Darren Guccione, chief executive of password manager and digital vault company Keeper Security, pointed to a 2015 breach at electronic learning product company VTech, which included the personal information of children.
“Children are attractive targets for hackers,” Guccione said. “Child identity theft is 35 times more common than adult identity theft. More unsettling, credit reports fail to detect 99% of instances of child identity theft. This means that families don’t realize that a child has been hacked for many years, giving hackers the needed time to take out loans or file tax returns in their name. Another frightening concern is that many of these devices transmit audio, video and geolocation, giving child predators access to your children.”
Further, Guccione noted the IoT landscape simply lacks regulation overall, which has resulted in grossly inadequate cybersecurity practices. And even though he said connected toys are “awesome,” and “offer a great platform for children in terms of engaged education, creativity and fun,” they also represent a massive cybersecurity risk and he expects the government will eventually step in and impose requirements on manufacturers.
Pointing to a study from Washington University in St Louis -- “Analysis of Security Concerns & Privacy Risks of Children’s Smart Toys” -- Snyder more or less agreed.
“The conclusion of the research is very much like many of the studies around security and privacy with connected devices in a world of ambient intelligence,” he said. “The simple fact that technology has surpassed our morality and our legislation – smart toys included.”
Benini concurred, adding legal ramifications are usually a great way to get companies to respond -- and since the pace of technology is much faster than legislation, companies should perhaps be self-governing.
Snyder said manufacturers can also do their part by publishing simple warnings like the FCC does and by making more secure products that encrypt data and store it locally, meaning it is never transmitted in the cloud or on other servers unless encrypted and obfuscated. Further, he said the architecture of the systems should respond to the personal or private information in a manner that would do everything possible to protect the identity and location of a child and communications should be encrypted point to point.
Security experts agree parents should take the time to read through the disclosures that come with connected toys so they are educated about what they are giving their children. But that’s admittedly sometimes a tall order. August Brice, chief executive of privacy and security firm Safertech, noted smart toys are often produced in partnership with third parties who have their own privacy policies that parents need to find and read, too.
Reaching out to advocacy groups is perhaps a more realistic option as they are typically aware of what's in these disclosures. And so, too, is a simple Google search, which may reveal if a particular toy has been hacked and poses a potential risk, Benini added.
In addition, Zach Lanier, director of research at security software firm Cylance, said parents should look at toy manufacturer track records, determine what data is actually collected and make sure WiFi-enabled toys support generic WiFi capabilities like WP2.
And then there are the bigger questions we have yet to collectively answer.
“Perhaps we have to reframe our ethics, our understanding of what privacy means and, in the case of toys, what role we want the Internet and machine intelligence to play in the lives of our children,” Snyder said. “Will the AI share and amplify our values? Will it provide educational and emotional growth opportunities? Or is it trying to learn a child’s behaviors to persuade them to love a certain product or brand? At this point, there is very little legislation forcing toy manufacturers to employ even basic security measures to protect children’s private conversations and behaviors from covert eavesdropping by unauthorized parties and strangers. Does this create a substantial risk of harm because children may be subject to predatory stalking or physical danger? As a parent, these ideas should certainly be a part of our purchase consideration set.”