Advocacy groups in the US and EU applaud the move, but agree legislative changes are sorely needed for connected toys.
It’s not every day the government calls on parents to destroy their children’s toys, but that’s exactly what has happened in Germany, where a connected toy has been likened to spy gear and banned over security and privacy concerns.
According to the BBC, that’s because hackers can potentially use an unsecure Bluetooth device embedded in My Friend Cayla dolls to listen and talk to the children playing with them. Among other things.
This Bluetooth vulnerability was the subject of a recent complaint filed with the Federal Trade Commission by child advocacy, consumer and privacy groups in the US, which also said connected toys are spying on children and posing a threat to their privacy and security.
German blog Netzpolitik.org reports Professor Stefan Hessel of the University of Saarland examined the doll to determine whether it violated a German telecommunications act that prohibits the misuse of broadcasting equipment, which is intended to curb espionage. As a result of unsecured access to the microphone via Bluetooth, Hessel classified My Friend Cayla as a forbidden broadcasting system.
"Each Bluetooth-capable device within a range of about ten meters can connect to it and use speakers and microphone,” Hessel told Netzpolitik.org. “In an attempt, I had access to the doll over several walls. There is no built-in fuse.”
Netzpolitik.org reports Olaf Peter Eul of the Federal Network Agency, which is the German agency overseeing telecommunications, said the doll is tantamount to a forbidden espionage machine. This, in turn, is why Cayla must be destroyed by parents who otherwise risk up to two years in prison for possessing prohibited spy gear, Netzpolitik.org says.
Spiegel Online reports the Federal Network Agency also said all toys with secret image or sound recording are prohibited in Germany and it now plans to put more interactive toys to the test.
The BBC says additional EU bodies have also called for investigations, including the Norwegian Consumer Council.
“The Norwegian Consumer Council applauds Germany for banning the Internet connected doll Cayla,” the organization said in a statement on February 17. “It is, however, regrettable that EU laws are insufficient when it comes to digital privacy and security issues, which has resulted in Germany using a punitive espionage article that could see unwitting owners of Cayla fined with up to €25,000.”
In addition, Finn Lützow-Holm Myrstad, director of digital policy at the Norwegian Consumer Council, said, “We are calling for EU-wide rules fit for the age of connected devices, not only covering traditional issues such as choking, crash injuries and chemicals but also digital threats.”
The European Consumer Organisation (BEUC), too, said it welcomed the decision to ban the toy, but noted consumers are left empty-handed and will struggle to get compensation. It also agreed a legislative update is in order.
“The case illustrates the striking lack of up-to-date EU legislation in protecting consumers effectively from unfair commercial practices and the new security and privacy breaches that are emerging through connected products,” the BEUC said.
Monique Goyens, director general of BEUC, added, “If connected toys such as this speaking doll can be hacked to spy on or talk to children, they must be banned. Cayla illustrates how unprotected consumers are in an increasingly connected world.”
Similarly, Josh Golin, executive director of the advocacy group Campaign for a Commercial-Free Childhood, which is one of the groups that filed the complaint about Cayla with the FTC, said:
It’s great that German regulators are taking important steps to protect children from My Friend Cayla. And it’s great that leading retailers like Toys R Us, Target and Walmart are no longer selling the doll in the US. But it’s also crucial that we develop clear and strong global regulations for Internet-connected toys so that we no longer have to work to protect children’s privacy and security on a doll-by-doll and country-by-country basis.
The threats are myriad.
As The Drum previously reported, Cayla can tell you about the weather in your area at any time, which means there’s likely some kind of location tracking component.
Further, even though the app that powers Cayla is programmed with what manufacturer Genesis Toys called “a kid-safe proprietary software called Violet,” the doll has reportedly been hacked to quote 50 Shades of Grey and Hannibal.
Per the BBC, distributor Vivid Toy Group has previously said hacking was isolated and carried out by specialists, but it would utilize the information to potentially upgrade the app.
Genesis did not respond to a request for comment.