Is Santa spying on your kids?
A set of consumer groups think so, and are petitioning the Federal Trade Commission to step in on Tuesday.
And in a broader report accompanying the complaint, consumer groups are warning that a coming “Internet of Toys” could have long-term implications for child safety.
“Product safety is no longer just about a small toy that you are afraid your kid will choke on,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “It’s about how the products are designed and what they might be doing with your children’s information.”
This story first appeared on Credit.com. Read it there.
Two hot new internet-connected toys “subject young children to ongoing surveillance … and pose an imminent and immediate threat to the safety and security of children,” the complaint alleges.
The two toys — one doll named My Friend Cayla, marketed to girls, and i-Que, which targets boys — are made by a Chinese company, Genesis Toys, which has a Los Angeles-based affiliate named Genesis.
iQue and Cayla engage in simulated conversations with children. They use Bluetooth to connect to smartphones and gain access to the internet.
“A child’s statements are converted into text, which is then used by the application to retrieve answers using Google Search, Wikipedia and Weather Underground,” the complaint says.
The toys are available from many U.S. retailers. On one product page, they are described as appropriate for children ranging from age 3-12.
“Via speech recognition technology, Cayla can understand and respond to your child in real-time about almost anything,” the page says. “She can tell stories, play games, share photos from her photo album, and can sing too. She can even help your child with their homework questions.”
The consumer groups — including the Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood and Consumers Union — claim that the devices record children’s conversations “without any limitations on collection, use or disclosure” of the personal information.
They say the Genesis toys violate the Child Online Protection Act and the Federal Trade Commission should step in immediately.
Genesis Toys claims that My Friend Cayla has amassed over 1 million fans worldwide, according to the complaint.
Attempts to reach Genesis for comment were unsuccessful. A phone call placed to the firm’s Los Angeles office was answered by an operator who directed a reporter to send questions to a customer service email address. An auto-response to that email said responses would not come for several days. A phone call to a media relations representative listed on a company press release indicated the telephone extension was no longer operational, and an email was returned undeliverable.
Massachusetts-based Nuance Communications, which provides voice recognition services for the toys according to the complaint, was also named in it. Emails and phone calls to that firm were not immediately returned.
The complaint alleges that the toys ask for personal information, such as parents’ names, favorite TV show, school name, and home city. The Genesis privacy policy – only available as a pop-up when downloading an app — says all data can be stored and shared with certain third parties, according to the complaint.
The consumer groups also say the toys don’t employ basic Bluetooth security, such as requiring a pairing code.
“As a result, when the Cayla and i-Que dolls are powered on and not already paired with another device, any smartphone or tablet within a 50-foot range can establish a Bluetooth connection with the dolls,” it says. That opens the door to strangers in close proximity being able to use the doll to connect with the child using it, the groups allege.
Last year, Mattel’s release of the Hello Barbie talking toy raised similar concerns, particularly after researchers were able to hack it. Mattel addressed that concern by offering a bug bounty program with its voice processing partner, ToyTalk.
In a report named Toyfail by European consumer group Norwegian Consumer Council timed to coincide with the U.S. FTC complaint, Mattel scored well in terms of privacy policy disclosures and minimization of data collection. Hell Barbie doesn’t connect to the Internet to supply conversation; it relies on pre-programmed dialog. But recordings of conversations are sent to ToyTalk.
ToyTalk’s privacy policy says those recording are used to refine its voice processing service, and are not used to contact or market to children.
Still, Josh Golin of Commercial Free Childhood, told Credit.com that parents need to be alert to these new kinds of toys finding their way under the Christmas tree.
“These are becoming must-have toys. And these problems are ongoing. Sure, there was a splash made when someone hacked the toy, but then it goes away,” he said. “This issue needs to be front and center for parents.”
Fundamentally, the toys are “not great to begin with,” he warned. (Real friends are superior to talking dolls that can mimic friendly conversations). But parents should be concerned that while kids are being trained to “connect with toys, and really confide in them,” there are longer-term concerns.
“I think what happens is there is a rush to get things into the marketplace before the technology and policy and ethical considerations have all been worked out…There’s this misguided idea that connection anything to the Internet makes it better. With toys, there’s all sorts of reasons you don’t want to do that,” he said. “The issues are really sensitive. The recordings of children’s conversations are really sensitive. And the fact that these companies can’t explicitly say, ‘This is exactly what we are doing with these recordings,’ should be very concerning to parents.”
The report from the EU group said that while Hello Barbie’s terms and conditions were written in clear language and are easily available online – in contrast to the Genesis toys – it was critical of Mattel for not explaining how changes to the privacy policy would be announced, and not being clear about what third parties might receive data that’s collected.
“Hello Barbie and ToyTalk only state that they can share data with ‘vendors, consultants, and other service providers’ without specifying or giving examples of what this entails,” the report says.
In an email, Jade McNorton, a spokesperson for ToyTalk maker, San Francisco-based Pullstring Inc., said “we feel this is clearly communicated” when asked about updates to the firm’s privacy policy, and pointed to this section of it:
“If we make changes, we will notify you by revising the date at the top of the Privacy Policy and, in some cases (such as for material changes), we will provide you with additional notice (such as adding a statement to our web site’s homepage or sending you a notification) and/or obtain your prior verifiable consent.”
She added that third-party firms which might receive data are detailed in the privacy policy also.
Still, the European report warned that the age of connected toys gives parents a lot more to thinking about when buying gifts this season.
“These discoveries are another sign that emerging IoT-technologies may not be well suited for children’s products,” the Norwegian Consumer Council concludes in its report. “Unless the manufacturers and service-providers are willing to take these issues seriously, the NCC are concerned that the area of connected toys is rife with potential risks for children’s safety and wellbeing, as they play and interact with these products.”
If you’ve read this far, perhaps you’d like to support what I do. That’s easy. Sign up for my free email list, or click on an advertisement, or just share the story.
Tweet this story |
Follow @RedTapeChron |
2 Trackbacks / Pingbacks