
Security and Privacy Challenges of Connected Toys: Can you trust your children’s new best friends?

Connected toys can bring a range of benefits to both parent and child, but there are also rising concerns with regard to security and privacy.

In the 1990s and early 2000s, popular children’s toys included Furby, the robotic owl-like creature that spoke to its user in its own language, and Tamagotchi, a digital pet that you could feed, play games with and take care of. Children’s toys today have evolved greatly: they are not only digital but incorporate a range of features that make them highly interactive. These toys can now come equipped with cameras, sensors, and microphones, but most importantly, they are connected to the internet. This new category of toys has many variations, ranging from “My friend Cayla” to The Dino and Hello Barbie. Through the use of Wi-Fi and speech recognition, the new Barbie doll can now speak to its users, continually learning from the voice recordings it collects and progressively adapting its responses. Similarly, “My friend Cayla” can talk with its user, as well as read stories and play games, through an application downloadable on Android or iOS. “Teddy the Guardian” is geared for use by infants and is devised to teach children to maintain a good posture and a healthy life.

It can measure a child’s temperature, and even check their heart rate and oxygen saturation. Although less interactive with the child, the toy enables parents to keep track of their children’s safety, even when they are not in close proximity.

Whilst these new toys bring a range of benefits to both parent and child, there are also rising concerns with regard to security and privacy. The majority of these toys are now connected through an application, downloaded on a smartphone or tablet, that links them directly to the internet. They are part of the Internet of Things, which is considered a major disruptive technology and is based on the continuous collection and sharing of users’ data. Here, the application that accompanies the toy generally requests the disclosure of personal data when people create their account, and the toy itself is able to collect and store the data it obtains from being used by the child. The data being collected can range from a child’s name, likes, dislikes, activities and current location to other personal and biometric data such as voice or picture. Children’s minimal awareness of the internet, and of the implications of disclosing personal information, makes them more vulnerable to the dangers of the internet.

These toys are said to have poor security measures in place, making them easy targets for a hack. They can give hackers easy access to personal information, which can ultimately be harmful to the individual and unreasonably expose children.

Because the users are children, the FBI has warned against the use of these toys given the safety and privacy risks associated with them, especially as there have been cases of the toy being hacked due to vulnerabilities in the system.

  • Children are more vulnerable and prone to be placed in risky situations on the internet.
  • Sensitive information such as location can easily be misused in case of a data breach or hack.
  • Children under the age of 16 are protected by specific laws, which require parental consent.

As a consequence of these specific concerns, most countries implement a specific regulation covering children and their data, and/or exercise stricter control over these devices and the companies that distribute them. This can be seen in the reactions to breaches in this particular field. These growing concerns about the security and privacy of connected toys have unfortunately proven well-founded after different cases of breaches that triggered claims and lawsuits.

In France in November 2017, the CNIL (National Commission of Informatics and Freedoms) summoned the company Genesis Industries Ltd., which distributes “My friend Cayla”, to secure the doll. They discovered that a person situated nine meters from the doll could pair it with a smartphone or other connected device without any authentication required and then access all the data contained in it (voices, preferences, recordings of conversations with the child…). Besides, the app connected to the doll, which requires data from the child, was not properly informing the parents about the use of the data. These kinds of practices will be treated severely and sanctioned under the European General Data Protection Regulation, which sets high requirements in terms of data security, transparency, and consent and enters into force in May 2018. In case of a breach of the GDPR, a company would be exposed to a fine of €10 million or 2% of the company’s global annual turnover of the previous financial year, whichever is higher, or, at a more severe level, €20 million or 4% of the global annual turnover of the previous financial year, whichever is higher.

On the other side of the Pacific, in January 2018, the US Federal Trade Commission together with the Office of the Privacy Commissioner of Canada settled their first-ever connected toy privacy case against VTech Electronics Ltd., resulting in a $650,000 penalty, in application of Canadian law, the US Safe Web Act, and the Children’s Online Privacy Protection Act. The case was a consequence of a data breach at the company that exposed the data of 6 million children and 5 million adults. The authorities concluded that VTech’s negligence and lack of reasonable measures were to blame.

These two precedents underline the strong willingness of the authorities to severely condemn data breaches in the field of connected toys. This is in response to people’s outrage and a universal demand for stronger protection for children from new tech toys, including Cayla, Teddy, and Barbie. National regulations are already a useful tool to make companies in this sector comply, but both requirements and sanctions will be reinforced by the implementation of the GDPR. Connected toys are one of the sectors of disruptive technologies where public authorities all over the world seem to have understood the challenges that arise and have opted to adopt a position consistent with the expected growth of the sector. “All toys will be connected in 2020,” claims a French newspaper; “They have to be secured” is the authorities’ answer.

Written by: Irina Roulin and Anais Alle, LLB Students

Assignment: Disruption and Technology in the Legal Markets

Professor: Cristina Sirera