On Friday, a German privacy watchdog advocated for smashing a doll named My Friend Cayla out of concerns that it was technically an illegal espionage device that could be used by hackers to spy on children. The doll was quickly removed from the market.
Cayla includes Bluetooth-enabled speakers and microphone, as well as an internet connection through pairing with a smartphone. The doll can remember information about kids and parents and fetch things like the weather using the internet. “Cayla knows millions of things!” the ad says.
The Cayla app collects IP addresses and prompts children to set their physical location, according to an FTC complaint filed in December against toy maker Genesis by the Electronic Privacy Information Center.
The app also asks children to complete the following statements, according to the complaint:
- My name is
- My mom’s name is
- My dad’s name is
- My favorite TV program is
- My favorite meal is
- I go to school at
- My favorite princess is
- My favorite toy is
- The place I live in is called
Unfortunately, the hackers could theoretically listen in on conversations and even talk to children through the doll, privacy advocates warned.
The toy was also criticized for plugging Disney World and Disney movies in its pre-programmed responses.
This — privacy blowups over internet-connected toys with little to no security — is becoming a trend.
In November 2015, the toy maker VTech left data collected from its toys stored online where it was accessed by hackers. That data included personal identifying details for almost 5 million parents and more than 6.3 million kids, along with photos and chat logs between kids and parents.
Germany tells parents to destroy toy doll - because it can spy on their kids 😬 https://t.co/5XW7hbs9Et
— Internet of Shit (@internetofshit) February 17, 2017
Later that year, security researchers reported flaws in Hello Barbie, another interactive doll that stores conversations in the cloud where they could conceivably be accessed by hackers. ToyTalk, which makes Hello Barbie, had given security so little thought that it had programmed the dolls to connect to any Wi-Fi network with the word “Barbie” in it. After the flaws were revealed, ToyTalk resolved the issues and started a bug bounty program to detect future problems.
But just two months later, Fisher-Price had to update a “smart” bear that exposed kids' names, birthdates, genders, and other data.
Carla and Genesis smart toy i-Que robot, which has similar issues, are the latest toys to come under fire. And yet, the smart toy market is booming. Toys are heavily regulated at the federal level with provisions for lead paint, small parts, labeling, cleanliness, stuffing materials, how loud the sounds made by the toy can be, and so on, but no requirements for information security and data collection. The law needs to catch up.
