child's privacy

child's privacyIs Santa spying on your kids?

A set of consumer groups think so and are petitioning the Federal Trade Commission to step in on Tuesday.

In a broader report accompanying the complaint, consumer groups are warning that a coming “Internet of Toys” could have long-term implications for child safety.

“Product safety is no longer just about a small toy that you are afraid your kid will choke on,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “It’s about how the products are designed and what they might be doing with your children’s information.”

Two hot new internet-connected toys “subject young children to ongoing surveillance … and pose an imminent and immediate threat to the safety and security of children,” the complaint alleges.

The two toys — one doll named My Friend Cayla, marketed to girls, and i-Que, which targets boys — are made by a Chinese company, Genesis Toys, which has a Los Angeles-based affiliate named Genesis.

iQue and Cayla engage in simulated conversations with children. They use Bluetooth to connect to smartphones and gain access to the internet.

“A child’s statements are converted into text, which is then used by the application to retrieve answers using Google Search, Wikipedia and Weather Underground,” the complaint says.

The toys are available from many U.S. retailers. On one product page, they are described as being appropriate for children ages 3 to 12.

“Via speech-recognition technology, Cayla can understand and respond to your child in real time about almost anything,” the page says. “She can tell stories, play games, share photos from her photo album, and can sing too. She can even help your child with their homework questions.”

The consumer groups — including the Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood and Consumers Union — claim that the devices record children’s conversations “without any limitations on collection, use or disclosure” of personal information. They say the Genesis toys violate the Child Online Protection Act, and that the Federal Trade Commission should step in immediately.

Genesis Toys claims that My Friend Cayla has amassed over 1 million fans worldwide, according to the complaint.

Attempts to reach Genesis for comment were unsuccessful.

Massachusetts-based Nuance Communications, which provides voice-recognition services for the toys, according to the complaint, was also named. Emails and phone calls to the firm were not immediately returned.

Too Much Personal Information? 

The complaint alleges that the toys ask for personal information, such as parents’ names, favorite TV show, school name and home city. The Genesis privacy policy — only available as a pop-up when downloading an app — says all data can be stored and shared with certain third parties, according to the complaint.

The consumer groups also say the toys don’t employ basic Bluetooth security, such as requiring a pairing code.

“As a result, when the Cayla and i-Que dolls are powered on and not already paired with another device, any smartphone or tablet within a 50-foot range can establish a Bluetooth connection with the dolls,” it says. That opens the door to strangers in close proximity being able to use the doll to connect with the child who’s using it, the groups allege.

Last year, Mattel’s release of the Hello Barbie talking toy raised similar concerns, particularly after researchers were able to hack it. Mattel addressed that concern by offering a bug bounty program with its voice-processing partner, ToyTalk.

In a report named Toyfail by European consumer group Norwegian Consumer Council timed to coincide with the U.S. FTC complaint, Mattel scored well in terms of privacy policy disclosures and minimization of data collection. Hello Barbie doesn’t connect to the internet to supply conversation; it relies on pre-programmed dialogue. But recordings of conversations are sent to ToyTalk.

ToyTalk’s privacy policy says those recordings are used to refine its voice-processing service and are not used to contact or market to children.

Still, Josh Golin of Commercial Free Childhood told Credit.com that parents need to be aware of these new kinds of toys.

“These are becoming must-have toys,” he said. “And these problems are ongoing. Sure, there was a splash made when someone hacked the toy, but then it goes away. This issue needs to be front and center for parents.”

The report from the EU group noted that while Hello Barbie’s terms and conditions were written in clear language and are available online — in contrast to Genesis toys — it was critical of Mattel for not explaining how changes to the privacy policy would be announced and for not being clear about what third parties might receive collected data.

“Hello Barbie and ToyTalk only state that they can share data with ‘vendors, consultants and other service providers’ without specifying or giving examples of what this entails,” the report says.

Marissa Beck, a spokeswoman for Mattel, objected to the European group’s criticism of its third-party data sharing notice.
“We have an entire section (in our privacy policy) that details this, called “What Information Do We Share With Third Parties?,” she said, pointing to the Hello Barbie policy on ToyTalk.com’s website. She also said the firm is clear about updates to the policy.

In an email, Jade McNorton, a spokesperson for ToyTalk maker, San Francisco-based Pullstring Inc., said “we feel this is clearly communicated” when asked about updates to the firm’s privacy policy, and pointed to this section of it:

If we make changes, we will notify you by revising the date at the top of the Privacy Policy and, in some cases (such as for material changes), we will provide you with additional notice (such as adding a statement to our web site’s homepage or sending you a notification) and/or obtain your prior verifiable consent.

She added that third-party firms which might receive data are detailed in the privacy policy also.

Should Parents Be Concerned?

Fundamentally, these types of toys are “not great to begin with,” Golin said. (Real friends are superior to talking dolls that can mimic friendly conversations). But parents should be concerned that while kids are being trained to “connect with toys, and really confide in them,” there are longer-term concerns, Golin said.

“I think what happens is there is a rush to get things into the marketplace before the technology and policy and ethical considerations have all been worked out …There’s this misguided idea that connecting anything to the Internet makes it better. With toys, there’s all sorts of reasons you don’t want to do that,” Golin said. “The issues are really sensitive. The recordings of children’s conversations are really sensitive. And the fact that these companies can’t explicitly say, ‘This is exactly what we are doing with these recordings,’ should be very concerning to parents.”

“These discoveries are another sign that emerging IoT-technologies may not be well suited for children’s products,” the Norwegian Consumer Council concludes. “Unless the manufacturers and service providers are willing to take these issues seriously, the NCC are concerned that the area of connected toys is rife with potential risks for children’s safety and well-being, as they play and interact with these products.”

Remember, you can keep an eye out for identity theft by monitoring your credit. (You can pull your credit reports for free each year at AnnualCreditReport.com and view two of your scores, updated every 14 weeks, for free on Credit.com.) Parents can request a credit history for their minor children from the three credit reporting agencies with documentation proving they are the parent or legal guardian to keep an eye out for child identity theft as well.

This article originally appeared on Credit.com and was written by Bob Sullivan.