Could your child's new talking toy actually spy on your family? It appears that the answer is yes. A seemingly innocent toy has the capacity to eavesdrop on your household – and could be a prime target for hackers. A German watchdog has now banned sales, purchase and ownership of a doll — a doll that has stirred controversy in the U.S. as well — and parents who violate the ban may receive a hefty fine or even go to prison. 

See also: Cyber Security Threats to Move up the Agenda? (SYMC, PANW)

The Trouble with These Talking Toys 

In December, 2016, a coalition of consumer watchdogs warned that a pair of internet-connected toys created by Genesis Toys – the My Friend Cayla doll and i-Que Intelligent Robot – may gather personal information from children. Both toys use voice-recognition software created by Nuance Communications. The software enables the toys to answer questions children ask them.

Some consumer advocacy groups allege that Nuance is saving the recordings of these children-toy conversations for future use. Because the company has not provided adequate notice to parents, this action would violate a 1998 federal law designed to protect the online privacy of children.

A top German watchdog, Bundesnetzagentur, has now issued an order to parents to destroy the doll and banned sales, purchase and ownership of it, the Wall Street Journal writes. Violations of the ban can lead to fines up to €25,000 (close to $26,600) and two years in prison. Germany is known to have particularly tough privacy regulations, perhaps due to its legacy of surveillance and dictatorships in the past. Last year, the watchdog also banned a teddy bear functioning as a nanny-cam with the ability to connect to cell phones.

"Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy. This applies in particular to children's toys,"  Jochen Homann, Bundesnetzagentur's President said in a statement. "This is also to protect the most vulnerable in our society."

See also: Cybersecurity Stocks for 2017

Complaints from Consumer Groups

In the U.S., an alliance of consumer-privacy advocates filed a complaint with the Federal Trade Commission in December, naming both Nuance Communications and Los Angeles–based Genesis Toys, a complaint the Commission said it would "carefully review." The coalition filing the complaint included a number of organizations, such as the Electronic Privacy Information Center (EPIC), Consumers Union (publisher of Consumer Reports magazine), the Center for Digital Democracy and the Campaign for a Commercial-Free Childhood. According to the complaint, consumers “could not reasonably anticipate that their children’s voices and text would be recorded and used in this way.”

Nuance Communications, a speech-to-text company that sells voice biometric services, has contracts with military and law enforcement agencies, according to the complaint. It states, “The use of children’s voice and text information to enhance products and services sold to military, intelligence, and law enforcement agencies creates a substantial risk of harm, because children may be unfairly targeted by these organizations if their voices are inaccurately matched to recordings obtained by these organizations.”

Dangerous Dolls and Risky Robots?

My Friend Cayla retails for $59.93 at Walmart.com, where the toy is described as a “beautiful 18-inch interactive fashion doll that offers hours of imaginative play.” The description goes on to say, “Cayla can understand and respond to your child in real time about almost anything.” The i-Que Intelligent Robot costs £59.99 (roughly $64) at ToysRUs.co.uk and is described as an “interactive, intelligent robot” with a “wicked sense of humour” and “cheeky sound effects.”

Both the My Friend Cayla and i-Que Intelligent Robot toys include a Bluetooth microphone and speaker. Children download and use a mobile app to communicate with the toys. The My Friend Cayla doll asks for permission to access the hardware, storage, microphone, Wi-Fi and Bluetooth on the user’s smartphone or tablet. On the other hand, the i-Que Robot asks for permission to use a mobile device but does not explain why, according to the complaint.

When a child asks My Friend Cayla or i-Que Robot a question, the app searches for answers on sites such as Wikipedia and then responds. In the process the app records and collects these conversations, and the recordings are converted into text.

The complaint asserts that My Friend Cayla prompts children to share personal information, including the names of their family members and where they live and attend school. While this may seem innocent enough, the complaint alleges that these personal recordings could then be sent to Nuance Communications, which has more than 30 million “voiceprints” in its system. It further charges that in the My Friend Cayla privacy policy there is no mention of speech data or the collection and use of data by Genesis Toys, Nuance Communications or any other third parties.

Consumer advocates also warn that the two toys could be easily targeted by hackers, pointing out that any smartphone or tablet within 50 feet can connect to the toys via Bluetooth without a password. According to the complaint, “Researchers discovered that by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys.” EPIC says that My Friend Cayla dolls and i-Que robots should be pulled from store shelves immediately.

The Bottom Line

As an increasing number of toys incorporate Wi-Fi internet connections via mobile apps, privacy advocates are warning consumers about the safety of these products. Not only could they violate your family’s privacy; these toys might also be prime targets for hackers. Until the FTC resolves these issues, you may want to stick with the old-fashioned dress-up dolls and action figures. 

See also: Internet of Things Poses Massive Cyberthreat.

 

Want to learn how to invest?

Get a free 10 week email series that will teach you how to start investing.

Delivered twice a week, straight to your inbox.