The Electronic Privacy Information Center (EPIC) is asking the Federal Trade Commission (FTC) to ban vulnerable IoT-enabled toys from the marketplace.
In its complaint, the non-profit public interest research organization calls out two toys for spying on their young consumers: My Friend Cayla and the i-Que Intelligent Robot, both of which are produced by a Los Angeles company called Genesis.
"By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States."
Wow, okay... so how exactly are these toys spying on children?
Scandinavian consultancy Bouvet has the answer. It was commissioned by the Norwegian Consumer Council to investigate the two Genesis toys along with the Hello Barbie, a doll in which researchers discovered some serious privacy flaws back in 2015.
The trouble begins with how the toys communicate with the Internet. While the toys' apps use HTTPS encryption most of the time, the applications for My Friend Cayla and i-QUE don't when they communicate with Weather Underground, a commercial weather service provider. An attacker could therefore intercept the questions sent over unencrypted HTTP as part of a man-in-the-middle attack.
It gets worse.
Conversations between a child and either of the two toys don't remain private. Instead, they're sent to a speech recognition technology company called Nuance Communications, as Bouvet explains:
"In the agreements for Cayla and i-QUE it states that 'When you ask the app a question, this information request is stored on a Nuance Communication (for Apple-based users) or IVONA or Google (for Android/Google-based users) server in the cloud.' On Android the apps sends a request to the nuance.com webpage when they launches. If the apps cannot get the website they tell the user that they cannot connect to the internet, so the apps might use it as a test to see if they have access to Internet. The IP address 220.127.116.11, which is the IP address the apps uploads what we believe to be recordings to, is from Massachusetts Burlington, which is the same city where Nuance has their main offices."
And if that wasn't bad enough, a "toyfail" report published by the Norwegian Consumer Council reveals both toys come with an unreadable set of terms which, among other things, don't specify what constitutes personal data and allow the toys to share all data with unspecified "vendors, consultants, and other service providers."
Pretty scary stuff.
Given those privacy shortcomings, it's no wonder organizations other than EPIC are filing their own complaints.
On 6 December, the European Consumer Organisation (BEUC) announced it had written letters to the European Commission, the EU network of national data protection authorities, and the International Consumer Protection and Enforcement Network (ICPEN) accusing My Friend Cayla and i-QUE of violating several European consumer laws.
Monique Goyens, Director General of The European Consumer Organisation (BEUC), said this on the subject:
"Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy. As long as manufacturers are not willing to take these issues seriously it is clear that this type of connected products is not suitable for children.
"As an increasing number of manufacturers and providers move into the digital field, they must be careful with the security and privacy risks that the digital world opens up.
"With internet-connected devices gaining ground, market supervision is becoming increasingly complex. The challenge to make sure European consumers are properly protected is huge and co-operation between authorities and consumer organisations is key. The fact that business malpractices spill over national borders is making this task even harder."
At this time, it's unclear what will come of EPIC's complaint. We can only hope it will spark a conversation among IoT manufacturers to incorporate more robust security and privacy safeguards into their products.
In the meantime, we as consumers have a responsibility to demand better products. That includes toys that DON'T spy on our children, even if that means buying a regular old teddy bear and letting our children's imagination do its work.
Nothing is worth jeopardizing our children's privacy. If a toy doesn't live up to such a basic expectation, exercise your power of the purse and don't buy it. Toy manufacturers will begin to catch on sooner or later.