For many people, protecting your privacy on the internet is sort of like eating your vegetables, recycling, or watching Ken Burns documentaries: something you know you should do in theory, but don’t actually do that much in practice.
Yet when companies harvest kids’ personal data and share it with advertisers, the stakes are much higher. Kids don’t know the full extent of the risks of sharing their data with strangers — and without that knowledge, they can’t provide informed consent to do so. According to a new report from the US Public Interest Research Group (USPIRG), many tech companies making kids’ toys are taking advantage of that.
The report, “Trouble in Toyland,” raises red flags about privacy concerns posed by smart toys, or connected toys that may be sharing kids’ data with third parties. USPIRG cites an investigation by Mozilla, the organization behind the privacy-focused Firefox browser, which has created a Privacy Not Included buyers’ guide to kids’ toys.
Mozilla found that a Bluetooth-enabled robot called Dash shared children’s data with third parties; it also found that the Amazon Fire HD Kids’ Edition, a popular tablet that’s marketed to children ages 3 and up, shares your child’s data with third parties and does not delete the data it stores. The organization offered a sobering warning: “Amazon gets to know your kid’s personal information from the cradle on.”
In an email to Vox, Vikas Gupta, the CEO of Wonder Workshop, which sells Dash, denied the report’s claims. “All of Wonder Workshop’s robots and associated apps have always been compliant with the Children’s Online Privacy Protection Act (COPPA),” Gupta wrote. “We never collect, track, or share personally identifiable data about the children using our robots and apps. Due to technical limitations, it is not even possible for the robots to violate privacy laws.”
Amazon also denied the report’s security claims in a statement to Vox.
“Amazon has a longstanding commitment to privacy and data security, and Amazon FreeTime on Fire Kids Edition tablets is compliant with the Children’s Online Privacy Protection Act (COPPA). We do not share children’s data with third-parties,” a spokesperson said in an email. “Parents have the ability to view their child’s tablet activity by logging into Parent Dashboard (parents.amazon.com) and can delete activity data by contacting Amazon Customer Service.” (Mozilla did not immediately respond to a request for comment.)
Concerns about smart toys and privacy are certainly not new. (Earlier this year, Mozilla expressed similar worries about the Amazon Echo Dot Kids Edition, encouraging the company to be more transparent about how it uses children’s data.) There’s a great deal of parental anxiety surrounding the smart toys market, a space that encompasses everything from tablets to watches to dissectable augmented reality (AR) teddy bears.
That anxiety reached a fever pitch in 2015, when the Hong Kong-based kids’ toy company VTech was subject to a data breach that exposed the personal information of 6.5 million people, many of them children. The person behind the attack later told Motherboard that he hacked into VTech’s servers essentially as a public service, to expose the company’s “shitty security” to concerned parents. (VTech settled with the Federal Trade Commission for collecting parents’ and children’s data without permission and paid a fine of $650,000 earlier this year.)
The case marked the first time a connected toy company had been fined for violating COPPA, which is intended to protect the privacy of children on the internet; COPPA complaints have traditionally been leveled against website operators.
Perhaps more terrifyingly, many parents are concerned that hackers could hijack Bluetooth-enabled toys and use them to spy on or communicate with children. There’s evidence that this is possible, and not even that difficult. In the past, security researchers have found that toys like Hello Barbie and the robotic Toucan are vulnerable to being hacked, allowing anyone to gain access to data on company servers.
In one instance, security expert Troy Hunt noticed that information stored by the smart stuffed animal company CloudPets had been exposed, allowing anyone to access children’s names, birthdays, and even audio clips of them speaking to the toys. “There’s no doubt whatsoever in my mind that there are many other connected toys out there with serious security vulnerabilities in the services that sit behind them,” he wrote in a blog post.
In 2016, privacy advocacy groups filed a complaint against the makers of the Bluetooth-enabled My Friend Cayla doll, which comes equipped with a microphone so children can talk to the doll; that data is then processed and translated by an app so Cayla can issue a response. The complaint stated, among other things, that Cayla had the ability to “record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information.”
(Perhaps less egregious — but still problematic — was the report’s concern that Cayla was secretly a shill for Disney, and was programmed to advertise for the Epcot theme park.)
The German government pulled Cayla from shelves in 2017, arguing that it was classified as an “illegal espionage apparatus”; according to the US website for the doll, it no longer appears to be for sale at Walmart.
The controversy surrounding the doll prompted the Federal Trade Commission to update COPPA guidelines in 2017 to specifically refer to smart toy manufacturers, and the FBI has issued a statement warning parents to consider the cybersecurity risks associated with smart toys. But the technology is still relatively new and the smart toy industry is growing, with one projection estimating it’ll be worth $18 billion by 2023. It’s possible, even likely, that many parents just don’t know the extent of the risks associated with such toys.
Of course, to a degree, none of this is particularly surprising: Even the least tech-savvy consumer knows that we release a great deal of personal data to large companies on a daily basis. And while many of us take precautionary measures such as changing our privacy settings, for a lot of us, ceding our personal data is simply part of the trade-off of living in an uber-connected world.
Even Hunt points out in his blog post that the risks of connected toys are not “particularly any different to the ones you and I face every day with the volumes of data we produce and place online.” But when kids are involved, he says, “our tolerances are very different.” So it’s worth keeping these concerns in mind before you buy a Bluetooth-enabled teddy bear at that Black Friday sale.
Update 12/13: This post has been updated to include a statement from Vikas Gupta, the CEO of Wonder Workshop.