With the holiday shopping season now in full swing, a nonprofit group is warning parents to beware of certain toys.
Concerns about gifts for children typically involve health and safety problems. “Smart” and other internet-connected toys, one or more of which are in more than a third of households in the United States, pose another risk.
Such products collect personal information and sell it to companies that target kids, according to the U.S. Public Interest Research Group (USPIRG). The market is expected to grow to $18 billion within the next five years.
A new report by USPIRG, “Trouble in Toyland,” is based on a Mozilla analysis. The Firefox browser's investigators identified two popular toys that share young people's data with third parties: a robot named Dash, which purportedly “makes coding fun” on apps for various devices; and the Amazon Fire HD Kids' Edition, a tablet created for children as young as 3 years of age.
A toy that Mozilla previously criticized, the Amazon Echo Dot Kids Edition, is marketed as “an Alexa-enabled speaker … to play music, read news, play games and more.”
After USPIRG cautioned that “Amazon gets to know your kid's personal information from the cradle on,” the company responded: “Parents have the ability to view their child's tablet activity by logging into 'Parent Dashboard,' and can delete activity data by contacting Amazon Customer Service.”
In 2015, a hacker told Motherboard that Vtech, a toy manufacturer based in Hong Kong, was failing to protect tablet customers' data. The names, addresses, pictures and chat logs of 6.5 million parents and kids allegedly were exposed.
Earlier this year, Vtech agreed to pay a $650,000 fine as part of a legal settlement with the Federal Trade Commission for having violated the Children's Online Privacy Protection Act. The case was the first time a manufacturer of internet-connected toys had been punished, according to Vox.
The website reported that hackers could steal information from Bluetooth-enabled toys “to spy on or communicate with children.” One of the devices, which is no longer available, was a doll called My Friend Cayla. It had a microphone with an app that could analyze a child's words and develop a response. A criminal complaint filed two years ago cited the doll's ability to “record and collect the private conversations of young children without any limitations on collection, use or disclosure of this personal information.”
Authorities have long known that cyberattacks on Hello Barbie, Toucan and other such products are possible. Even teddy bears are not safe. CloudPets allegedly has not protected kids' names and birthdates, or audio recordings of them talking to stuffed animals.
In July 2017, the Federal Trade Commission (FTC) issued a statement regarding “smart, interactive, internet-connected toys … that learn and tailor their behaviors based on user interactions” with the use of “sensors, microphones, cameras, data-storage components … speech recognition and GPS options.”
The agency said “these features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.” Microphones, which record everything going on in a room, are especially invasive. The result is a threat not only to privacy, but also “physical safety,” according to the FTC.
Officials explained that to set up a user account, a child typically must enter personal information like name, birthday and address. Pictures of users are sometimes requested, as well. “In addition, companies collect … voice messages, conversation recordings, past and real-time physical locations, internet use history and internet addresses/Ips,” the FTC wrote.
The warning continued: “The exposure of such information could create opportunities for child identity fraud. Additionally, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.”
The agency advised parents to “examine toy company user agreement disclosures and privacy practices,” find out “where their family's personal data is sent and stored,” use “only connect and use toys in environments with trusted and secured Wi-Fi internet access,” use a PIN or password with Bluetooth devices, and employ encryption “when transmitting data from the toy to the Wi-Fi access point and to the server or cloud.”
Other recommendations include monitoring children's interactions with the toys, making sure the devices are turned off when not being used, and entering only required information.
Manufacturers also need to take action, according to Katie McInnis of Consumers Union, a nonprofit advocacy group. “With connected products flooding the marketplace, it's vital that companies pay attention to privacy and security,” she said. “This is especially true when products collect sensitive information from children.”
McInnis added: “We applaud the FTC for taking this action. We hope this is a sign that the FTC is going to be more vigilant in holding companies accountable for breaking privacy laws. Parents have a right to know and a right to choose how their children's personal data is being collected.”