Opinion: internet-connected toys may be all the rage, but we need to remember what they mean for a child's privacy and safety

It's the season for toys. Childhood play has undergone a profound transformation, migrating into the digital arena where there is a variety of internet-connected toys. Seeing this demand, industries have created opportunities for children to play and socialise online via internet-connected toys. But as well as enabling children to play online, these toys are also gathering user information, either surreptitiously or with the consent of parents or children, who agree to data collection and sharing practices in an effort to gain an optimal experience.

The Internet of Things is already in existence, with smartphone apps that remotely control objects and wearable tech measuring and monitoring sleep patterns, heart rates and exercise regimes. The Internet of Toys refers to the connection of digital and physical entities to gain access to new applications and services. Toys such as Hello Barbie and Smart Toy Bear, which use voice and/or image recognition, connect to the cloud, which allows children's conversations and images to be analysed, processed and acted on. Other app-enabled toys include drones, toy cars and robots connecting action figures to video games. In addition, there are puzzle and building games and children’s tech wearables such as smart watches and fitness trackers.

These toys put children’s security and privacy at risk through the surveillance of activities and incursions into their data privacy and security. Other risks include geo-tracking of children, remote control of toys’ recording and ‘speaking’ functions by others and hacked surveillance of internet-connected toys such as that of Mattel's Wi-Fi Hello Barbie and VTech's Learning Lodge in 2015.

CNET report on how the 2015 VTech hack exposed details of five million accounts, including kids' photos and chats

Toy companies are reluctant to assume responsibility for these security failures and tend to use terms and conditions that place the responsibility totally on consumers. However, the safety and security of children’s data requires companies to go beyond the "opt-in-opt-out" paradigm of data privacy.

It is argued that the protection of private life comes with positive obligations that go beyond non-interference. International courts have stressed that advances in technology and the potential for surveillance of citizens must be accompanied by rules to prevent an erosion of rights. More than 33% of US homes have at least one internet-connected toy, such as a cuddly creature who can listen to and respond to a child’s inquiries, and Amazon recently released an Echo Dot smart-home device aimed at children in an era.

These toys wirelessly connect with online databases to recognise voices and images, identify children’s queries, commands and requests and respond to them. Their unique selling point is that they improve children’s quality of play, providing them with new experiences of collaborative play, developing children’s literacy, numeric and social skills.

From Al Jazeera, 2017 report on how American and European consumer rights campaigners have expressed concern over the My Friend Cayla doll

Some such toys can connect to smartphone apps without authentication. In 2015, it was discovered that the Hello Barbie doll automatically connected to unsecured Wi-Fi networks that broadcast the network name "Barbie." A potential attacker could set up a Wi-Fi network with that name and communicate directly with an unsuspecting child. The same thing could happen with unsecured Bluetooth connections to the Toy-Fi Teddy, I-Que Intelligent Robot and Furby Connect toys. 

In 2017, German authorities said the My Friend Cayla doll was an "illegal espionage apparatus," leading to an outright ban. Some internet-connected toys have GPS like those in fitness trackers and smartphones and can also reveal users’ locations. In addition, the Bluetooth communications some toys use can be detected as far away as 30 feet. If someone within that range looks for a Bluetooth device, even if they’re only seeking to pair their own headphones with a smartphone, they’ll see the toy’s name, and know a child is nearby. The Consumer Council of Norway found that smartwatches marketed to children were storing and transmitting locations without encryption, allowing strangers to track children’s movements. Following an alert issued by Norwegian authorities, Germany banned the sale of children’s smart watches.

Internet-connected toys have cameras and microphones that watch and listen to children, recording what they see and hear. This information is then sent to company servers for analysis and instructions on how to respond. These functions can be hijacked to listen in on family conversations or take photographs or video of children without the parents’ or children’s knowledge. Toy manufacturers may not always ensure the secure storage or transmission of data. In 2018, toymaker VTech was fined US$650,000 for failing to encrypt private data and for violating U.S. laws protecting children’s privacy.

2015 promo video about Teddy the Guardian

Toy companies have also shared the collected information with other companies. In both Norway and the US, a business relationship with Disney led to the programming of the My Friend Cayla doll to discuss what were described as the doll’s favourite Disney movies with children.

Digital toys and devices have benefits for children. Baby monitors with built-in cameras enable parents to keep their child in sight from anywhere and GPS trackers help to locate missing children. Teddy the Guardian is an interactive toy with a vital signs sensor that enables parents to check their child’s temperature. There are internet-connected toys that promote science, technology, engineering, maths and coding. Internet-connected devices with fitness trackers help children stay healthy. There are even smart toothbrushes.

But without proper safeguards, children are at risk. With toys being connected to the internet, online hackers and other cybercriminals have the potential to access a clear pathway to the personal information of children. Internet-connected toys should be researched before purchase and their capabilities, functions and security and privacy settings evaluated. 

The views expressed here are those of the author and do not represent or reflect the views of RTÉ