It has been a few months since we posted our white paper titled, “How Companies You Trust Are Stealing From You.” Since then, we decided to investigate a couple of Internet-connected children’s toys to monitor the traffic and determine if they too are taking data and uploading it to the Internet.
One of the toys we investigated was the Barbie Hello Dreamhouse. Our investigator set it up on our conference room table, got his laptop out and started capturing the network traffic it generated.
Soon after assembly and connecting it to the Internet, we learned that in order to use the voice recognition features of the dollhouse, we had to give permission to PullString, Inc. dba ToyTalk. We were asked to enter a name and email address.
After reading the above email, we learned:
- “Barbie Hello Dreamhouse involves the recording of audio, which may include voices”
- “We may also use these recordings as part of the customized sounds in your Barbie Hello Dreamhouse, which recordings would be heard by anyone using the toy”
We agreed to the above request for permission and then received a second email that contained legalese, again outlining what we had previously agreed to and included a link at the bottom to revoke consent. Overall, we were pleased with the openness in the disclosure offered by the companies associated with the Barbie Hello Dreamhouse. Other toy companies, however, have taken a considerably more aggressive approach to collecting information and may end up in court to defend their actions.
For example, the makers of i-Que and Cayla smart toys have been accused in a formal complaint to the Federal Trade Commission of ongoing surveillance on children and even posing an imminent threat to their safety. According to the recent complaint filed by the Electronic Privacy Information Center (EPIC) international consumer coalition, the doll prompts children to verbally answer questions about personal information—including their parents’ names, the name of their school and the place where they live. The complaint also states:
“The failure to employ basic security measures to protect children’s private conversations from covert eavesdropping by unauthorized parties and strangers creates a substantial risk of harm because children may be subject to predatory stalking or physical danger.”
Other countries such as Norway, France, Sweden, Greece, Belgium, Ireland and the Netherlands are filing complaints as well.
Pen Test Partners, a UK-based security research group, came to the same conclusion last year when it published details about several security problems affecting “My Friend Cayla” and hacked the doll to demonstrate they could make it say anything they wanted.
My Friend Cayla is hacked:
Manufacturers reserve the right to change the terms and conditions of their privacy agreements at any time. The Barbie Hello Dreamhouse agreement we reviewed stated that:
We felt the above was considerably more palatable compared to some other end user agreements that we have read.
A key takeaway from this is the realization that how data is collected, stored and shared is largely unregulated. Some companies are doing a pretty good job at full disclosure regarding the information they are taking; however, many are not.
Consumers need to be aware that anything connecting to the Internet or a computer, including children’s toys, has the ability to send information back to the mother ship on the Internet. Until industry compliance regulations are put in place, “Buyer Beware” is something we all need to take very seriously when buying anything electronic.