A connected doll (i.e. a doll connected to the Internet), ‘My Friend Cayla', was banned last week by Germany’s telecommunications regulator, the Federal Network Agency, as it classified the doll as an ‘illegal spying device’. Parents were also urged to disable the connected doll.
The connected doll, which was voted as one of the top toys by the Irish Times for Christmas 2014, provides children with a connected play experience by listening and talking to them. When connected to an app via Bluetooth, children can ask the doll questions. The child's speech is then converted into text using speech recognition software and the app then searches the Internet for the answer and responds to the child. The doll is essentially connected to the Internet and is an Internet of Things (IoT) device.
However, this connected doll has raised concerns about the potential threat to children’s data privacy as a child’s interactions with the doll are recorded and potentially shared with third parties, which may include sensitive information, such as a child’s secrets. There have also been allegations that due to an insecure Bluetooth connection embedded within the doll, hackers could listen in or even talk directly to children through the doll.
In December 2016, privacy campaign groups in the United States submitted complaints to the US Federal Trade Commission alleging that a number of IoT toys (My Friend Cayla, i-Que Intelligent Robots and Hello Barbie) record children’s private conversations without any limitations on the collection, use or disclosure of this personal data in breach of data protection standards. The complaint also alleged that such toys could be heavily compromised because of an insecure Bluetooth connection.
Similar complaints were also made in the EU by consumer organisations to the European Commission, the International Consumer Protection and Enforcement Network (ICPEN) and to the European Data Protection Supervisor.
The EU complaints identified a number of issues:
Security – They noted that there are serious security flaws with two of the toys (My Friend Cayla and I-Que Intelligent Robots) as they have insufficient security measures to prevent unauthorised access to microphones and speakers.
Data Protection – They also claimed that the toys fail to meet data protection standards on a number of fronts and gave specific examples:
Consumer Protection – The complaints also alleged that these toys do not respect consumer protection standards and they identified a number of specific issues in this regard, some of which include:
The Office of the Data Protection Commissioner (“ODPC”) in December 2016 issued a Guidance Note regarding possible data protection issues with toys that use microphones and cameras which connect to the Internet.
The ODPC cautions that any interactions a child might have with these toys is a ‘potentially sensitive matter’. The ODPC highlighted, in particular, that some of these toys allow for the collection and recording of conversions between a doll and a child. It also warned that such voice recordings may be shared with third parties, for example for targeted advertising.
The ODPC has urged parents to take ‘extra care’ when buying these types of toys and has provided a useful set of questions for parents to consider before purchasing:
While IoT creates new play experiences and learning opportunities for children, it also poses risks to their privacy and security as hackers may be able to gain unauthorised access and control of devices such as connected toys. This highlights the need for connected devices such as toys to be designed with privacy, security and consumer protection laws in mind at the outset of the design stage, in order to avoid such issues arising at a later stage and also to avoid the cost of re-engineering products.
For further information on this topic, please contact Peter Bolger at firstname.lastname@example.org.