Internet-Connected Toys Are Spying on Kids, Threatening Their Privacy and Security

Date of Release: 

Tuesday, December 6, 2016

For Immediate Release

Contact: 
Josh Golin, CCFC (josh@commercialfreechildhood.org; 617-896-9369)
Jeff Chester, CDD (jeff@democraticmedia.org; 202-494-7100) 

Internet-Connected Toys Are Spying on Kids, Threatening Their Privacy and Security
Groups say products violate federal kids' privacy law and FTC rules; New report on "Internet of Toys" accompanies unprecedented regulatory action from groups in US and EU

WASHINGTON, DC – December 6, 2016 – The growing popularity of "smart" Internet-connected toys poses significant privacy, security, and other risks to children, according to a complaint filed today by leading child advocacy, consumer, and privacy groups at the Federal Trade Commission (FTC). My Friend Cayla and I-Que Intelligent Robot, dolls marketed to both young girls and boys, collect and use personal information from children in violation of the Children's Online Privacy Protection Act (COPPA) and FTC rules prohibiting unfair and deceptive practices. The complaint calls upon the FTC to investigate and take action against Genesis Toys, the maker of My Friend Cayla and I-Que, and Nuance Communications, which provides third-party voice recognition software for the toys. Groups filing the complaint are the Campaign for a Commercial Free Childhood (CCFC), the Center for Digital Democracy (CDD), Consumers Union, and the Electronic Privacy Information Center (EPIC). 

When companies collect personal information from children through the Internet, they incur serious legal obligations to protect children's privacy. COPPA reflects a general understanding that the collection and use of information about young children should be treated with care and avoided when possible. Yet, the complaint charges, "Both Genesis Toys and Nuance Communications unfairly and deceptively collect, use, and disclose audio files of children's voices without providing adequate notice or obtaining verified parental consent." The complaint also takes issue with Genesis' failure to take reasonable security measures to prevent unauthorized Bluetooth connections with the toys. As a result, Genesis fails to prevent strangers and predators from covertly eavesdropping on children's private conversations, which "creates a substantial risk of harm because children may be subject to predatory stalking or physical danger." 

"With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices," said Claire T. Gartland, Director, EPIC Consumer Privacy Project. "The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain."

According to the complaint, the list of privacy violations by these "spy toys" is lengthy. For example, the packaging for My Friend Cayla has no mention of privacy, and locating the doll's Terms of Service is a major challenge. Once a parent does locate Cayla's Privacy Policy and Terms of Use, these documents shed little light on what information is actually collected from children, how it's used, or where it ends up. In one of the most serious legal violations, Genesis fails to get parents' consent before collecting children's voice recordings and other personal data. Children's voice recordings from the dolls are also sent to Nuance, a company that may use them for its law enforcement and military intelligence products.

"Genesis and Nuance are completely disregarding their legal and ethical obligations when it comes to kids' privacy," Gartland said. "Instead, they have chosen to exploit children's sensitive voice recordings and private conversations for corporate profit. It is extremely alarming that what a child says to her 'trusted' friend could end up in a voice biometrics database sold to law enforcement and intelligence agencies."

Today's FTC complaint is part of an unprecedented, coordinated, transatlantic legal action involving consumer and privacy groups in the US and Europe. Leading European consumer organizations filed a series of formal complaints with EU regulators, and with data protection, consumer protection, and product safety agencies in France, the Netherlands, Belgium, Ireland, and Norway. The combined US and European advocacy effort was triggered by groundbreaking research from the Norwegian Consumer Council, which conducted an in-depth legal and technical analysis of three Internet-connected toys. The Council's "Toyfail" report examined Cayla, I-Que, and Mattel's interactive Hello Barbie doll, all of which are produced and distributed by multinational companies and targeted at children.  

These products are part of a new generation of digital playthings – known as the "Internet of Toys" – which are growing in popularity, with consumers spending an estimated $2.8 billion on them last year. The toys use WiFi, Bluetooth, or mobile apps, and offer "smart" features such as cameras, microphones, and sensors that can record and respond to children's interactions. 

Consumer groups on both sides of the Atlantic have raised serious concerns about the threats that Internet-connected toys pose to children's privacy, security, and safety, as well as potential harms to children's psychosocial development. 

Researchers who analyzed the Cayla doll discovered that it had been pre-programmed with dozens of phrases that reference Disneyworld and Disney movies. This product placement is not disclosed to users and would be difficult for young children to recognize as advertising.

"Children form friendships with dolls and toys with 'personalities,' and confide intimate details about their lives with them," said CCFC's Executive Director Josh Golin. "It is critical that the sensitive data collected by these toys be subject to the most stringent protections and not be used for manipulative and sneaky marketing."

Katie McInnis, technology policy counsel for Consumers Union, said, "As more toys are connected to the Internet, we have to ensure that children's privacy and security are protected. When a toy collects personal information about a child, families have a right to know, and they need to have meaningful choices to decide how their kids' data is used. We strongly urge the FTC to investigate these companies, stop the deceptive practices, and hold them accountable."

"Children today are growing up immersed in a digital world, where mobile devices, games, apps, and now a new generation of Internet-toys are profoundly shaping their social interactions, personal experiences, and behaviors," commented Kathryn Montgomery, Professor of Communication at American University and consultant to CDD. "Regulators need to ensure that children will be able to reap the benefits of these digital technologies without being subjected to harmful practices that undermine their privacy, safety, and wellbeing." 

As Montgomery, who led the campaign for passage of COPPA, also noted: "This will be a crucial test of the new FTC under the Trump Administration. Now more than ever, we must ensure that children's needs are high on the policy agenda for the Big Data era." 

The full FTC complaint from CCFC, CDD, Consumers Union, and EPIC is available at https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf 

The full Toyfail report is available at http://www.forbrukerradet.no/siste-nytt/connected-toys-violate-consumer-...

A short video demonstrating the toys' vulnerabilities can be viewed at https://www.youtube.com/watch?v=lAOj0H5c6Yc

###

Issue: