The FBI has weighed into a major controversy with a consumer notice encouraging parents “to consider cyber security prior to introducing smart, interactive, internet-connected toys into their homes or trusted environments.”
The notice states that
Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions. These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.
It recommends close examination of user agreements and privacy policies, which should explain where personal data is sent and stored, and whether third parties have access to it. However, “safeguards for these toys can be overlooked in the rush to market them and to make them easy to use.” So a few web searches for known issues with the toys on your shopping list are also recommended. This is one of the easier ways to uncover problems with that latest talking doll.
The spectrum of personal information at risk of being hacked, shared or used without explicit consent includes
- Conversations within earshot of the device (such as the child’s name, school, likes and dislikes, and activities)
- Personal information (e.g., name, date of birth, pictures, address) typically provided when creating user accounts
- Voice messages, past and real-time physical locations, browsing histories, and IP addresses
Opportunities for child identity fraud and exploitation of minors are the gravest of concerns, and the FBI encourages “all consumers to research areas and circumstances concerning the toys and Web services where [existing] laws may or may not provide coverage.” The US legal and regulatory environment is explained as follows:
The Children’s Online Privacy Protection Act (COPPA) imposes requirements on Web site and online service operators directed to children under the age of 13 and on operators of other sites and services who knowingly collect personal online information on children under 13 (for further details on COPPA and protecting children online, refer to link). On 21 June 2017, the Federal Trade Commission (FTC) updated its guidance for companies required to comply with COPPA to ensure those companies implement key protections with respect to Internet-connected toys and associated services, to include the use of mobile apps, Internet-enabled location-based services, and voice-over IP services (link). In addition, a manufacturer’s failure to implement reasonable security measures for data collected by its Internet-connected toys could subject that company to an FTC enforcement action under Section 5(a) of the FTC Act, which prohibits unfair or deceptive practices in the marketplace.
Other sensitive data such as passwords and other Wi-Fi information “could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.” In particular, Bluetooth-connected toys interacting with a smartphone or tablet may not be protected by any pin or password at all. In many cases, such vulnerabilities could enable unauthorized direct communications with a child user, or even remote control of the toy itself.
The final section of the FBI notice instructs consumers to
- Only connect and use toys in environments with trusted and secured Wi-Fi Internet access
- Use authentication when pairing the device with Bluetooth (via PIN code or password)
- Use encryption when transmitting data from the toy to the Wi-Fi access point, server or cloud
- If they can be updated, ensure your toys are running on the most updated software and patches
- Research where user data is stored – with the company, third party services, or both – and whether any publicly available reporting exists
- Carefully read disclosures and privacy policies (from company and any third parties) and consider:
  - If the company is victimized by a cyber-attack and your data may have been exposed, will the company notify you?
  - If vulnerabilities to the toy are discovered, will the company notify you?
  - Where is your data being stored?
  - Who has access to your data?
  - If changes are made to the disclosure and privacy policies, will the company notify you?
  - Is the company contact information openly available in case you have questions or concerns?
- Closely monitor children’s activity with the toys (such as voice recordings) through the toy’s partner parent application, if possible
- Ensure the toy is turned off, particularly those with microphones and cameras, when not in use
- Use strong and unique login passwords when creating user accounts
- Provide only what is minimally required when inputting information for user accounts
- File a complaint with the Internet Crime Complaint Center if you suspect your child’s toy may have been compromised