The spectrum of personal information at risk of being hacked, shared or used without explicit consent includes

  • Conversations within earshot of the device (such as the child’s name, school, likes and dislikes, and activities)
  • Personal information (e.g., name, date of birth, pictures, address) typically provided when creating user accounts
  • Voice messages, past and real-time physical locations, browsing histories, and IP addresses

Opportunities for child identity fraud and exploitation of minors are the gravest of concerns, and the FBI encourages “all consumers to research areas and circumstances concerning the toys and Web services where [existing] laws may or may not provide coverage.” The US legal and regulatory environment is explained as follows:

The Children’s Online Privacy Protection Act (COPPA) imposes requirements on Web site and online service operators directed to children under the age of 13 and on operators of other sites and services who knowingly collect personal online information on children under 13 (for further details on COPPA and protecting children online, refer to link). On 21 June 2017, the Federal Trade Commission (FTC) updated its guidance for companies required to comply with COPPA to ensure those companies implement key protections with respect to Internet-connected toys and associated services, to include the use of mobile apps, Internet-enabled location-based services, and voice-over IP services (link). In addition, a manufacturer’s failure to implement reasonable security measures for data collected by its Internet-connected toys could subject that company to an FTC enforcement action under Section 5(a) of the FTC Act, which prohibits unfair or deceptive practices in the marketplace.

Other sensitive data such as passwords and other Wi-Fi information “could be exposed if the security of the data is not sufficiently protected with the proper use of digital certificates and encryption when it is being transmitted or stored.” In particular, Bluetooth-connected toys interacting with a smartphone or tablet may not be protected by any PIN or password at all. In many cases, such vulnerabilities could enable unauthorized direct communications with a child user, or even remote control of the toy itself.

The final section of the FBI notice instructs consumers to