Eavesdropping concerns and security failings were behind November’s decision in Germany to ban sales of various children’s smartwatches, just as My Friend Cayla, an infamous connected doll, was banned for similar reasons earlier in the year.

The Federal Network Agency regulator said it had taken prompt action against online retailers serving the domestic market, urging destruction of the smartwatches:

The agency has instructed parents to destroy any devices they have bought, and asked schools to be on the lookout for smartwatches being used by children — and to request destruction of listening devices they identify.

German law prohibits the manufacture, sale or possession of surveillance-capable devices which are disguised as or resemble unrelated objects. A key feature and selling point of these smartwatches is that parents can remotely (via an app) activate a microphone to listen in on their child’s environment. Though the smartwatches had basic security issues which might allow hackers to eavesdrop, these flaws could easily be fixed by their respective manufacturers after hearing of the ban. The unfixable problem is that children wearing the watch cannot prevent a fully-authorized user – their parent – from listening to conversations in their vicinity. Eavesdropping on other children or adults in this nonconsensual manner violates German law.

In October, the Norwegian Consumer Council published their #WatchOut report, which looked at the Gator 2, Tinitell, Viksfjord, and Xplora smartwatches, concluding that these are “wearable mobile phones” with “critical security flaws” produced in a “chaotic” marketplace of low-cost Chinese manufacturing, rebranded for Western retail with a clear “lack of respect for consumer rights”. They also produced an accompanying video.

Ken Munro, a security expert, told the BBC:

“Poorly secured smart devices often allow for privacy invasion. That is really concerning when it comes to kids’ GPS tracking watches – the very watches that are supposed to help keep them safe. There is a shocking lack of regulation of the ‘internet of things’, which allows lax manufacturers to sell us dangerously insecure smart products.”

Concerns over internet-connected toys were similarly raised by the UK consumer group, Which?, who put out a safety alert last month:

Over the past 12 months, Which?, in collaboration with consumer organisations and security research experts, has conducted investigations into popular Bluetooth or wi-fi toys on sale at major retailers. This has revealed concerning vulnerabilities in several devices that could enable anyone to effectively talk to a child through their toy:

  • In all cases, it was found to be far too easy for someone to use the toy to talk to a child.
  • Each time, the Bluetooth connection had not been secured, meaning that person didn’t need a password, Pin code or any other authentication to get access. That person would need hardly any technical know-how to ‘hack’ your child’s toy.