/ 17 December 2015

Hush, honey! Don’t speak in front of the toys

Hush, Honey! Don’t Speak In Front Of The Toys

This week saw the largest-ever hack targeting minors, described as an Ashley Madison-level breach. It serves as a reminder that children can be targeted too.

As parents shop for holiday presents, they should think twice about buying toys that connect to the internet. Privacy risks are very real for some “interconnected” toys but, unfortunately, it is not easy to understand privacy policies – even for a lawyer like me.

On Tuesday, VTech, a Hong Kong-based company that sells tablets, “learning” toys and apps designed for children, experienced one of the largest-ever hacks targeting children. Nearly five million parent accounts and 6.4-million children’s profiles are believed to have been compromised.

Security experts have been warning about the potential vulnerabilities of many next-generation toys that include features such as wi-fi, data collection and voice recognition.

For example, Hello Barbie, which Mattel put on the market in time for the holidays, was flagged by researchers for raising security concerns. Hello Barbie uses the ToyTalk app to transmit children’s conversations using wi-fi and stores them on ToyTalk’s server. Using speech recognition technology and artificial intelligence, Barbie responds to the child by selecting among more than 8 000 dialogue scripts.

Adults may find that information they used to register these kinds of interconnected toys, such as their email address or answer to a secret question, is used by hackers to access their bank accounts or perpetrate fraud. And who is to say if conversations among family members or friends could be recorded without their knowledge and turned over to law enforcement?

Marketers could potentially use information disclosed by children, location data made available by a device and tracking cookies to target personalised advertising to children who are too young to even understand the concept of advertising.

What can parents do to protect their children and themselves? The most foolproof method is simply not to buy these types of toys.

They generally offer little or no benefit while imposing substantial risks. Why encourage a young child to confide in an electronic doll and receive preprogrammed responses instead of playing with a real friend or holding an imaginary conversation with a traditional doll? What possible benefit is there to recording the child’s intimate conversations, storing them in the cloud and making them available to parents and unidentified third parties?

If parents want to go ahead anyway, being aware of privacy policies is key. The Hello Barbie privacy policy, for example, requires that parents agree to allow ToyTalk to “use, store, process, convert, transcribe, analyse or review” recordings of their child for a variety of purposes, including the vague and open-ended “other research and development and data analysis purposes”.

Although ToyTalk says it will not use recordings “to contact children or advertise to them”, it is unclear exactly what this means. Because data collection and analysis is not well understood by the public and is constantly evolving, it is unrealistic and unfair to place the burden of determining the risks on parents.

Nor can parents count on the law to protect their or their children’s private information – legislation has not kept up with technological developments.

The VTech hack has brought much-needed attention to the significant privacy issues raised by many new children’s toys. Until they are satisfactorily addressed, the best option for parents is to say no to dubious toys that may risk your child’s privacy. – © Guardian News & Media 2015