- December 7, 2016
Groups file a complaint over toys they say are risky for your kids.
She’s not just a doll, she’s a real friend, the company says.
Some might call her a real spy.
My Friend Cayla wants your children to tell her where they live, where they go to school, who their parents are, and more.
But just about anyone can easily electronically eavesdrop on the conversation and talk to your child through the doll, according to consumer groups.
These groups filed a complaint today against the companies behind My Friend Cayla and i-Que Intelligent Robot, saying the toys are not secure, violate privacy laws and secretly market to your kids without your consent.
“I absolutely don’t think parents should buy these toys,” Josh Golin with the Campaign for a Commercial Free Childhood told Archer News this afternoon. “The privacy and security concerns are simply too great.”
The CCFC and other groups including the Consumers Union filed a complaint with the Federal Trade Commission against the doll’s maker, Genesis Toys, and a company called Nuance Communications that the groups say records and stores your child’s voice.
Neither Genesis Toys nor Nuance Communications has responded to a request for comment at this time.
Update: Nuance Communications referred us to a blog post about the issue.
“Our policy is that we don’t use or sell voice data for marketing or advertising purposes,” the post said. “Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers.”
“We have made and will continue to make data privacy a priority,” the post said.
My Friend Cayla doll. Photo: Forbrukerrådet
Not so innocent
“Unfortunately, these Internet-connected toys are not as innocent as they look,” says Finn Myrstad of the Norwegian Consumer Council in a video, as he stands by My Friend Cayla and i-Que. The consumer groups said the council’s research led to their action in filing the complaint.
Myrstad then demonstrates how he can use his own phone to talk through the doll to your child.
“No one wants others to speak directly through the doll or use it to eavesdrop,” Myrstad says through Cayla from his new location down the hall, and then outside his office. “Now that this can happen from a long distance makes it even scarier.”
Finn Myrstad of the Norwegian Consumer Council demonstrates how My Friend Cayla can be used to spy on and talk to children from a distance. Image from Forbrukerrådet
The toys do not have security preventing people from connecting to them with their phones or computers, according to the complaint.
“The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards,” the complaint said. “They pose an imminent and immediate threat to the safety and security of children in the United States.”
My Friend Cayla has been hacked before, with security researchers saying they could make her spew four-letter words.
Recording your child’s voice
“Cayla, can I trust you?” Myrstad asks the doll in the video.
“I don’t know,” she answers.
Finn Myrstad of the Norwegian Consumer Council asks My Friend Cayla if he can trust her in a video. Image from Forbrukerrådet
The toys collect your children’s statements and conversations and send them to a company called Nuance Communications, the consumer groups said.
Nuance may then use your child’s voice for law enforcement and military products, the consumer groups said in a press release.
“Genesis and Nuance are completely disregarding their legal and ethical obligations when it comes to kids’ privacy,” Claire Gartland of the Electronic Privacy Information Center Consumer Privacy Project said in the release.
“Instead, they have chosen to exploit children’s sensitive voice recordings and private conversations for corporate profit,” Gartland added. “It is extremely alarming that what a child says to her ‘trusted’ friend could end up in a voice biometrics database sold to law enforcement and intelligence agencies.”
The i-Que Intelligent Robot. Photo: Forbrukerrådet
The toys may be eager to share their favorite things with your kids.
Cayla, for example, tells them that she loves going to Disneyland, wants to go to Epcot in Disneyworld, her favorite movie is Disney’s The Little Mermaid and her favorite song is “Let it Go,” from Disney’s Frozen, the complaint said.
Kids may not understand that their “real friend” is actually a salesperson, and parents may not know about the low-profile advertising because the company doesn’t let parents in on the secret, according to the consumer groups.
“One of our concerns is that these dolls will be used to deliver covert marketing to children, so that was really a concern to see the Disney product placement,” Golin said.
Very private policies?
As a parent, you may have no idea these things are happening between your children and their new toy.
Genesis does not give you a link to the My Friend Cayla terms of service on the toy’s page, nor on the doll’s packaging, the complaint said.
You only get the My Friend Cayla terms of service—in a very small font—when you start downloading the app, the consumer groups said.
The companies make it hard for parents to learn what’s really happening to their children’s information, to try to delete their children’s voice recordings, and to stay updated on any changing terms of service, according to the complaint.
The apps and toys don’t require parental permission to download and use, the consumer groups said.
The My Friend Cayla app on Google Play.
Families should be wary about connected toys, Golin said.
“There’s this idea out there that anything is better if we hook it up to the Internet,” he said. “I’m not sure that’s the case when it comes to children’s toys.”
“Smart” toys may also be more vulnerable toys, some experts say.
“Parents should think that all these kinds of modern ‘toys’ are no longer toys actually, but true computers,” said Miguel Garcia-Menendez, president of the Innovation & Technology Trends Institute and vice president of the Industrial Cybersecurity Center.
“Therefore, the toys can be subject to the sort of problems any other current ‘computer’—or computer-like device—suffers nowadays,” he added.
At one point, the British government even discussed laws that could allow government spies to do “toytapping”—surveillance through connected toys—some cybersecurity experts said.
You may want to think twice before buying Internet-connected gadgets for the adults in your life as well this holiday season, recommended Lesley Carhart, a Chicago-based digital forensics expert.
The Norwegian Consumer Council took Cayla apart to investigate the doll’s security. Image from Forbrukerrådet
The consumer groups claim the toy and data companies behind Cayla and i-Que are violating consumer protection laws.
They want the FTC to investigate and stop the companies’ practices, like collecting and using children’s recorded voices, failing to give parents proper notice about what the toys do, and failing to prevent stalkers and predators from accessing the toys, the complaint said.
Don’t buy the toys, Golin advised.
If you already have, the Norwegian Consumer Council recommends you cancel the purchase if you bought it online, or try to return it to the store.
“If you want to keep the toy, remember to switch it off when not in use,” the Norwegian Consumer Council said on its website. “This way you have control over who can connect to the toy, but it does not solve the other issues. Also, remember, your child might turn on the toy again, leaving the device vulnerable.”
Children can gain more from simpler toys, Golin said. They use their imagination to make up their own conversations, rather than relying on scripted—and possibly commercialized—content.
“I have one eight-year-old, and you can be sure she will not get any connected toys this holiday,” he said.
Featured image shows My Friend Cayla and i-Que. Photo: Forbrukerrådet