Some toys this holiday season have data and privacy issues, experts warn

The KidKraft toy kitchen looks like a normal children’s toy kitchen. It has all the accessories you would find in an adult-sized kitchen: a refrigerator, an oven, a stove and a sink. Plastic and wooden utensils and food are stored in drawers or in the small pantry.

What sets the kitchen apart is not obvious. Many items include RFID chips that allow sensors placed around the kitchen to register them. If a child pretends to fry something on the stove, a speaker might emit a sizzling sound. The RFID capability can be linked to Echo Dots, Amazon’s Alexa-hosting smart speaker product.

When connected, Alexa plays with the child using the kitchen, guiding them through recipes and pretending to buy from a display case included in the toy set, all while telling dad jokes.

While playing in the kitchen is a benign activity, what happens to your child’s data once Alexa collects it? What is it used for? Where is it stored? Who can see it, and do parents have any control over it?

“They tell you they won’t sell your child’s data to a third party,” said Shelby Knox, campaign director for Parents Together, a Washington DC-based family advocacy nonprofit. “But that hardly matters when it’s Amazon, a global consumer force, listening to your child play.”

The KidKraft kitchen is just one of many toys and gadgets that Parents Together highlights in a giveaway notice for possible privacy concerns. The report features a diverse range of toys and gifts, including a water bottle that collects geolocation data and a smart mirror that collects facial images of users that it sells to third parties.

“Unlike a toy that has small parts you can see your child playing with, things can happen on a phone, computer or tablet that you don’t know about until it’s too late,” Knox said.

Knox said the report is not intended to be comprehensive, nor to be a “do not buy” list. It doesn’t include every Alexa-enabled kids’ toy on the market; Fuzzible Friends, a range of Alexa-enabled plush toys, is a notable absence. Rather, the intention is to highlight tech toys that they deem intrusive or problematic so that parents, relatives and friends can be more cautious. They join a growing chorus of security advocates, including the FBI, warning of the dangers of smart toys.

Smart toys have a history of scandal

The problem with smart toys is not completely new. Privacy issues in the smart toy space have periodically surfaced since smart toys debuted over the past decade. It’s another form of what technology and privacy researchers call “surveillance capitalism,” the collection of intrusive data for hyper-targeted advertising. When toys collect data about children, it threatens to turn innocent play into profit, advocates warn.

In 2015, Mattel caused an uproar with Hello Barbie, a Wi-Fi-enabled doll that could have conversations with children. Hello Barbie stored recordings of children’s voices on remote servers operated by Mattel and its partner ToyTalk. Security researcher Matt Jakubowski successfully hacked the doll, accessing user information, voice recordings and account credentials. He claimed that he could use this data to determine users’ addresses. Mattel tried to keep the line alive with a connected smart “Dream House”, but the line was discontinued in 2017.

2017 was a bad year for smart dolls. Cloud Pets, a plush toy with a voice recording messaging app, leaked more than 800,000 voice recordings and personal user data through an unsecured database. German regulators sentenced a doll to death, advising parents to destroy a smart, conversational doll called ‘My Friend Cayla’. The manufacturer reserves the right to share data with advertisers.

“She was programmed to ask kids things like, ‘What’s your name? What is your parent’s name? Which school? What is your favorite TV program? What is your favorite meal?’” said RJ Cross, Don’t Sell My Data campaign director and policy analyst. “A child will treat this toy as a trusted friend, not realizing that there is a company on the other end listening and talking… It totally exploits the innocence of children.”

Unlike My Friend Cayla or Hello Barbie, Cloud Pets are always online and available.

Just last year, UK security consultancy Pen Test Partners successfully turned the Fisher-Price Chatter Bluetooth phone into a bugging device capable of bugging a neighbour’s house. Although Fisher-Price said the toy was intended for adults, it looks exactly like a plastic rotary Fisher-Price phone and can receive calls from any smartphone capable of Bluetooth pairing.

“Didn’t Fisher-Price learn of similar safety issues exhibited in children’s toys many years ago?” wrote Pen Test Partners on their blog.

Privacy policies longer than A Christmas Carol

Jen Caltrider, leader of the Mozilla Foundation’s Privacy Not Included project, works through privacy policy legalese for a living. She said the onus of managing privacy is often shifted onto parents.

“I’ve read enough privacy policies to know that they tell parents, ‘It’s your responsibility,'” Caltrider said. “It’s kind of ridiculous how these companies have pushed the responsibility on parents and their children to protect their own privacy on devices that aren’t designed to protect your privacy.”

Parents are asked to tick boxes, set up apps, and agree to long and confusing privacy documents for their children.

Caltrider singled out the Meta Quest VR headset as an item of particular concern. The virtual reality device uses 16 cameras to immerse users in digital worlds. Five of these cameras are focused on the face. Other cameras focus on your hands and your surroundings. Microphones record the environment. The location of the device is plotted. But to find out what happens to the recordings from those cameras, Caltrider had to read 14 different privacy documents and 37,700 words.

“It’s longer than a novel and it’s super complicated to understand,” Caltrider said. “And you’re giving up all that data to a company that has a really terrible track record of trying to collect as much data as possible and use that data to make as much money as possible.”

Meta is the new face of Facebook, Caltrider points out, which has been plagued by data leaks, privacy issues and intrusive user tracking for more than a decade.

Does the toy have to be smart?

So what are parents supposed to do? Parents Together’s Knox recommends that parents carefully weigh the installation of smart toys in the home, particularly because the responsibility for privacy will fall on them.

“When you buy them, really look at the privacy policy,” Knox said. “Think about the need to have a conversation with your child about safe use.”

Ideally this should be done long before you are in the toy aisle; advocates advise against making such decisions on the fly. If you’re shopping for someone else’s child or a parent, Cross recommends not surprising the parent with an intrusive toy.

“It’s not uncommon for a parent to buy the coolest smart toy because they think their nephew will enjoy it,” Cross said. “But it’s more important than ever to be careful with these toys.”

Another thing to keep in mind is that not all tech toys of the same type are created equal. Video game consoles, like the PlayStation or Nintendo Switch, are considerably safer and more secure than gaming app platforms like Roblox. Advocates advise going for tech toys from reputable companies.

A good rule of thumb, advocates say, is to really consider whether a toy or device should be connected to the internet or collect certain types of data. Why does the Hydroflask need your child’s location data? Should your child’s mirror collect and store images of your child’s face in the cloud?

“When it comes to kids, I think the right question is, ‘Do my kids need to be online to have fun with it?’” said Caltrider. “Or is it just better if I get the mute version?”
