“I look through your letters. I look through your lockers. I listen to your conversations, you don’t know that, but I do. I am the eyes and ears of this institution, my friends.”

J. Paul Zimmerman

Those of us who remember “The Breakfast Club” remember the concerned, almost panicked, look on John Bender’s face when Carl, the janitor, delivered those lines. We all knew what he was thinking: What has he seen or heard, and what has he reported? If the onslaught of web-enabled toys does not evoke the same response from parents, then it is time to consider them a little more carefully, because maybe they should.

Web-enabled toys are hitting the toy store shelves, accompanied by the marketing campaigns you would expect for the hot new toys at Christmas — meaning our children know about them, probably even if we do not. Rest assured, Santa has heard all about them. This year, the biggest marketing blitz for a web-enabled toy is probably for Hello Barbie™. More are coming, and at an increasing pace and with increasing capabilities. All of these devices (in this column, I will not always call them “toys,” for reasons that should be evident) present concerns as to privacy and security. Both issues must be understood, both are equally important, and both are addressed below in no particular order.

What Do Web-Enabled Toys Do?

Quite simply, web-enabled toys send information gathered by the device to one or more computer servers, which will do several things with that information, then send information back to the device, all via the internet.

What kind of information? It depends on the device. In the case of Hello Barbie™, that information is a recording of the child’s conversation with the doll. The marketing makes this seem like a very cool idea, and it is. Imagine a little girl having a conversation with her doll, which girls have done for decades. However, now Barbie responds, and not just with a handful of pre-loaded canned phrases that have nothing to do with what the child said. The doll is truly interactive, drawing from (so far) 8000 lines of dialogue. Its responses are relevant, and actually responsive, to what was said. In other words, Barbie now has speech recognition software that interprets what is said and responds accordingly. For those of you with Apple products, think of it as Siri with the body she wishes she had.

In a nutshell, when Hello Barbie™ is enabled, the device transmits the child’s conversation, via the internet, to a computer that interprets it, formulates a response, and sends the response back to the device for it to say something in response to the child. You can see how much fun it could be for the girl to finally have a companion to talk to, no matter what.

Other toys are more obvious in their reliance on the internet and remote computers, such as tablets and laptops intended for small children. But the appearance, branding, and marketing of a web-enabled toy makes it easy for parents to forget that it is a recording device, and for children to not even realize it in the first place.

Privacy: What Is the Device Doing With What It “Hears”?

The potential privacy concerns that web-enabled toys present arise largely from what else is happening with the information they obtain. These toys can be the “eyes and ears” of an institution, and amazing things can be done with what they “see” and “hear.” Often the information captured by the device (such as a child’s statements speaking to the device, or even a background conversation) goes to a computer server. As part of the process of interpreting the statements, they are stored on a computer somewhere. The recordings often are not deleted, even after the system sends the response to the doll. This raises two important questions: (1) How is that information being used by the toy company; and (2) With whom is the toy company sharing it (and what are those companies doing with it)?

So far, companies making these web-enabled toys have stated that they do not intend to “monetize” the information obtained, or in effect, sell it. However, there are other ways that the statements of a child can be of benefit to the toy company. For example, suppose a little girl tells her toy that her birthday is coming up, or a little boy mentions an upcoming trip to the beach. Part of the capabilities of the devices and their software could be to suggest to the child particular toys that might be suited based upon those conversations. A little girl’s birthday? What kind of birthday party are you having? A trip to the beach? A remote control dune buggy sure would be fun to play with. This is just an example of possible ways toy companies can benefit themselves using the information their devices obtain.

Speech recognition software will increasingly tailor conversations with children, and the data obtained from the devices allow companies to improve the devices and their software. While it is fun for the children, it also could be the next step in marketing and sales. It is well established that suggestions to children work: toy commercials run during cartoons, candy is in the checkout aisle at grocery stores, and the kids’ cereals are on lower shelves, where little eyes can see the brightly colored boxes.

And tailoring marketing is a huge part of what Google does — that is why banner ads on websites are often for products and services that have been searched recently. Combining these two proven concepts may not be far away. And we all know how committed children can become to particular gift ideas once exposed to them.

But the information stored on the toy company’s computer server does not necessarily stay there. What a toy company (or any other company) does with information it obtains is controlled in large part by its privacy policy. While privacy statements are generally easily obtained, their implications are not always easily recognized.

For example, a company may state that it will use data obtained by a device to improve the entire system and for other research and development and data purposes. What does that really mean? The recordings can also be shared with third parties. Who are those third parties, and what are they going to do with the data? That third party could be anyone, and their use(s) could be limitless. Suddenly, such a seemingly innocuous phrase in a privacy policy is far less innocuous. Furthermore, data files containing conversations between a child and his toy are property. Whose property they are is an entirely different discussion, but needless to say, it opens additional cans of worms. And while the company involved in the development of the speech recognition software may state that parents can delete the recordings from the company’s servers, the recordings may have already been shared under the privacy policy. Furthermore, privacy policies can be changed.

Security: If It Is on the Web, It Can Be Hacked

Web-enabled toys generally access the internet via Wi-Fi. Any device connected to the internet, including a toy (particularly if connected via Wi-Fi), can be hacked.

A new and rapidly growing development in technology is called the “Internet of Things” (“IoT”). The IoT is the connection of devices to computers via the internet. IoT devices are everywhere, and their numbers and capabilities are increasing rapidly in ways most people do not realize. A FitBit is connected to the internet. Garage door openers, home alarm systems, HVAC controls, and more are now web-enabled. If these devices can access the internet, then that means that others can access those devices.

Generally, these devices have some type of security software to try to prevent that. Much of this security software is written by other companies and bought (or licensed) by the company distributing the product. Some software is better than others. Sometimes, software has defects in it that hackers find and exploit. While software is often updated with “patches” (i.e., a software “band-aid” to repair a security defect), software and product developers often do not discover the defects and repair them until after they are exploited by hackers. And, of course, the device has to be connected to the internet in order to receive the patch. Furthermore, many people do not know that they need to change the password given to the device when it is built (or simply do not take the trouble to change it), and hackers generally know that common passwords include those oh-so-original passwords set by the factory, such as “Password,” or “8888.”

Suddenly, your child’s toy is sending information to a different computer, or is activated when it was not intended to be activated by the user. The device becomes the “eyes and ears” of someone else. The possibilities here are nearly endless, and scary. You may not have heard about it, but this very issue has already arisen in at least two frightening ways. Web-enabled baby monitors were hacked when their owners did not change the factory-set passwords, and the hackers gained control of the “eyes and ears” of the listening station in the cribs of children. Creeped out yet? Also, a manufacturer of computer devices for children was recently hacked, and the names, dates of birth, and other information of millions of child users were obtained.

Occasionally, malware (i.e., software written to do bad things) is unknowingly downloaded onto a computer device, giving a hacker control over the camera installed on the device and allowing the hacker to turn the camera on and watch what it sees, while the owner of the device does not know that it is on (or that its images are being obtained). Creeped out yet?

Gaining control of a web-enabled toy and turning on its “eyes and ears” is no different, either technologically or in its effect. If the idea of a hacker gaining control of a five-year-old’s toy in the middle of the night does not creep you out, I’m not sure what will. Certainly, changing passwords helps tremendously, but news stories of hackers exploiting security flaws in software are almost daily occurrences. If you think that a web-enabled toy is not subject to having security flaws, think again. Furthermore, the data stored on the toy company’s system that it obtained from the devices could also be targets for hackers.

Is the purpose of this article to dissuade you from buying these toys for your children? Absolutely not. (After all, if you do not buy it, how do you prevent the grandparents from doing it?) Am I saying that your child’s toy can turn into Chucky, from the 1988 movie Child’s Play? No. The purpose is to help you understand the implications of these devices, and to help you realize that while they are toys on the outside and in the way they interact, they are computers, with recording devices, video cameras, and transmitters, subject to being exploited by others who do not necessarily have your intentions for your children as their number one goal. Therefore:

  1. Choose wisely in buying these devices. Understand what their capabilities are and how these capabilities might change in the future.
  2. Read and understand the applicable privacy policies, and realize they allow consequences you may not intend. Seemingly innocuous phrases could have far-reaching implications. Using data for “research and development” could mean almost anything. Watch out for distractors, such as “examples” of what the company may do with the data, which rarely are limits to the privacy policy, but merely lead you to a particular, but maybe not completely accurate, conclusion of what the policy does and does not allow. Privacy policies often note that third parties that have access to stored data are subject to non-disclosure agreements. While that sounds reassuring, the passing reference to a non-disclosure agreement does not explain what the third party is allowed to do with the data — it may protect the manufacturer’s information, not the information obtained from the device.
  3. Change any passwords and allow the devices to update so that you receive repairs to security flaws.
  4. Stay tuned in to the child and the device.
