EPIC, a digital rights non-profit organization, filed a complaint with the FTC against Chinese toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications for violating both children-specific and general privacy laws in the United States.
“Smart Toys” Exposing Children To Hacks And Spying
Last year, Mattel’s “Hello Barbie” doll came under fire by Campaign for a Commercial-Free Childhood (CCFC) for recording children’s voices and then sending those recordings to the company’s servers for analysis. The CCFC argued that this was a privacy violation because Mattel was recording children without parental approval.
Often, the companies behind such “smart toys” don’t even use good security, which makes those recordings vulnerable to hackers. The “Hello Barbie” toy was found to be vulnerable to remote hacking, and last year we also saw a large data breach of a Hong-Kong-based toy manufacturer that exposed 4.9 million accounts of parents and 6.3 million accounts of children. Almost half of the accounts were from parents and children living in the United States.
EPIC, along with the CCFC, the Center for Digital Democracy (CDD), and the Consumers’ Union (which is Consumer Reports’ policy and mobilization division), accused Genesis Toys and Nuance Communications of recording users without parental consent, which violates U.S. privacy laws. The complaint specifically mentioned two smart toys called My Friend Cayla and the i-Que Intelligent Robot.
The main target of the complaint is Nuance, because that’s where all the recorded data goes. EPIC said Nuance doesn’t comply with children's privacy laws such as the Children’s Online Privacy Protection Act of 1998 (COPPA).
The company’s “Nuance Identifier” service is described as follows:
“Nuance Identifier is a highly accurate voice biometric solution that allows public security officials to quickly and easily identify known individuals through their voice within large audio data sets, as well as enroll voiceprints for individuals under surveillance or investigation to:
- Connect the dots – quickly
- Deliver operational efficiencies by minimizing manual audio analysis”
EPIC called on the FTC to investigate Genesis Toys and Nuance Communications and halt any activity that doesn’t comply with U.S. privacy laws. The nonprofit organization also asked for “relief” for the affected customers, potentially in the form of refunds.
The Norwegian Consumer Council also evaluated the two toys made by Genesis Toys and described all the security issues in a video.
With the rise of the Internet of Things, everything around us will get "smarter" by using more powerful chips, more microphones, and more cameras, and this includes children's toys. It will be up to society at large, politicians, and enforcement agencies to strike a balance between allowing the products to be useful and preventing them from causing significant harm to their users through automatic voice and video recording and poor security that allows those recordings to be used by malicious actors.
Toys like these don't just stick to the children, but will be around in the home. With identifiable users the EULA practically makes it legit for Nuance to sell the service of live eavesdropping into any user's home, without noting the family under surveillance.
Isn't that the premise behind the animated movie G-Force? :P
The problem stems from what other purposes the data is (can be) used for, combined with what additional (personal) information the user is required to submit initially.
The only solution is to stay away from these products in the first place!