EPIC In FTC Complaint: Spying Toys Pose Threat To Kids' Safety In The United States

EPIC, a digital rights non-profit organization, filed a complaint with the FTC against Chinese toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications for violating both children-specific and general privacy laws in the United States.

“Smart Toys” Exposing Children To Hacks And Spying

Last year, Mattel’s “Hello Barbie” doll came under fire by Campaign for a Commercial-Free Childhood (CCFC) for recording children’s voices and then sending those recordings to the company’s servers for analysis. The CCFC argued that this was a privacy violation because Mattel was recording children without parental approval.

Often, the companies behind such “smart toys” don’t even use good security, which makes those recordings vulnerable to hackers. The “Hello Barbie” toy was found to be vulnerable to remote hacking, and last year we also saw a large data breach of a Hong-Kong-based toy manufacturer that exposed 4.9 million accounts of parents and 6.3 million accounts of children. Almost half of the accounts were from parents and children living in the United States.

EPIC Complaint

EPIC, along with the CCFC, the Center for Digital Democracy (CDD), and the Consumers’ Union (which is Consumer Reports’ policy and mobilization division), accused Genesis Toys and Nuance Communications of recording users without parental consent, which violates U.S. privacy laws. The complaint specifically mentioned two smart toys called My Friend Cayla and the i-Que Intelligent Robot.

The main target of the complaint is Nuance, because that’s where all the recorded data goes. EPIC said Nuance doesn’t comply with children's privacy laws such as the Children’s Online Privacy Protection Act of 1998 (COPPA).

Because of its too-general privacy policy, EPIC fears that Nuance may also use the automatic listening capability on the toys to record children, as well as their parents and other people around them, for law enforcement purposes. Nuance offers biometric voice identification services to law enforcement by analyzing voices of people who use its speech recognition services in consumer products. It then gives law enforcement access to all of its stored 30 million voiceprints for the purpose of fighting crime.

The company’s “Nuance Identifier” service is described as follows:

“Nuance Identifier is a highly accurate voice biometric solution that allows public security officials to quickly and easily identify known individuals through their voice within large audio data sets, as well as enroll voiceprints for individuals under surveillance or investigation to:Connect the dots – quicklyDeliver operational efficiencies by minimizing manual audio analysis”

Genesis Toys was also accused of not having a privacy policy on its website or on the mobile app that controls the toys. The toys also use insecure Bluetooth connections, to which anyone passing by the children’s homes could connect.

EPIC called on the FTC to investigate Genesis Toys and Nuance Communications and halt any activity that doesn’t comply with U.S. privacy laws. The nonprofit organization also asked for “relief” for the affected customers, potentially in the form of refunds.

The Norwegian Consumer Council also evaluated the two toys made by Genesis Toys and described all the security issues in the video below:

With the rise of the Internet of Things, everything around us will get "smarter" by using more powerful chips, more microphones, and more cameras, and this includes children's toys. It will be up to the society at large, politicians, and enforcement agencies to strike a balance between allowing the products to be useful and preventing them from causing significant harm to their users through automatic voice and video recording and poor security that allows those recordings to be used by malicious actors.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • rantoc
    Anyone want to bet if a skynet ever were to spawn it would come from a gazillion of thoose IoT devices with a clever ai programmer... not strong by itself but in numbers.
  • Olle P
    While FTC zoom in on the "privacy for kids" issue I see much broader implications.
    Toys like these don't just stick to the children, but will be around in the home. With identifiable users the EULA practically makes it legit for Nuance to sell the service of live eavesdropping into any user's home, without noting the family under surveillance.
  • hoofhearted
    Does anyone know of router level blacklisting functionality, maybe in DDWRT or Tomato or such? Something that works like adblock where community driven lists can identify and block when data leaves your router destined for servers such as these?
  • hoofhearted
    I mean this concept can go on all these new devices. Cars, Smart TVs, Phones, etc. I see this as an ongoing problems and us consumers need something like adblock network blcklisting/whitelisting functionality to fight this kind of crap.
  • ammaross
    18971140 said:
    Anyone want to bet if a skynet ever were to spawn it would come from a gazillion of thoose IoT devices with a clever ai programmer... not strong by itself but in numbers.

    Isn't that the premise behind the animated movie G-Force? :P
  • Olle P
    18972230 said:
    Does anyone know of router level blacklisting functionality, ... identify and block when data leaves your router destined for servers such as these?
    Why would you want that? You buy these dolls because they can communicate with the kids, and the data traffic is required for that communication to function.
    The problem stems from what other purposes the data is (can be) used for, combined with what additional (personal) information the user is required to submit initially.

    The only solution is to stay away from these products in the first place!