Parental and consumer groups have added a new threat category to their annual Naughty Toy gift list for 2023: Privacy Violations.
Toys that a child can talk to or interact with, that have a camera, a microphone, touch sensors, Wi-Fi or Bluetooth connectivity, or that have AI or VR capabilities pose the greatest risks.
Smart toys can violate the privacy of anyone in the household through their unsecured microphones, cameras, GPS, and voice recognition, and through internet connections over unsecured Wi-Fi or Bluetooth. Toys that leave voice and image data, location, and AI interactions with minor children vulnerable are in violation of COPPA, the U.S. Children's Online Privacy Protection Act. There have been reported cases of children being harmed and even abducted by bad actors hacking into and illegally using toy data to locate and/or communicate with children.
The US Public Interest Research Group (PIRG) and the Bureau of Consumer Protection at the Federal Trade Commission (FTC) warn adults to consider the privacy risks in children's smart toys. Their “Trouble in Toyland” 2023 list includes:
Toys with a microphone and/or a camera or other sensors. They may be recording and transmitting at any time. A toy with a wake word is always listening. Is there an indicator light for when it is listening, capturing images, or recording? Is there an on/off switch or is it always on?
Toys with an internet connection and/or an app can connect the child to the Internet of Toys. Is the Wi-Fi or Bluetooth connection secure? Does the toy prevent a stranger from listening to the child through it, or does it have strong password protection? Is it able to block unwanted intrusions? In order to know for sure, you will need to test it.
Does the toy automatically connect to unsecured Wi-Fi networks? A child's toy should not.
Toys with GPS tracking and unsecured Wi-Fi or Bluetooth connections can be especially dangerous if the toy's range extends outside the home, or if the child takes the toy to a public space. Good devices allow you to block unwanted pairings and should require two-factor authentication.
Toys that allow a child to connect with other “friends” through websites or apps are also potentially very dangerous. These toys allow a child to send or receive messages through social media like Facebook. The toy may ask to be linked with a social media account on set-up. Safe toys do not connect a child to any social media account.
Where is the collected information stored - in the toy, by the toy company's back-end server, or that of a third-party service provider? The more places and companies with which the data is shared, the greater the risk of a breach or hacking.
How are the voice and image recordings being used? Are they stored, shared, or even sold? These pose risks that misuse of private information will result in fraud, unwanted targeted advertising, AI inferences about the household or about the child, and identity theft.
Does the toy company have a privacy policy and is it satisfactory? For example, how long does the company say they will keep and use the data before deleting? Does it store recordings securely and only long enough to activate the play function, or is it retaining the data for as long as it chooses?
Does the toy have a memory card or can you otherwise access, review, and/or request permanent deletion of the recordings?
Does the toy have its own app? Are there in-app purchases? Does the app require a strong password? Does the app allow strangers to connect with the child or send the child messages? Can you opt out of data-sharing features on the app and allow the child to use the toy without connecting it to social media? If not, you may opt to delete the app.
Also, toys for children generally should not require linking to an online payment account such as Amazon, PayPal, or iTunes, nor should they require an account balance that children can access without parental oversight.
Does the toy mention age 13? Does it say it is intended for children over the age of 13? That means beware: it will collect, use, and store the toy's data, even on children under age 13, as if the child is an adult.
When setting up the toy, you should be linked to its privacy policy, advised of its security policy, and given the right to request deletion of the data.
Settings that restrict the toy from transmitting geolocation data, or that allow you as the user to adjust privacy settings, should be easy to find and use. Pay attention to how often the privacy policy and user settings are updated.
If the toy does not meet these basic criteria, opt for one that does. Examples of good and bad smart toy privacy and security practices and procedures are available at the link.
[S]mart toys come with unique risks that parents should be aware of.