“My Friend Cayla” might be a spy, according to the Electronic Privacy Information Center (EPIC) and other advocacy groups who filed a complaint about the doll’s data collection risks with the FTC in December.[1] Cayla uses Bluetooth technology to connect to the Internet, then communicates in real time with children using speech recognition software.[2] A recent security investigation revealed the ease with which a hacker could remotely control the doll’s speech and collect children’s recordings.[3]
The Internet-connected toy industry has proliferated recently, constituting a significant portion of the Internet of Things.[4] In fact, the Internet of Toys is projected to be a $11.3 billion industry by 2020.[5] As the Internet of Things expands, technology consumers are subjected to unprecedented surveillance in their homes.[6] Children are especially vulnerable to privacy exploitation, and advocacy groups argue that the FTC has an obligation to protect children’s privacy in this context.[7]
These privacy groups have criticized the surveillance and data collection capabilities of connected toys. EPIC, joined by other organizations including The Center for Digital Democracy and Consumers Union, formally requested that the FTC investigate Genesis Toys, a toy-making company, and Nuance Communications, a speech recognition technology developer.[8] The complaint alleges that “toys that spy,” specifically Cayla and an i-Que Intelligent Robot, record and collect children’s private conversations without complying with meaningful data protection required by the Children’s Online Privacy Protection Act (COPPA).[9] The FTC responded, promising to carefully review security risks regarding connected toys.[10]
COPPA was enacted prior to the explosion of the connected toys market, but it provides a privacy framework for technology companies that collect data from kids online.[11] The statute requires companies, among other things, to: obtain affirmative parental consent before collecting personally identifiable information from children under 13; post a clear and conspicuous privacy policy; and to retain personal information only as long as necessary for functionality of the program.[12] EPIC alleges that Cayla and i-Que’s privacy policies are confusing and difficult to access; their parental consent systems are inadequate; and Genesis retains children’s personal data indefinitely.[13] Furthermore, the security of the toys’ Bluetooth connection is possibly the greatest concern: EPIC claims researchers were able to converse and listen to conversations collected through the toys.[14]
These data security concerns are validated based on other enormous breaches to connected playthings. In March, a breach to Internet-connected CloudPets stuffed animals exposed 80,000 users’ personal information, including children’s profile pictures and voice messages.[15] The CloudPets app allowed easily decipherable passwords and the company apparently ignored warnings from security breach experts.[16] In 2015, educational electronics company VTech was hacked, compromising names, genders, and birthdates of five million people, including children.[17]
German regulators have gone so far to protect kids’ data as to ban My Friend Cayla as an “espionage device.”[18] This label indicates that the doll shares children’s voices and is vulnerable to third party hacking.[19] Jochen Homann, President of Germany’s Federal Network Agency, says that the problem with this particular toy is that she looks like a traditional doll; Cayla provides no notice that she collects and transmits everything the child says.[20] Here, in fact, the child’s recording is sent to Nuance Communications, a company which also happens to provide voice recognition services to U.S. intelligence agencies.[21]
An outright ban on these type of covertly-connected toys would be excessive for the United States’ privacy regime. Germany has one of the strongest data-protection law schemes in the world: the country considers the individual’s right to privacy to be more vital than any public right to information.[22] Germans’ sensitivity to questions of data collection stems from their experiences under Nazi and Communist rule, when releasing personal information could be a “matter of life and death.”[23] The U.S. system, by contrast, attempts to balance individual privacy rights with general consumer freedom and choice.
To maintain that balance in a rapidly burgeoning Internet of Toys market, privacy advocates argue that the FTC should vigorously enforce COPPA. Last month, U.S. Senator Bill Nelson wrote a letter to the Commission, requesting that it detail the steps it has taken under the COPPA Rule to protect children’s personal data with regard to connected toys.[24] The FTC revised its COPPA Rule in 2013 to include children’s photos, audio and video recordings, and geolocation in its definition of personal information.[25] Nelson believes the FTC should make further revisions to provide itself with sufficient authority to protect children’s data specifically with regard to connected toys.[26]
Cayla promises to be a “real friend” who “understands you.” [27] Interactive “friends” such as Cayla and i-Que provide children with important opportunities to communicate and play, promoting social and cognitive development.[28] However, it’s also important that the FTC balance these consumer benefits with privacy concerns. Enforcing COPPA would inhibit third party hacker “friends” from stealing children’s personal information via unsecure and clandestine Bluetooth connections and recording devices.
Casey Thomas is currently a second-year law student at the Benjamin N. Cardozo School of Law. She is a Staff Editor on the Cardozo Arts & Entertainment Law Journal and has interned with the Tech Startup Clinic. A former kindergarten teacher, Casey now looks forward to a career in transactional law.
[1] Kimiko de Freytas-Tamura, The Bright-Eyed Talking Doll that Just Might be a Spy, The N.Y. Times (Feb. 17, 2017).
[2] Lisa R. Lifshitz, Smart Toys: Smart or Just Creepy?, http://www.canadianlawyermag.com/6377/Smart-toys-smart-or-just-creepy.html (Mar. 13, 2017); David Moye, Talking Doll Cayla Hacked to Spew Filthy Things, https://article.wn.com/view/2015/02/09/Talking_Doll_Cayla_Hacked_To_Spew_Filthy_Things/ (Apr. 11, 2017).
[3] See Moye, supra note 2; Can You Trust Your Children’s Toys?, Anderson + Wanca, http://www.andersonwanca.com/blog/2017/03/10/can-your-trust-your-childrens-toys/ (Mar. 10, 2017).
[4] Janis C. Kestenbaum, Privacy in the Age of Connected Toys, Inside Counsel, http://www.insidecounsel.com/2017/04/10/privacy-in-the-age-of-connected-toys (Apr. 10, 2017).
[5] Id.
[6] Kat Sieniuc, FTC to Look into Toys that Spy, Law 360, https://www.law360.com/articles/880365/ftc-to-look-into-toys-that-spy (Jan. 12, 2017).
[7] Id.
[8] Id.
[9] Complaint at 2, In re: Genesis Toys and Nuance Communications, https://epic.org/privacy/kids/EPIC-IPR-FTC-Genesis-Complaint.pdf (Dec. 6, 2016).
[10] See Sieniuc, supra note 6.
[11] Madison Moore, Senate Lawmaker Asks FTC for Answers on Recent Children’s IoT Breaches, http://sdtimes.com/senate-lawmaker-asks-ftc-answers-recent-childrens-iot-breaches/ (Mar. 30, 2017); See also Anderson + Wanca, supra note 3.
[12] See Moore, supra note 11; See also Anderson + Wanca, supra note 3.
[13] See Anderson + Wanca, supra note 3.
[14] Id.
[15] See Moore, supra note 11; see also Lifshitz, supra note 2.
[16] See Lifshitz, supra note 2.
[17] Daniel Victor, Security Breach at Toy Maker VTech Includes Data on Children, The N.Y. Times (Nov. 30, 2015).
[18] Bill Chappell, Banned in Germany: Kids’ Doll is Labeled an Espionage Device, http://www.npr.org/sections/thetwo-way/2017/02/17/515775874/banned-in-germany-kids-doll-is-labeled-an-espionage-device (Feb. 17, 2017).
[19] Id.
[20] Id.
[21] Id.
[22] See de Freytas-Tamura, supra note 1.
[23] Id.
[24] See Moore, supra note 11.
[25] Id.
[26] Id.
[27] Introducing Party Time, https://www.myfriendcayla.com/cayla-partytime (last visited Apr. 11, 2017).
[28] Kenneth R. Ginsburg, The Importance of Play in Promoting Healthy Child Development and Maintaining Strong Parent-Child Bonds, http://pediatrics.aappublications.org/content/119/1/182 (last visited Apr. 11, 2017).
