Christmas and connected toys: How to protect the privacy of our children?
What are the risks of connected toys and how can you protect yourself against them?
While the end-of-year celebrations are a source of joy for adults, it is a period that is especially eagerly awaited by children, who are impatient to discover their new toys. It is a growing market worth more than 3 billion euros each year in France. And expectations are changing; to adapt to the 90% of children under the age of two who have already mastered a tablet or a smartphone, manufacturers are taking inspiration from trends that appeal to adults and are now offering connected objects.
There will be more than 26 billion of them by 2020, an average of 10 per household. The number of connected toys sold worldwide was estimated at 224 million units in 2017. The turnover of these sales could triple by 2022 to reach 15.5 billion dollars, compared to 4.9 billion in 2017. Equipped with sensors to measure biometric or environmental data, geolocation systems, voice recognition via microphones, or even cameras, these toys connect to the web and to their own applications via Wi-Fi and Bluetooth.
Their control often requires the opening of an online user account allowing the storage of captured and recorded data. Drones, controllable rolling machines or intelligent dolls, while most of them can be valuable tools for keeping children awake and looking after their health, they are still a source of concern for parents, 57% of whom are worried that their children are too often connected, and 20% of whom fear repercussions on their health. Concerns which, in some cases, are not totally unfounded…
Some worrying cases
The CNIL recently gave notice to the Hong Kong company GENERAL INDUSTRIES LIMITED to secure its two connected toys “Mon amie Carla” and robot “I-QUE” within two months, following various tests revealing that they were insufficiently secure. Any smartphone within a radius of 9 metres could connect to them and use them as microphones or speakers. The Nuance application, which is required for any interaction with these models, recorded every conversation and collected registration information. Data that could be passed on to third parties or used for commercial purposes without the users’ knowledge.
However, far from being isolated, such cases seem to be frequent since two scandals broke out in 2015: the highly contested release of Mattel’s “Hello Barbie” doll, where the slightest interaction with a child was stored on a server and exploited for various purposes. The second incident was the hacking of servers of the Hong Kong company VTech, a manufacturer of educational consoles, which was the victim of a theft of data concerning 200 000 children. In the United States, Mattel was reprimanded for a second time in 2017, to the point of having to abandon a project for connected speakers for children under pressure from public opinion and a petition gathering more than 15 000 signatures. Unlike France, which has not yet banned such toys, Germany banned the marketing of connected watches for children aged 5 to 12 with remote listening functions on 17 November 2017.
Even online retailers such as Ebay and Amazon have taken a hard line by withdrawing connected plush toys from the Cloudpets brand after databases were found to store information on more than 800,000 of their users, which could be accessed without any passwords. The cuddly toys themselves could also be easily hacked and used as bugs. Such practices, which obviously do not concern all models of connected toys on the market, are not harmless and can have serious implications…
Security at risk
If all these recordings and data put at risk the privacy of all owners of connected toys, parents themselves can use them to monitor and locate their children abusively, to the point of infringing on their privacy by multiplying intrusions, even to the point of listening to teachers. Advertisers are also interested in it to propose more and more personalized offers. When used in inappropriate ways, this information can easily be used for kidnapping, harassment or fraud: precise data about a child is worth between 30 and 40 dollars on the black market, compared to only 20 dollars for an adult profile. A Carnegie Mellon University study found that 10 percent of stolen children’s Social Security numbers were associated with fraud, 10 times more than those of adults. As a recent report from the UK’s Commission for Child Protection points out, “we have no idea what all this information will do to our children’s lives“, so it’s important to use such items with care, but also to choose them well to be safe from any failures.
How to choose the connected toy?
- Does a physical access button or a password secure its connection?
- Does it have an indicator light when it records and transmits information?
- Is it already known to have a flaw, or is it not well known? Find out.
- Can data and records be deleted regularly?
- Is it adapted to the child’s age?
- Have you taken the time to get informed by reading the instructions for use?
For a secure grip :
- Protect your wifi connection and access to your smartphone with a password.
- Change the default settings and passwords of the toy. Always use different and complex access codes.
- Register using pseudonyms, fake birth dates, give as little information as possible and create an email address dedicated to the use of the toys.
- Disable unnecessary features, such as sharing on social networks.
- Perform regular security updates.
- Accompany the child in the handling of the toy.
- Do not let the child take pictures of someone without their consent.
- Do not let the child use the connected toy without supervision.
- Turn it off after use.
- Store it properly, do not leave it lying around in common rooms.
- Completely erase all data and recordings when not in use.
Of course, connected toys are far from the only threats to the personal data of young people. In April, a U.S. study by the International Computer Science Institute highlighted the tendency for about 57 percent of children’s apps offered on the Google Play platform to harvest users’ personal data without any informed consent. A report by the UK Office of the Children’s Commissioner also reveals the overexposure of young people on social networks, due in part to parents who post an average of 1,300 photos of their children before they turn 13. Until children are old enough to protect their privacy, it is up to parents to remain vigilant and take the necessary precautions. It should not be forgotten either that a right to erase data can be exercised at any time. In short, just as it is a good idea to tidy up your room after playing, it is also a good idea to put your personal data in order. For good holidays that stay in the family!