Calling military contractors “defense” contractors can be an exercise in propaganda. These are often companies that make countries less safe, through the retaliation that results from promoting a militaristic philosophy that breeds terrorism overseas. With that noted, Consumerist has a report on the title of this post.
Kids say a lot of random, unsolicited, or just plain personal things to their toys while playing. When that toy is stuffed with just fluff and beans, it doesn’t matter what the kid says: their toy is a safe sounding board. When their playtime companion is an internet-connected recording device that ships off audio files to a remote server without even notifying parents — that’s a whole other kind of problem.
According to a coalition of consumer-interest organizations, the makers of two “smart” kids toys — the My Friend Cayla doll and the i-Que Intelligent Robot — are allegedly violating laws in the U.S. and overseas by collecting this sort of voice data without obtaining consent.
In a complaint [PDF] filed this morning with the Federal Trade Commission, the coalition — made up of the Electronic Privacy Information Center (EPIC), the Campaign for a Commercial-Free Childhood (CCFC), the Center for Digital Democracy (CDD), and our colleagues at Consumers Union — argues that Genesis Toys, a company that manufactures interactive and robotic toys, and Nuance Communications, which supplies the voice-parsing services for these toys, are running afoul of rules that protect children’s privacy and prohibit unfair and deceptive practices.
Researchers studied the way the toys work, the complaint continues, and it turns out that they send audio files to a third party: Nuance Communications’ servers at the company’s headquarters in Massachusetts.
Nuance is a giant company best-known — to consumers, at least — for its Dragon-branded suite of speech-to-text dictation software. The company also has a significant presence in healthcare dictation, and is — like more large corporations than you’d think — a defense contractor that sells products, including “voice biometric solutions,” to military, intelligence, and law enforcement agencies.
It continues, “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us.”
If you suddenly find yourself thinking: “but wait! Aren’t toys marketed for ‘ages 4 and up’ mostly going to be used by kids under age 18?” then you and the complaint are on the same track.
Because yes, there is a law that governs how you can collect kids’ data and what you can do with it. It’s called COPPA, the Children’s Online Privacy Protection Act of 1998.
That rule says, among other things, that companies gathering children’s data have to provide notice to, and obtain consent from, parents about their privacy practices; that they have to permit parents access to review their kids’ data or have it deleted; and that they need to give parents the option of letting their kids’ data be used internally but not shared with third parties. And those are things that Genesis and Nuance are not doing, the complaint alleges.
Similarly, Cayla’s Terms of Service are not available on the website or in the app; they only show once, as a pop-up, the first time you open the app — preventing anyone from going back and reading them later.
It also says “you should look at the website regularly to check” if anything has been updated, which, as the complaint points out, is pretty useless when the terms of service aren’t viewable on the website to begin with.
Even if you can by some miracle read the terms of service, the complaint points out, it’s still not in line with what COPPA actually requires.
The app does specify that “as required by law, parental approval is required for the download of the App by any persons who are under 13 years old.”
It continues, “By accepting these terms, you (as the parent or guardian) have provided your consent to all the terms and conditions detailed in these Terms, including the collection of personally and non-personally identifiable information.”
That’s in the giant wall of text (3,800 words) that users see with an “agree” button the first time they install the app, and never again. Other than that, the complaint alleges, “Genesis does not take any other steps to verify parental consent to the collection, use, and disclosure of children’s voice recordings or other personal information” by the toys.
Then the third parties come in: because of the other work Nuance Communications does, some of the 30 million voice prints it claims to have access to — for the purpose of enhancing its ability to parse and analyze audio files on behalf of law enforcement — may well be generated by eavesdropping dolls.
If true, that’s yet another COPPA no-no, the complaint alleges, because it has “actual knowledge” that it is “collecting and maintaining personal information from a child” when it pulls in the toys’ audio files, and it has not obtained parental consent to do so.
And on top of all that, the toys’ connections are just plain insecure. Basically anyone searching for nearby Bluetooth devices can easily connect to them, as this video and report [PDF] from the Norwegian Consumer Council show.
The Norwegian researchers’ technical report [PDF, in English] also found that some queries, like ones that made the toys connect to Weather Underground, were using insecure HTTP connections that can easily be subjected to a man-in-the-middle attack if someone were so inclined.
The researchers were able to use free apps in order to turn both the doll and the robot into recording devices, and were able to use the toys as a two-way handset by calling the phone to which they were connected. “This is very easy and requires little technical know-how,” the researchers added.
These aren’t the first toys to catch heat for spying on the children who play with them, of course; last year, Hello Barbie brought home the annual “TOADY” worst toy award over similar concerns.
But Hello Barbie, the technical report points out, at least requires the user to hold down and activate the microphone before it records. Cayla and i-Que, on the other hand, are basically always listening.
“With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices,” Claire T. Gartland, Director of the EPIC Consumer Privacy Project, said in a statement. “The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain. … It is extremely alarming that what a child says to her ‘trusted’ friend could end up in a voice biometrics database sold to law enforcement and intelligence agencies.”
“As more toys are connected to the Internet, we have to ensure that children’s privacy and security are protected,” added Katie McInnis, technology policy counsel for our colleagues down the hall at Consumers Union. “When a toy collects personal information about a child, families have a right to know, and they need to have meaningful choices to decide how their kids’ data is used. We strongly urge the FTC to investigate these companies, stop the deceptive practices, and hold them accountable.”