A child poses with a Lego Boost set, a predicted top seller this Christmas, at the Hamleys toy store in London, Britain, October 12, 2017

commentary

(The RAND Blog)

December 21, 2017

A Smart Toy Could Have Personal Details for Life, Not Just for Christmas


Photo by Toby Melville/Reuters

by Erik Silfversten

Each Christmas, the average child aged nine and under receives around £350 worth of toys. In recent years, toys have become more sophisticated, computerised, and connected, but this has led to increasing privacy and security concerns. The big question for parents is how they can know whether these 'connected' Christmas gifts are actually safe and secure.

Families are increasingly using so-called smart or connected devices to facilitate everyday tasks and services. You can turn off the light using your smartphone, ask your chosen voice assistant for the latest football scores, or have your fridge notify you when it is time to restock your favourite food items.

Similarly, children are increasingly engaging with smart or connected toys that can listen, talk, and interact. As technology evolves, it is only logical that children's toys will become more and more computerised and connected to the internet.

Smart toys offer a range of features and opportunities for interactive play and education. However, when toys make the transition from being an action figure or doll to being a child's interactive friend with the ability to collect personal data and provide external information, it becomes necessary to ensure that parents are informed and have confidence in their security and privacy safeguards.


Smart toys are already able to engage in real-time tracking of children, direct communication with children, and storage of personal data including names, photos, and voice recordings. And many consumers could be led to assume that strong safeguards and security measures are already in place. However, recent reviews of smart toys have prompted concerns and many of these types of devices have been found to lack sufficient security measures.

Parents have been urged to boycott popular toy manufacturer VTech following a serious hacking incident, Germany recently banned several types of children's smartwatches due to privacy concerns, and recent reviews from the Norwegian consumer council found that several of the internet-connected smart toys tested failed “miserably when it comes to safeguarding basic consumer rights, security, and privacy.” The issues include flaws in embedded security, terms and privacy agreements, and data security.

This is problematic, as a lack of security might mean that a user can take control of a device from afar using just a mobile phone, making it possible to communicate with and listen through the device without having physical access to it.


Children are vulnerable consumers who often do not understand exactly how a smart toy works and what risks it may pose. For example, a study on children's engagement with smart toys revealed that many children did not realise that the toys were recording or that the recordings of their interactions with the toy could be available to others.

Clear user agreements and terms of use are therefore essential for parents to ensure that children understand their toys and that parents have sufficient control over what data is collected and how it is used. However, many smart toys have unclear or missing terms that do not ensure parental consent, do not notify parents if the terms change, and do not make it clear what personal data is collected, transmitted, and stored.

The review of smart toys by the Norwegian consumer council also found questionable or insecure data protection practices, and that many smart toys transmitted personal data to servers outside of Europe (sometimes even without encryption), shared personal data with third parties for marketing purposes, and used personal data for other questionable purposes. In many toys capable of voice recognition, everything the child tells the toy is transmitted to external data processing companies, which may reside outside of the EU.

It is highly likely that smart toys will only increase in popularity in the future. While parents can take proactive steps to assist their child when using these toys, manufacturers could seek to design more secure products with proper privacy and security safeguards. Regulation can also play a role in achieving more secure products. In the United States, the Children's Online Privacy Protection Rule has been extended to smart toys, while in the EU, the General Data Protection Regulation will most likely have a positive effect on smart toy privacy and data security.

Parents should not feel the need to avoid buying smart toys during the holiday period, particularly if they are at the top of their children's Christmas wish lists. However, the security and privacy risks are definitely things for parents to be wary of as children enjoy their smart toys through the Christmas period and beyond.


Erik Silfversten is an analyst at RAND Europe whose specialist area is cybersecurity. The op-ed is based on analysis that originally appeared on the Observatory for a Connected Society.

This commentary originally appeared on The RAND Blog on December 21, 2017. Commentary gives RAND researchers a platform to convey insights based on their professional expertise and often on their peer-reviewed research and analysis.