'Spy' toys put data protection and child safety at risk

Come December 25, there will no doubt be many a new doll lying under a Christmas tree. Either one that walks, one that talks, or one that cries or laughs. So at 50 centimeters tall, a blonde-haired, blue-eyed doll - sporting a denim jacket and pink skirt no less - should seem quite harmless.

But according to EU and US consumer watchdogs, "My Friend Cayla" is just one doll among a group of toys that can reportedly "spy" on children and their homes, breaching a whole plethora of privacy and data protection laws in the process.

When connected to a special app via Bluetooth, children can ask the doll questions. The speech is then converted into text and the app searches for a suitable answer on the internet, enabling the toy to respond.

But now the European Consumer Organization (BEUC) and US groups such the Electronic Privacy Information Center (EPIC) have filed complaints against manufacturers Mattel and Genesis Toys, targeting so-called "smart toys," including My Friend Cayla, the i-QUE Intelligent Robot and Hello Barbie.

"By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information," EPIC and other US watchdogs said in their complaint.

According to the Norwegian Consumer Council, which researched the smart toys, "anything the child tells the doll is transferred to the US -based company Nuance Communications, who specialize in speech recognition technology."

The Council also found that the toys subjected children to hidden marketing. Thanks to pre-programmed phrases, smart doll "Cayla" is particularly fond of telling her new playmate how much she loves Disney films. It therefore comes as little coincidence that the app-provider for the doll also has a commercial relationship with Disney.

Potential for misuse

Data protection expert at Intersoft Consulting, Dr. Nils Christian Haag, told DW that the potential for the misuse of these toys is huge.

"As toys develop and use more technology, it's important that more time is also put into safeguarding these products," Haag said.

"There must at least be clearer information with these products about which data will be passed on, where it will be sent and what it could be used for," he added, referring to the complicated and lengthy terms and conditions accompanying toys such as "Cayla."

Haag reiterated, however, that when using Bluetooth on any device, the potential is always there for hackers to connect.

"The recommendation for smartphones is to turn off your Bluetooth function whenever you don't need it," Haag said.

The company "Vivid," which sells "Cayla" and "i-QUE" in Germany, did not immediately respond to DW's request to comment on the toy's current safety protocol. The company's website states, however, that there are four safety levels "to enable children to play safely."

Invasion of child privacy

According to the BEUC, data protection isn't the only thing at risk when using "smart toys."

Citing the study commissioned by the Norwegian Consumer Council, the BEUC said: "With simple steps, anyone can take control of the toys through a mobile phone. This makes it possible to talk and listen through the toy without having physical access to the toy."

Luise Schmidt, head of culture and media at the German Aid Organization for Children (Deutsche Kinderhilfswerk), told DW that the "smart toys" leave a huge gap in child safety.

"You don't have to be an expert to be able to connect to something via Bluetooth," Schmidt said, adding that the ease leaves the door open to cyber grooming or bullying.

These smart toys also present a violation of privacy, Schmidt said. According to Article 16 of the UN Convention of the Rights of the Child, every minor has the right to privacy. However, with some of the "smart toys," parents can access the app and listen back to what their child has been saying or asking.

"Children often confide in their toys and dolls," Schmidt said. "They tell them things that they might not necessarily want to tell their parents.

"So being able to listen back to their conversations is a clear violation of a child's right to privacy," she added.

Toys 'unfit for the market'

Added to the list of problems, is the long-term purpose of the saved voice recordings, which also remains unclear. Schmidt warned, however, that the data risks being used in future to create an entire profile.

"Everything is connected," she said. "Recordings from the dolls, IP addresses, photos uploaded online by parents - everything could be gathered into one folder," Schmidt warned. "Whether the child - when they're older - likes it or not."

Instead of turning to "Cayla" for life's answers, Schmidt encouraged parents to always accompany their children when surfing the internet.

"These toys just shouldn't be on the market," she said.