Your Kid’s Toys may be Spying and Reporting to a Defense Contractor

December 22, 2016



When you buy a new toy for your kids, you probably have some realistic expectations. If it needs batteries, it probably won’t come with them. A barely-upgraded version will likely be on store shelves by February. One expectation that most of us don’t have is that our kid’s toys are listening and reporting everything they hear to a defense contractor.

In a tale that’s more 1984 than Toy Story, two popular holiday toys may be doing just that.

The My Friend Cayla and i-Que Intelligent Robot look like traditional gifts for boys and girls, but with a unique tech twist: they can connect via Bluetooth to a smartphone or tablet app so the doll can “converse more naturally” with the child.

No wait, it gets even creepier.

When setting up the dolls for the first time, the apps ask for multiple pieces of information, including the names of the child and parents, their school name and home town. The app also requests access to location settings and IP addresses.

So far, this doesn’t appear out of the ordinary in a world where coffee makers and washing machines can connect to the Internet. But researchers who have studied the toys learned that the dolls are not only always listening, they are also sending the audio files to a third party: Nuance Communications.

For those of you who are unfamiliar with Nuance, they’re the tech company behind the Dragon suite of speech-to-text dictation software. They are also a sizeable defense contractor who provides software to law enforcement, intelligence and military agencies.

This practice of collecting data is laid out in Nuance’s general privacy policy, and states that the company may use the information they collect for internal purposes to develop, tune, enhance and improve their products and services. However, privacy policies on the dolls themselves are questionably difficult to find. They appear as a pop up the first time the app is launched but, as of The Consumerist’s original report, are not available to view on the website or app once the initial terms have been accepted.

But having your children’s playtime audio sent to a major tech company is only part of the issue. The researchers who investigated these toys found that their Bluetooth connections are potentially insecure, letting nearby people search for available Bluetooth signals and connect to the toys remotely. This would give them full access to the toys, and allow them to hear whatever the microphone detects and speak directly through the doll.

I told you it got creepier.

Unsurprisingly, the toys have caused an uproar with consumer protection groups. The Electronic Privacy Information Center (EPIC), Center for Digital Democracy (CDD), and the Campaign for a Commercial-Free Childhood (CCFC) have jointly filed a complaint with the Federal Trade Commission, and the Norwegian Consumer Council have released a video alerting consumers to the potential risks:

As a parent, keeping your kids safe is the number one priority. But in a constantly connected, Internet of Things world, that seems to get harder by the day.


Your Comment