EPIC takes aim at IoT toys Cayla and i-Que that spy on kids, files complaint with FTC

EPIC claims that the Cayla doll and i-Que robot put kids under surveillance and violate federal law.

The Electronic Privacy Information Center (EPIC) is calling upon the Federal Trade Commission (FTC) to take action against “toys that spy” and violate federal privacy law. In particular, EPIC has issues with My Friend Cayla dolls and i-Que Robots which “subject young children to ongoing surveillance.”

EPIC – along with the Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, and Consumers Union – is working “to ban these toys from the marketplace.”

The internet-connected toys are designed “to record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information.” EPIC’s complaint (pdf) states, “The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States.”

Both the toy manufacturer, Genesis Toys, and Nuance Communications – the company responsible for the speech recognition technology used in the toys – are violating the Children’s Online Privacy Protection Act (COPPA), EPIC said, by “unfairly and deceptively” collecting, using and disclosing audio files of kids’ voices “without providing adequate notice or obtaining verified parental consent.”

Both toys use a Bluetooth microphone and speaker and come with a mobile app. Neither app makes clear what granting those and other hardware permissions actually allows; the i-Que app goes a step further by requiring access to the device’s camera without explaining why.

Kids with Cayla dolls may start asking their parents for Disney products or for a vacation to Disney World or Disneyland, since young children may not realize that the doll’s repeated references to them among its “thousands of kid-friendly topics” are actually advertising worked into the toy’s conversations.

The Cayla companion app asks for the following “child’s information” – name, mom and dad’s names, favorites such as TV show, meal, toy and princess, as well as where the child attends school. The app also wants kids to set their physical location. The Privacy Policy says the personally identifiable information collected may be used for targeted advertising.

Additionally, Genesis’s Privacy Policy says that both the Cayla and i-Que apps collect IP addresses. The Terms of Service for the toys say that when a child speaks to the toy, the voice recording “is stored on a Nuance Communication or IVONA server in the cloud.” The audio files and text transcriptions are collected, supposedly to enhance and improve services, without exactly spelling out how else the voice data will be used.

EPIC points out that “biometric solutions sold to military, intelligence and law enforcement agencies” are among Nuance’s services and products. Another ToS section for Cayla says the collected speech data will be used by the companies mentioned, as well as by third parties, “to tune, enhance and improve the speech recognition and other components of the Services, and other services and products.”

Users can request their data be deleted by Genesis, but the company may need to hang onto the data for legal or business purposes. Genesis doesn’t even promise that it will be able to delete all “residual” data.

As for Terms of Service for U.S. consumers, the Cayla app shows it once in a pop-up right after the app is downloaded. The Terms are about 3,800 words presented in tiny font which must be agreed to before continuing.

The Privacy Policy for Cayla and i-Que advises kids to check the website for any potential changes “so you may wish to check it each time you submit personal information to us.” Riiiight, like that is really going to happen each time before a child utters a word to his or her personal surveillance toy. Cayla’s Terms of Service also advise checking for changes regularly.

This is quite the kicker; Nuance’s Privacy Policy states: “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us.” Since the toys are made for kids, wouldn’t that pretty much mean the entire audience should not be sending the information, which is sent automatically whenever the toys are used?

In another place, users under 13 are required to have parental or guardian consent, but downloading the app is enough to be considered as consent.

Before EPIC’s legal analysis, which covers how the companies are violating COPPA and the FTC Act, the complaint lists a plethora of security and privacy issues, such as no protection against unauthorized Bluetooth pairing: any tablet or smartphone within 50 feet can establish a Bluetooth connection to a toy if it is not paired with a device immediately upon being powered on.

Earlier this week, the Norwegian Consumer Council published a scathing “toy fail” report (pdf) about the privacy and security failures of the Cayla doll, the i-Que robot and Hello Barbie. The 19-page technical analysis (pdf), which dives into man-in-the-middle attacks, also covers hardware and app permissions. You are welcome to read the report, or you can take about a minute out of your busy day to watch this video, which shows how the toys can be used for eavesdropping.

It remains to be seen what will come out of EPIC’s complaint to the FTC, but if you enjoy privacy, then it seems wise to steer clear of these IoT toys.

Copyright © 2016 IDG Communications, Inc.