FTC complaint highlights growing threats from Internet-connected toys

By Kenneth Merrill

For years the Internet of things (IoT) has consistently been cited as one of the next big issues looming on the tech policy horizon. With a recent complaint filed by a group of privacy and consumer protection groups at the Federal Trade Commission (FTC) highlighting risks posed to children by Internet-connected toys, it seems the IoT’s time has come.

According to the complaint filed in December by a coalition of privacy and consumer groups, the My Friend Cayla and i-Que Intelligent Robot dolls, manufactured by U.S.-based Genesis Toys, eavesdrop on children by “recording and collecting the private conversations of young children without any limitations on collection, use, or disclosure of this personal information.” The complaint also charges Massachusetts-based voice recognition company Nuance Communications, which stores and processes the audio conversations, with using the data to market products and services to children as well as selling the data to third-parties for behavioral marketing purposes.

The dolls, which are available widely in the U.S. and abroad, instruct customers to download a mobile application that allows parents to listen and communicate with the child. But as the Norwegian Consumer Council discovered, following an in-depth legal and technical analysis of Internet-connected toys, the bluetooth enabled toys also allow strangers to covertly eavesdrop on children, creating “a substantial risk of harm because children may be subject to predatory stalking or physical danger.”

In particular, the complaint argues that the companies are in violation of FTC regulations and the Children’s Online Privacy Protection Act (COPPA), which regulates the collection of children’s personal information by online service operators. Here the privacy groups charge Genesis Toys with failing to provide adequate notice to parents regarding the collection and transmission of children’s audio conversations; failing to obtain consent for recording and collecting conversations; deceiving parents and children as to the nature of the recordings; and failing to comply with deletion and data retention regulations.

“With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices,“ said Claire T. Gartland, Director, EPIC Consumer Privacy Project. “The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain.”

But with an incoming president who vowed during the campaign to “cut regulations by 75%,” consumer advocacy groups are drawing on coordinated international consensus in an effort to establish norms regarding the IoT and children. “While it is unclear how the new Trump administration will handle any regulatory issues, we do have a tradition in the U.S. of protecting children from unfair and manipulative practices in the digital environment,” explains Kathryn Montgomery, Professor and Chair of the Communication Studies Department at American University (currently on sabbatical), adding that these protections include COPPA, “a law that has been in place for nearly a decade and that government and industry alike have embraced and continue to support.”

And of course it is not just children that are susceptible to violations of privacy and security at the hands of the ever-expanding IoT market. AU and the Center for Digital Democracy released a major study last month, funded by the Robert Wood Johnson Foundation, on the privacy and consumer protection concerns raised by the proliferation of health and fitness wearables.    

This comes on the heels of a massive distributed denial of service attack in October that harnessed an army of hacked internet-connected devices, including baby monitors, cameras, and routers, to flood the servers of Dyn Research, a DNS service that provides domain name resolution services for a host of Internet services, disrupting and in some cases halting Internet traffic on such services as Google Maps, Facebook, and Twitter. As The New York Times wrote following the attack, “It is too early to determine who was behind Friday’s attacks, but it is this type of attack that has election officials concerned. They are worried that an attack could keep citizens from submitting votes.”