The spy under your christmas tree


In the past few years, makers of internet-enabled toys have made the headlines multiple times, but not in a good way. Privacy and data protection clearly is not the highest priority in this sector. In Germany, the sale of some of those toys has already been banned after they were classified as concealed surveillance devices. Still, on Christmas day connected and smart toys are again going to be under many Christmas trees this season.

There has been little change to the trend this year. The demand for smart and interactive toys is still booming and toy makers do their utmost to meet those demands. To achieve this, they often have the best intention to include features which are useful and not at all bad or in any way negative as such. The baby monitor of old is crossed with a teddy bear so parents can make sure that the monitor is always close to their child. However, what started off as a good and noble idea, causes privacy advocates a lot of lost sleep. In many cases, Bluetooth or cloud connections are insecured properly so the teddy bear becomes a "spy without a cause". Furthermore, connected toys also upload data to a cloud platform of the toy maker - and some of those platform were shown to have  catastrophically bad security.
Many parents trust the devices to be sufficiently secure. The past, however, has shown ample evidence to the contrary - in a lot of cases the "internet of toys" turns out to be far less secure than parents would want it to be for their children.

The following information only describes the situation in Germany. According to German law, a "concealed eavesdropping device" is "any device which disguises its external appearance to look like a different item or an item of everyday use, and which is specially designed to covertly listen to any non-public speech" (§90 Telecommunications act).
Therefore, if you put a microphone or a camera into an items like a pen - or a teddy bear - you are contravening said law. The devisive factor is that those devices are designed to listen to someone speaking in another room. In Germany, spoken words enjoy special protection under the law, especially if that speech is not public (i.e. taking place in a public place with other people in attendance).
Violations of the Telecommunications Act are not investigated or prosecuted by the Federal Network Agency - this is the responsibility of law enforcement authorities. Should they become aware that a device which is illegal under the above law, they can start investigating the buyers and prosecute them.

Some countries have already taken action concerning toys that can be abused as eavesdropping devices. In Germany, the Federal Network Agency has categorized a particularly unsafe toy doll as a "concealed eavesdropping device", the sale and possession of which is prohibited under the Telecommunications Act (see text box). More and more toys and other items intended for children are coming to market and many of them have functionalities that could land them in hot water. The biggest problem in my opinion is that through those toys, young people are getting used to being under surveillance all the time, be it through their teddy bear or a „Smart watch for kids", (source in German), the sale of  which has also been banned. On a related note: there is one case from 2006, when authorities investigated individuals who purchased the "Teddycam" bear. This was sold via a TV home shopping network. 

Especially now, during a time where surveillance by the state and the effective outlawing of anonymity on the web in some countries are a hotly debated topic, buying such toys sounds like a very strange thing to do. Some measures are off limits for the state for a number of reasons and privacy advocates are constantly campaigning to bring this to the attention of the public. Yet at the same time, many seem to be perfectly fine with total private surveillance. The demand for those toys suggests that "all is fair" when it comes to children.

What parents should look out for in smart toys

Improperly secured cloud platforms are one of the biggest problems when it comes t internet-enabled toys. Therefore, parents should check and make sure that a "smart" toy meets the following criteria:

  • any data must be transferred using a sufficiently secure encryption method
  • a well-secured web portal is in place (if one is offered); steer clear of portals such as the one of Spiral Toys and their "Cloud Pets" 
  • Never use a password that is either too simple (e.g. "123456" oder "password") or has a preconfigured password
  • Carefully evaluate if and to what extent you want to put personal data into the respective cloud platform

For each smart toy the same rules apply as to any other mobile device: the device itself or the cloud platform behind it might be hacked and abused. In a worst-case scenario, criminals might know where a child lives, where it goes to school / kindergarten, the names of the parents etc - or even eavesdrop on the child and use the use that information for criminal purposes. Contrary to what you can do with your smartphone or PC, it is usually difficult to obtain and install security updates for a toy.
If you have no other choice but to get that smart teddy bear, connected doll or that funny talking bird: Do some research to find out about the maker's track record for provacy and data protection - even if this is not always the simplest of tasks.