Call for privacy probes over Cayla doll and i-Que toys By Chris Baraniuk

Technology reporter Published duration 6 December 2016

image copyright Getty Images image caption The My Friend Cayla doll has been shown in the past to be hackable

The makers of the i-Que and Cayla smart toys have been accused of subjecting children to "ongoing surveillance" and posing an "imminent and immediate threat" to their safety and security.

The accusations come via a formal complaint in the US by consumer groups.

They, along with several EU bodies, are calling for investigations into the manufacturers.

Genesis Toys, which makes the products, has not responded to a request for comment.

Nuance Communications, the firm that provides speech recognition software for the products, said it takes data privacy seriously.

The firm is a subject of the US complaint, filed with the Federal Trade Commission, but said it had "adhered to our policy with respect to the voice data collected through the toys referred to in the complaint".

"Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers," spokesman Richard Mack said.

In addition to the data protection concerns, a hack allowing strangers to speak directly to children via the My Friend Cayla doll is still possible.

image copyright Getty Images image caption Consumer groups also scrutinised the i-Que robot toys, made by the same manufacturer

The Norwegian Consumer Council also assessed the toys and their terms and conditions. They found the products lacking and potentially in breach of advertising regulations.

"It's quite disturbing because the company reserves the right to direct marketing towards kids," said Finn Myrstad, technical director of digital services at the council.

In January 2015, the BBC and security researcher Ken Munro, at Pen Test Partners, revealed the vulnerability in Cayla's software that allowed the doll to be hacked.

And Mr Myrstad said it appeared the problem had not yet been fixed, nearly two years later.

According to the US complaint, the doll prompts children to provide personal data verbally - including their parents' names, the name of their school and the place where they live.

It also says the toys allow unauthorised Bluetooth connections from any phone or tablet within 50ft (15m).

The Norwegian Consumer Council has now filed its own complaints to three authorities in Norway, including the consumer protection ombudsman.

Further complaints from other bodies are to be filed in France, Sweden, Greece, Belgium, Ireland and the Netherlands.

media caption Rory Cellan-Jones sees how Cayla, a talking child's doll, can be hacked to say any number of offensive things.

Mr Myrstad added that he was concerned the manufacturers also reserved the right to change the terms and conditions at any time.

"We think this is particularly worrying because we're dealing with recordings of voice - kids' data," he told the BBC.

"How the data's collected how it's stored and shared - all of that appears to be almost entirely unregulated," said Rik Ferguson, a researcher at security firm Trend Micro.

"And the parents are certainly not made aware in any comprehensible fashion of the extent of data that's collected or how it may be used in the future."