These Toys Don’t Just Listen To Your Kid; They Send What They Hear To A Defense Contractor

Kids say a lot of random, unsolicited, or just plain personal things to their toys while playing. When that toy is stuffed with just fluff and beans, it doesn’t matter what the kid says: their toy is a safe sounding board. When their playtime companion is an internet-connected recording device that ships off audio files to a remote server without even notifying parents — that’s a whole other kind of problem.

The TL;DR Version

• The My Friend Cayla and i-Que toys listen, record & send voice data to a defense contractor specializing in voice-recognition.

• The terms of service & privacy policies for these toys are difficult to find, and can be changed without notice.

• These practices may violate rules governing the collection & use of online data obtained from kids.

• Researchers claim that the devices are easily hacked to either intercept data or to turn the toys into remote listening devices.

• A coalition of consumer and privacy advocates has petitioned the FTC to investigate these toys and put an end to these practices.

• More information about the #toyfail campaign can be found here.

According to a coalition of consumer-interest organizations, the makers of two “smart” kids toys — the My Friend Cayla doll and the i-Que Intelligent Robot — are allegedly violating laws in the U.S. and overseas by collecting this sort of voice data without obtaining consent.

In a complaint [PDF] filed this morning with the Federal Trade Commission, the coalition — made up of the Electronic Privacy Information Center (EPIC), the Campaign for a Commercial-Free Childhood (CCFC), the Center for Digital Democracy (CDD), and our colleagues at Consumers Union — argues that Genesis Toys, a company that manufactures interactive and robotic toys, and Nuance Communications, which supplies the voice-parsing services for these toys, are running afoul of rules that protect children’s privacy and prohibit unfair and deceptive practices.

We’re Listening

These particular toys — basically a “girl” and “boy” theme on the same core idea — both use voice recognition tech to “listen” to the kids that play with them.

They connect via Bluetooth to a mobile phone app, usually belonging to a parent, and then from there access the internet in order to interact with kids and answer their questions. To accomplish that feat, the apps record and collect conversations between the toys and the kids, and use speech-to-text protocols to turn kids’ questions into searchable queries.

Getting Personal

When users first set up the app for their toy, they may be sharing data you don’t want shared. Cayla in particular asks for multiple pieces of personal information — the child’s name, their parents’ names, their school name, their hometown, among other questions — so it can converse more naturally. The app also allows for location setting, and both the Cayla and i-Que apps collect users’ IP addresses.

So far this is pretty straightforward. The Terms of Service for both toys say that they collect data in order to improve the way the toys work, and for “other services and products.”

Researchers studied the way the toys work, the complaint continues, and it turns out that they send audio files to a third party: Nuance Communications’ servers at the company’s headquarters in Massachusetts.



Who Is Nuance?

Nuance is a giant company best-known — to consumers, at least — for its Dragon-branded suite of speech-to-text dictation software. The company also has a significant presence in healthcare dictation, and is — like more large corporations than you’d think — a defense contractor that sells products, including “voice biometric solutions,” to military, intelligence, and law enforcement agencies.

And here’s where it starts to get more complicated: both toys are also governed under Nuance’s general privacy policy, which says, “We may use the information that we collect for our internal purposes to develop, tune, enhance, and improve our products and services, and for advertising and marketing consistent with this Privacy Policy.”

It continues, “If you are under 18 or otherwise would be required to have parent or guardian consent to share information with Nuance, you should not send any information about yourself to us.”

What Is COPPA?

If you suddenly find yourself thinking: “but wait! Aren’t toys marketed for ‘ages 4 and up’ mostly going to be used by kids under age 18?” then you and the complaint are on the same track.

Because yes, there is a law that governs how you can collect kids’ data and what you can do with it. It’s called COPPA, the Children’s Online Privacy Protection Act of 1998.

That rule says, among other things, that companies gathering children’s data have to provide notice to, and obtain consent from, parents about their privacy practices; that they have to permit parents access to review their kids’ data or have it deleted; and that they need to give parents the option of letting their kids’ data be used internally but not shared with third parties. And those are things that Genesis and Nuance are not doing, the complaint alleges.

For starters, what privacy policies do exist for these toys are hard to find. The companion apps do not immediately link to the privacy policy, notes the complaint to the FTC, nor does the Cayla doll’s packaging make any reference to the toy’s privacy policy or terms of service.

Similarly, Cayla’s Terms of Service are not available on the website or in the app; they only show once, as a pop-up, the first time you open the app — preventing anyone from going back and reading them later.

Even worse: these Terms are subject to change without notice, the complaint continues. It quotes the privacy policy for both toys (Cayla, i-Que) as reading, “This Privacy Statement may be updated from time to time, so you may wish to check it each time you submit personal information to us.” Which, yes, would be basically every single time anyone says something in the toy’s hearing range.

It also says “you should look at the website regularly to check” if anything has been updated, which, as the complaint points out, is pretty useless when the terms of service aren’t viewable on the website to begin with.

Even if you can by some miracle read the terms of service, the complaint points out, they’re still not in line with what COPPA actually requires.

The app does specify that “as required by law, parental approval is required for the download of the App by any persons who are under 13 years old.”

It continues, “By accepting these terms, you (as the parent or guardian) have provided your consent to all the terms and conditions detailed in these Terms, including the collection of personally and non-personally identifiable information.”

That’s in the giant wall of text (3,800 words) that users see with an “agree” button the first time they install the app, and never again. Other than that, the complaint alleges, “Genesis does not take any other steps to verify parental consent to the collection, use, and disclosure of children’s voice recordings or other personal information” by the toys.

Then the third parties come in: because of the other work Nuance Communications does, some of the 30 million voice prints it claims to have access to — for the purpose of enhancing its ability to parse and analyze audio files on behalf of law enforcement — may well be generated by eavesdropping dolls.

If true, that’s yet another COPPA no-no, the complaint alleges, because it has “actual knowledge” that it is “collecting and maintaining personal information from a child” when it pulls in the toys’ audio files, and it has not obtained parental consent to do so.

Talking To The Man In The Middle

And on top of all that, the toys’ connections are just plain insecure. Basically anyone searching for nearby Bluetooth devices can easily connect to them, as a video and report [PDF] from the Norwegian Consumer Council show.

Living Up To Barbie

Similar concerns have been raised about Mattel’s Hello Barbie. Here’s the NCC’s comparison of the three toys.

The Norwegian researchers’ technical report [PDF, in English] also found that some queries, like ones that made the toys connect to Weather Underground, were using insecure HTTP connections that can easily be subjected to a man-in-the-middle attack if someone were so inclined.

The researchers were able to use free apps in order to turn both the doll and the robot into recording devices, and were able to use the toys as a two-way handset by calling the phone to which they were connected. “This is very easy and requires little technical know-how,” the researchers added.

These aren’t the first toys to catch heat for spying on the children who play with them, of course; last year, Hello Barbie brought home the annual “TOADY” worst toy award over similar concerns.

But Hello Barbie, the technical report points out, at least requires the user to hold down and activate the microphone before it records. Cayla and i-Que, on the other hand, are basically always listening. (See sidebar at right for more comparisons of these three toys)

“With the growing Internet of Things, American consumers face unprecedented levels of surveillance in their most private spaces, and young children are uniquely vulnerable to these invasive practices,” Claire T. Gartland, Director of the EPIC Consumer Privacy Project, said in a statement. “The FTC has an obligation here to step in and safeguard the privacy of young children against toys that spy and companies that exploit their very voices for corporate gain. … It is extremely alarming that what a child says to her ‘trusted’ friend could end up in a voice biometrics database sold to law enforcement and intelligence agencies.”

“As more toys are connected to the Internet, we have to ensure that children’s privacy and security are protected,” added Katie McInnis, technology policy counsel for our colleagues down the hall at Consumers Union. “When a toy collects personal information about a child, families have a right to know, and they need to have meaningful choices to decide how their kids’ data is used. We strongly urge the FTC to investigate these companies, stop the deceptive practices, and hold them accountable.”

The complaint asks the FTC for “investigation and relief,” meaning that the petitioners are calling on the Commission to investigate what Genesis and Nuance are doing, immediately halt anything that’s unfair or deceptive, and possibly provide “other relief” (which could include refunds) as “necessary and appropriate.”

We’ve reached out to both Genesis Toys and Nuance Communications for comment on the complaint and the concerns it raises, but have not yet received a reply. We will update this story if we hear anything back from either company.