All I Want For Christmas Is Privacy

This holiday season, the most popular toys on the shelves don’t just talk or roar, or cry or transform. They listen and remember. Everyday, affordable children’s toys are now a part of the Internet of Things, bringing children and families both the joys of interactive playthings and the dangers of hacking, spying, and theft of personal information. Artificial Intelligence, or A.I., in toys can enhance the user experience for more enjoyable, educational, and imaginative play. It can also be misused to gain access to other devices on the Wi-Fi network, to obtain personal information about the child or the family, and for other types of criminal mischief.

Mattel and its entertainment technology partner, ToyTalk, are rolling out a Barbie outfitted with speech recognition and progressive learning technology just in time for Christmas 2015. “Hello Barbie” is being billed as “the first fashion doll that can have a two-way conversation with girls.” The technology is activated when Barbie’s belt buckle is held down and a child tells the doll information. From there, data is recorded and then transmitted via a Wi-Fi network to ToyTalk databases for analysis. This recording, transmission, and processing of information opens children to a world of hacking possibilities, endangering the most helpless in our society.

Mattel’s new toy can be used as a portal to access the child’s home system and endanger other home security devices used on the same network. The doll’s operating system has already been hacked by a professional security researcher, who was able to enter the network through the doll and obtain Wi-Fi network names, internal MAC addresses, account IDs, and MP3 files. This information could then be used to hack into the home network. Home security systems, baby monitors, and home monitoring systems are often elements of this network, and a criminal accessing those devices could misuse the network to gain access to the home.

Children often share personal information with their toys, from hopes and dreams and favorite colors to names and addresses. Once a hacker gains the ability to listen to the recordings, a child’s playtime stories can be monetized. Information such as a child’s name, address, or school can all help to falsify financial documents. In this modern age, we are not naive to the dangers of identity theft; however, when we talk about hacking, it is rarely in the context of children. Recent cyber-security failures at Target, Home Depot, and Neiman Marcus have driven home the cyber safety vulnerabilities of our personal financial data. But the victims have all been adults. This is not because children are immune from cyber hacks—children are particularly unsafe because of their lack of financial history. They simply don’t use credit cards, and thus haven’t been victims of the well-publicized department store cyber-attacks.

Identity theft, while alarming, is nothing out of the ordinary in light of the many cyber-security flaws on the part of our nation’s retailers. Home invasions through hacked security devices began long before Hello Barbie entered the market. A hacker using a doll to spy on a child or communicate with a child, however, is a terrifying thought. In January of 2015, a security researcher exploited a security vulnerability in British company Vivid Toy’s “My Friend Cayla.” As a result, the hacker was able to change what sounds the doll made, including playing music and using obscenities. The idea of a criminal hacking into a child’s toy to spy on and speak with a child is fodder for nightmares and horror movies. No parents would willingly expose their child to such a danger, so why is Hello Barbie relatively free of parental mistrust?

As a society, Americans have become trusting consumers of toys. We don’t use dangerous chemicals, we place warnings and age requirements, we protect against injuries from misuse. The United States Consumer Product Safety Commission (CPSC) has created expansive regulations to protect the most vulnerable in our society, including mandating “Children’s Product Certificates” for toys used by children 12 years of age or younger. Bolstered by consumer confidence garnered from nearly half a century of legislative and regulatory toy standards, Mattel is able to enter Hello Barbie into the market without the degree of skepticism the new technology warrants.

The doll is where every innovator hopes to be: ahead of the rest of society. Laws protecting cyber toys from irresponsible software programming haven’t been written yet. There are no industry best practices because Mattel is the industry. Rather than using this unique position to set a cybersecurity standard, Mattel limits its discussion of its responsibilities to simple assurances. In a Hello Barbie Privacy Policy document provided on ToyTalk’s Web site, the company promises, “We take reasonable measures to protect personal information in an effort to prevent loss, misuse, and unauthorized access, disclosure, alteration, and destruction. Please be aware, however, that despite our efforts, no security measures are perfect or impenetrable and no method of data transmission that can be guaranteed against any interception or other type of misuse.”

The most comprehensive cyber legislation to which Mattel had to adhere is the Children’s Online Privacy Protection Act, which “prohibits unfair or deceptive acts or practices in connection with the collection, use, and/or disclosure of personal information from and about children on the Internet.” While the statute establishes a reasonable first step towards toy safety, it was first effective in October 1998. The world was considerably less connected 17 years ago, and the idea of artificially intelligent toys and instant communication was still fodder for science fiction films. The law was created for a Jurassic Internet and is neither agile nor contemporary enough to regulate Wi-Fi-enabled children’s toys. In this technologically advanced society, it is no longer enough simply to protect against toy companies who may intentionally do harm. Mattel, by creating a doll connected to the Internet of Things, should be held responsible for protecting the stored information from software flaws that can enable hackers to exploit Hello Barbie’s users.

Mattel’s new Barbie heralds a new age in toy making, where corporate responsibility must be the determining factor in product quality. It is no longer enough to solely innovate toys for enjoyment—toymakers must now protect the children who enjoy their products from adult harms. This issue is receiving some attention from consumer and technology groups; however, missing from the toy-hacking narrative is a discussion of the total lack of best practice guidelines for toy cybersecurity. There is no mandated technology component to ensure that a company does all it can to prevent the theft of personally identifiable information it possesses. There isn’t even a law requiring a bare minimum level of protection. Standards can only be met if they are established and followed, from industry leaders to entrepreneurs.

- Written by Jacqueline Kappler