Declaring a doll that can record and upload children’s speech “illegal,” the German government is asking the manufacturer to pull the doll from stores and parents to “destroy” the doll’s “functionality.”
The toy in question is the My Friend Cayla doll, manufactured by U.S.-based Genesis Toys and distributed in Germany by U.K.-based Vivid GmbH. A similar toy, the i-Que robot, is aimed at boys.
My Friend Cayla connects to the Internet via a Bluetooth connection with a smartphone, then listens with its internal microphone for humans to speak. When one does, the doll uploads the person’s voice recording to a third party, Massachusetts-based Nuance Communications, which translates it into text that is then used to generate an appropriate response. The response is transmitted back to the doll, which then utters it.
“Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy. This applies in particular to children’s toys. The Cayla doll has been banned in Germany,” Jochen Homann, president of Germany’s telecommunications regulator, said in a statement.
The regulatory agency says it has already contacted the distributor and requested that the toys be removed from store shelves. It further asks that parents “take it upon themselves to make sure the doll does not pose a risk.” Although it claims “there are no plans at present to instigate any regulatory proceedings against the parents,” agency spokesman Olaf Peter Eul told CNN, “We expect people to act as lawful citizens and destroy the functionality of the doll.”
Notwithstanding the German government’s mildly threatening approach — not to mention its chutzpah in claiming to care about people’s privacy while maintaining a surveillance state that swaps data with the U.S. National Security Agency — there is actually good reason to be concerned about the doll’s capabilities. The toy has already been pulled from stores in the Netherlands over privacy concerns, and a consortium of privacy advocates in the United States, including the Electronic Privacy Information Center (EPIC), has filed a complaint about the toy with the Federal Trade Commission (FTC).
“The FTC should issue a recall on the dolls and halt further sales pending the resolution of the privacy and safety risks identified in the complaint,” Claire Gartland, director of EPIC’s Consumer Privacy Project, told CNN.
“The use of children’s voice and text information to enhance products and services sold to military, intelligence, and law enforcement agencies,” the complaint reads, “creates a substantial risk of harm because children may be unfairly targeted by these organizations if their voices are inaccurately matched to recordings obtained by these organizations.” (The same could be said for adults who happen to speak within the toys’ “earshot.”)
Upon learning of the complaint via the media, Nuance issued a statement saying it “takes data privacy seriously.” The company said it doesn’t “use or sell voice data for marketing or advertising purposes” or share it with its other customers. “We validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint,” it added.
What Genesis, Nuance, and their affiliates do with the data from the toys is only one of the complainants’ worries. They note also that the Cayla doll is programmed to plug various Disney products such as movies and theme parks. This will likely cause children to plead with their parents for those products, though parents are, of course, free to deny such requests.
Far more worrisome is the fact that the toys’ Bluetooth apps are easily hackable with just a smartphone or other mobile device. The app does not require any sort of authentication, so any Bluetooth-capable device within 50 feet of a toy that is not already paired with another device can establish a connection with it. According to the complaint, “Researchers discovered that by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the ... toys.”
The FTC, which is also part of a government that conducts mass surveillance, confirmed that it is looking into the complaint. “Companies that market smart toys and other connected devices directed to children need [to] take their privacy and data security obligations seriously and if they are collecting personal information from kids, they need to comply with [the law],” the agency told Florida TV station WPEC.
Meanwhile, in Germany, Cayla’s distributor, Vivid, isn’t giving up without a fight. The company told Reuters that while it takes the government’s allegations “very seriously,” the doll “is not an espionage device and can be used safely in every respect according to the user manual.”
“Vivid,” wrote Reuters, “will therefore legally challenge the decision by German authorities to ban the doll.”