FBI To Parents: Watch Out For Kids’ Privacy With Internet-Connected Toys

A basketball, a Lego set, or a box of crayons is largely what it seems, but modern “smart toys and entertainment devices” for kids have a lot of things in them that can collect sensitive data. And as more and more of a kid’s nursery fills up with gadgets that connect to Bluetooth, the web, or parent apps, the feds are advising parents to be wary.

The FBI’s public service announcement doesn’t outright say not to buy connected toys, but it does say that parents and caretakers need to be aware of the vulnerabilities “smart” toys present.

What’s the issue?

The moving parts that you don’t see, in your kids’ toys, include “sensors, microphones, cameras, data storage components, and other multimedia capabilities,” the FBI notes. All of those collect data in ways you may or may not be aware of.

That’s on top of any data a toy or its associated app may have asked you for right when it was first set up: parents’ and childrens’ names, addresses, email addresses, phone numbers, photos, and other identifying information.

Once that data is collected, you probably have very little idea how a company is transmitting, using, and storing it. And that’s aside from the issue that any sensor and database is hackable, and there are good odds that whatever company is transmitting and storing your kid’s personal data is not applying great data security practices to it.

What can I do about it?

Well, that’s a little trickier.

The FBI advises that, basically, you should read the manual. Look for, and carefully read, a company’s privacy policy and user agreement to see if the company does something you don’t want with the data it collects from your kids.

Also scour those policies for references to third parties that a company may disclose to — a toy’s data may go farther than you think.

Try to do some other research too, the FBI advises, to find out if the company that makes a certain toy has a history of data breaches, and what its policy with regard to data loss notification actually is.

But that’s not much.

A key problem with putting all of this information into a privacy policy is that most consumers won’t see it until after a product has been opened and activated and can’t be returned.

It’s not as if the product disclosure is on the box, after all; largely you have to go to a website or download a companion app to a device in order to activate a child’s toy, and the moment of activation is the first time you will be presented with the option to view and accept the toy’s terms and conditions.

It’s all well and good to say that parents should research a toy before they buy it, but that also needs to apply to basically every grandparent, aunt, uncle, cousin, or friend in a child’s life, too. And it’s not just about the toys your own children have at home; once your kids clear preschool age, they’re likely to be playing at their friends’ homes on occasion, too.

This is starting to sound kind of familiar…

The FBI’s warning is not merely hypothetical.

You may remember hearing about My Friend Cayla and the i-Que Intelligent Robot. These toys listen to kids, collect voice recordings, and then send them to a third-party processor.

In Dec. 2016, a number of consumer groups, including our colleagues at Consumers Union, filed a complaint with the Federal Trade Commission alleging that these toys were running afoul of the laws that protect childrens’ privacy, and that the makers were behaving in an unfair and deceptive way.

Researchers working around the world found that the toys were easily hacked, and that their privacy policies were all but impossible to find and could be changed and updated without notice to the consumers.

The toys have since been banned in Germany, where parents are ordered to destroy one if the have it or else face a steep fine.