Finn Myrstad makes his living reading the cryptic privacy policies that most consumers give merely a passing glance before opening an app or plugging in internet-connected gadgets.
And much of the language he encounters in those dense and lengthy contracts is the same whether it's for dating applications or fitness trackers. But when Mr. Myrstad, head of Norway's national consumer protection agency, examined the privacy policies for two popular internet-connected toys, he noticed something particularly striking.
The terms and conditions for My Friend Cayla and I-Que Intelligent Robot allows toymaker Genesis Toys to capture and store kids' voices while they play with the toys and share data from those recording with third parties. In turn, companies can use that information to target kids with ads. Myrstad says that information about the ad-targeting is buried deep in those terms – where most users can't find them.
"I'd love companies to be much more transparent in plain language about how they collect data," Myrstad says. "You pay once with your actual money, and you pay another time with your data. We think that’s unacceptable."
Using Myrstad's research, a group of consumer advocacy and privacy groups lodged a complaint with the Federal Trade Commission (FTC) claiming the two talking dolls violate federal privacy laws by collecting children's voices and data without parental consent. The groups put forward similar complaints to regulators in the European Union, France, the Netherlands, Belgium, Ireland, and Norway.
"This toy is essentially spying on children, recording their conversations, and storing their voices talking to the doll and sharing those conversations with unknown third parties," said Josh Golin, executive director of Campaign for a Commercial Free Childhood, one of the groups that filed the complaint. "When children play with a doll, they tend to reveal secrets – it’s very concerning that that information is being captured, stored, and shared."
The case illustrates growing concerns among privacy groups and technologists about the increasing number of children's products that record and store about kids. Although internet-connected gadgets represent just 1 percent of total US toy sales according to research firm the NPD Group, purchases boomed by 79 percent for the 12 months ending in October.
The rapid growth of that industry has led privacy experts to worry that as more toys seamlessly connect to the internet, those devices could begin collecting data before users have a chance to secure their privacy.
"There's not going to be a user interface – or there's going to be a very small or disconnected user interface," Julie Brill, a partner at law firm Hogan Lovells and until recently a Federal Trade Commissioner, said at a Passcode event on the future of connected toys in July. "All of the rules and laws we have will apply, but it’s a question of how will we get user permission? How will we obtain consent for collection of sensitive information and things like that?"
Campaign for a Commercial Free Childhood, one of the US groups behind Tuesday’s complaint, launched a petition last year calling on Mattel to halt sales of the popular internet-connected Hello Barbie toy, claiming the doll could share children's conversations with other companies or strangers.
"Mattel is committed to safety and security, and Hello Barbie conforms to applicable government standards, including the Children’s Online Privacy Protection Act," the company said in response to the petition. "Additionally, Hello Barbie’s technology features a number of safeguards to ensure that stored data is secure and can’t be accessed by unauthorized users."
The FTC can penalize privacy violators by initiating a civil administrative complaint to force them to change their practices. Congress updated the law in 2012 to expand the definition of children's personal information to include geolocation, photos, videos, and audio files.
COPPA violations can also lead to large federal fines. In September, Viacom, Mattel, and Jumpstart games paid out a total of $835,000 in federal fines – bowing to allegations from New York Attorney General Eric T. Schneiderman (D) that the companies had illegally allowed third-party vendors to track children’s activity online.
Genesis Toys did not respond to a request for comment regarding this week's complaint. It’s not the first time that the company has come under fire for flaws in its products, either. Last year, security researcher Ken Munro hacked the My Friend Cayla doll, programmed to recognize dozens of phrases from Disney movies and record and convert children’s questions into text in order to retrieve answers from Google, Wikipedia, and the weather forecasting website Weather Underground. Mr. Munro was able to alter the doll's interface to spew foul language and references to Hannibal Lecter.
And working with a team of white hat hackers from the Scandinavian firm Bouvet ASA, Norway's Myrstad discovered that hackers could intercept Bluetooth signals from My Friend Cayla, potentially letting snoopers talk through the doll or eavesdrop on people.
Last November, criminal hackers broke into the servers of Hong Kong-based toymaker VTech – designer of tablets, gadgets, and toys for kids, leaking the personal data of millions of customers – including the names, home addresses, and chat logs of millions of parents and children out in public.
It's not yet clear how the US government will react to this week's privacy complaint against Genesis. The FTC did not respond to requests for comment regarding the timing of a potential decision on the matter. But Sen. Ed Markey (D) of Massachusetts has already sent letters to Nuance and Genesis Toys requesting more information on the privacy features of their products.
Advocates are hoping that the complaint could lead to a recall of the toys in the US until they’re up to snuff with federal data privacy laws. Stores in the Netherlands and Belgium have already stopped stocking the devices.
But some digital toymakers are working hard to ensure they're COPPA compliant. Elemental Path, for instance, sells the internet-connected Cognitoys Dino, a toy dinosaur that anonymizes all user data that leaves the device. The company's chief technologist JP Benini says Tuesday's filing should be a warning for parents to stay vigilant when it comes to buying connected toys.
"Parents just have to be mindful of the toys they expose their children to," he says. "If a parent is really, really concerned about a toy listening to their child, they’re going to speak with their wallets and not buy the toy."