23 Feb 2018
Smart Toys Pose Risks Related to the Capturing of Personal Data, Claims Report Issued by German Ministry
The German Federal Ministry of Justice and Consumer Protection (the Ministry) has issued an announcement drawing attention to data protection concerns raised by increasingly popular smart toys.
According to the Ministry, the defining characteristic of smart toys – their ability to interact with a user – is what makes them exciting as well as dangerous. Smart toys are equipped with microphones, sensors and cameras, as well as Bluetooth and Wi-Fi connections. They come in different shapes and forms: these include dolls and teddy bears, stuffed animals or even robots. Their ability to interact with their user depends on the analysis of the signals they receive from specific software.
The Ministry recognises that a smart toy’s ability to adapt to the individual learning speed and progress of a child enhances the playing experience and may offer advantages, e.g., a child’s acquiring of foreign language skills without a native-speaking tutor and without classroom pressure. Such educational motives make smart toys equally attractive for parents.
However, the fear is that third parties such as marketers and hackers might misuse smart toys to their own advantage. The German Ministry indicated that the protection and security of data are not sufficiently guaranteed in every smart toy.
Hong Kong manufacturers of smart toys who export to the EU might want to develop a strategy for securing integrity and confidentiality of data. It is also advised to keep in mind the data-minimisation-principle according to which personal data have to be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed.
Sounds, images and movements recorded by “connected” toys are personal data, and therefore protected under EU data protection legislation. Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the General Data Protection Regulation, or GDPR), which will apply EU-wide from 25 May 2018 notably states that children merit specific protection with regard to their data. This is due to their vulnerability in comparison with adults.
The Ministry referred to a study conducted by Stiftung Warentest, a German consumer organisation and foundation which is involved in investigating and comparing goods and services. Stiftung Warentest established a ranking of seven smart toys concerning transmission of data and safety of their connection to smartphones on a scale from “not critical” to “highly critical”.
To parents who wish to make informed purchases, the Ministry recommended that care be taken by, for example, checking any available rankings. It suggested favouring smart toys which process data locally, without a connection to a server, as they pose lower risks with regard to data breaches and security.
According to the study, three out of seven tested smart toys transmit sensitive data to advertising companies. Marketers can use this information for product placement through pre-programmed references. For example, a talking doll might indicate being a fan of a certain franchise. The practice of using such integrated responses targeted at children, who are unable to recognise and critically assess the practice for what it is, can be accused of being unethical.
Furthermore, in case data are transmitted to a central server or cloud, those have to be adequately protected against attacks, as well. The reported 2015 attack on the database of VTech (a Hong Kong based toy manufacturer) shows that data protection has to be taken seriously in the field of smart toys.
Another reason for privacy concerns relates to the connectedness of smart toys. Networked smart toys are not usually protected against attacks. Unauthorised persons could gain control of them quite easily via the Bluetooth connection. This can lead to strangers being able to observe children, using the camera function, eavesdrop on them using the microphone, or even contact them using the speakers.
The doll "MyFriendCayla" has widely been criticised as a spyware device. It was found that third parties could gain access to the voice files recorded with the microphone or camera recordings via Bluetooth. In February 2017, the German Federal Network Agency classified it as a "prohibited transmitter", banning it from the market and requiring owners to destroy their dolls.
A 2017 report of the European Commission’s Joint Research Centre (JRC) highlights other issues too. Besides the abovementioned ones, the report examines the parental monitoring of children through smart toys. The report also discusses effects of smart toys on the social development of children, and the potential opportunities and risks of interaction with robotic toys for their cognitive, socio-emotional and moral development. It raises the question of whether a child that gets used to having its everyday behaviour tracked and analysed, is likely to have its behaviour and development affected.