M2MMobile AppsMobilityNetworks

Nuance And Smart Toy Maker Faces Privacy Complaint

Tom Jowitt is a leading British tech freelance and long standing contributor to TechWeek Europe

Toys that spy? Formal complaint filed in the US against toy maker and Nuance Communications

Privacy concerns about so called ‘smart toys’ for children has once again been raised after campaign groups in the United States filed a formal complaint with US authorities.

The complaint centres on ‘toys that spy’ and has identified two firms, namely Genesis Toys, which makes the i-Que and Cayla smart toys, and Nuance Communications, which provides the speech recognition software for the toys.

This is not the first time that privacy complaints have surfaced about so called smart toys. And issues like this are only set to get worse as takeup of the Internet of Things (IoT) increases.

Friendly robot toys © charles taylorShutterstock

Official Complaint

The complaint filed with the Federal Trade Commission concerns two toys made by Genesis Toys, namely the My Friend Cayla doll and the i-Que intelligent robot.

Both toys are Internet connected, and talk and interact with children by capturing and recording voice conversations and analysing that data.

“These voice recordings are stored and used for a variety of purposes beyond providing for the toys’ functionality,” alleged the complaint. “The physical doll contains a Bluetooth microphone and speaker, and the companion app provides the data processing to facilitate the toy’s ability to capture the private communications of children.”

“Before playing with toys, users are required to download the Cayla and/or i-Que application on a mobile device, to which the doll connects using Bluetooth technology,” stated the complaint. It alleges the apps requests permission to access the hardware, storage, microphone, Wi-Fi connections, and Bluetooth on users’ devices, but fails to disclose to the user the significance of obtaining this permission.”

It also said the “i-Que companion application also requests access to the device camera, which is not necessary to the toy’s functions and is not explained or justified”.

“After establishing a Bluetooth connection with the Cayla and/or i-Que doll, the mobile application
connects the doll to the internet. The Cayla and i-Que applications record and collect conversations between the dolls and children,” said the complaint. “A child’s statements are converted into text, which is then used by the application to retrieve answers using Google Search, Wikipedia and Weather Underground.

“In addition to researching and providing factual answers to questions posed by the child, the application also allows the doll to provide appropriate responses to everything the child says, including conversational questions and comments. Cayla and i-Que encourage children to openly converse with the toys, as if chatting with a friend.”

The campaigners pointed that researchers have already discovered undisclosed product placement issues (i.e. advertising) with the toys, as the My Friend Cayla is pre-programmed with dozens of phrases that reference Disneyworld and Disney movies.

“For example, Cayla tells children that her favorite movie is Disney’s The Little Mermaid and her favorite song is “Let it Go,” from Disney’s Frozen. Cayla also tells children she loves going to Disneyland and wants to go to Epcot in Disneyworld.”

Concern has been raised that the Cayla companion application gathers personal information including their name, their parent’s names, their school, and where they live.

“The Cayla application also invites children to set their physical location,” said the complaint.

Nuance Communications told the BBC that it takes data privacy seriously. It reportedly said it had “adhered to our policy with respect to the voice data collected through the toys referred to in the complaint”.

“Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers,” spokesman Richard Mack was quoted as saying.

Spying Toys

Last December Antony Walker of techUK warned that kids toys could be remotely hacked by security services and then be used to spy on suspects.

He also warned that this hacking and spying risk could include driverless cars or household appliances connected to the internet – the so-called IoT.

And this is not the first time these concerns have been raised. In early 2015 toy maker Mattel triggered privacy worries for parents with the development of a Wi-Fi connected Barbie doll.

The ‘Hello Barbie’ is designed to remember what kids have said, and hold realistic two-way conversations with their owners. It used these “saved conversations” to discover what the kids are saying to their dolls, and what kind of responses need to generated.

This means that toy makers could be holding potentially sensitive data. Last year for example electronic toy company Vtech confirmed that its customer database had been hacked. This led to concerns that stolen data could be used to identify children, as names, dates of birth and even gender had been stolen.

Quiz: Are you a security pro?