The box says “It's amazing what she knows,” but security experts say the My Friend Cayla doll also makes it easy for strangers to know your child. The doll uses Bluetooth technology to connect to a device with no PIN or password required.
“On a scale of one to 10 this doll was definitely one to hack,” Ken Munro with Pentest Partners, who discovered the vulnerability in 2015, said. “I don't think anybody takes this seriously enough. What bothers me is we're expecting parents to become computer security experts and that's not realistic.”
Privacy groups are taking action. Last December the Electronic Privacy Information Center in Washington filed a complaint with the FTC about Genesis Toys, the maker of My Friend Cayla and the robot I-Que. The complaint cites ease of access and how the app recordings were sent to a third-party software company, Nuance Communications, without making it clear to parents.
The Children's Online Privacy Protection Act, or COPPA, sets strict guidelines on how parents must be notified about information collected on their children.
“The parent has to actually know what is going on and then say, ‘Yes, I agree.’ The box cannot already be checked. It cannot be just hidden somewhere in the terms of service. It's supposed to be a moment where the parent realizes what's going on and says, ‘Yes, I'm OK with that,’” Munro said.
Even if parents are notified, understanding how the information is stored is key.
“It's going to the cloud. That's the basic thing for so many of our devices,” said Munro.
Child user profiles and recordings collected by some other companies have also been compromised. In 2015, V-Tech Toys was hacked, exposing over six million child profiles. Plus, security researchers recently discovered that people could access voice recordings of Spiral Toys Cloudpets. Munro said that the best way to make sure your children's privacy is secure is to not give out their information in the first place.
“It's really more of a problem of how we as Americans view our privacy, and we keep giving more and more information out,” Munro said. “Eventually, we're not going to have any more privacy if we don't stop.”
The FTC would not comment on their investigation of complaints against Genesis Toys and Nuance.