Researchers identify security vulnerabilities in internet-enabled toys like dolls that can expose the personal information of children and their parents
Jul 06 2016
Washington – U.S. Sen. Mark R. Warner (D-VA) today urged the Federal Trade Commission (FTC) to work with Congress to strengthen efforts to protect children’s personal information given the increase in apps and Internet-connected “smart toys” that can collect and store data on minors and their parents. In a letter to FTC Chairwoman Edith Ramirez, Sen. Warner expressed concern that children are vulnerable to identity theft as toys and apps gather personally identifiable information such as names, birthdates, and gender, and that hackers could exploit cybersecurity weaknesses within these devices as an entrance point to a family’s wireless networks.
“Over the past few years, security researchers have uncovered some startling vulnerabilities in a wide variety of connected toys. For instance, researchers have been able to gain control of dolls that respond to children’s questions and alter the doll’s responses. Security analysts have also shown that conversations recorded by toys and uploaded to the cloud are easily accessible to hackers,” Sen. Warner wrote in his letter to the FTC. “Meanwhile, the data breach at Hong Kong-based toymaker VTech exposed the personal information of 6.4 million children, including details like their names, genders, and birthdays, and demonstrated that even children are at risk of data theft. Finally, these connected devices present a risk to parents’ data and security as well, as hackers may begin to see connected toys as the weak-link in a family’s home network.”
The Children’s Online Privacy Protection Act of 1998, or COPPA, was enacted by Congress to protect the privacy and safety of children online by prohibiting the unauthorized collection, storage, and use of children’s personal information by child-directed sites and services. However, Congress and the FTC never envisioned in 1998 that the legislation would need to be applied to interconnected devices such as baby monitors, dolls and stuffed animals, all of which can now be connected to the internet and can pose appealing targets for hackers.
“Common Sense is particularly concerned about IoT’s privacy implications for families and children, as innovative toy and device makers often seem less focused on privacy and security than on developing the newest hit gadget,” said James P. Steyer, Founder and CEO of Common Sense Media. “Companies appear to be making privacy and security an afterthought and notices and terms of service are often buried on a website, unconnected from the physical devices. That is why we need comprehensive and strong regulations to guide companies and provide families peace of mind.”
“It is not always readily obvious to children, or especially their parents, that their information is being tracked or even stored. This has implications from what ads are targeting them to real concerns over information use for children’s safety and privacy,” the Virginia Poverty Law Center said in a statement. “For parents, they may not even know their children’s information is being collected and stored, or they may not be given a warning or the ability to opt out a company tracking their children’s information through their favorite toy or game. We applaud Senator Warner for bringing this issue to the forefront.”
“The members of Virginia PTA are deeply committed to the promotion of privacy and security policies that maintain the confidentiality of sensitive data that students and families provide to educational institutions, as well as the data that is collected while using online products and services,” the Virginia PTA said in a statement. “Federal and state laws must be modernized to better protect not just student’s educational records but also the collection of information gathered online to address the growing use of technology and data in education and throughout society.”
Sen. Warner applauded the steps the FTC has taken to update and reform enforcement of COPPA to prioritize children’s safety, and requested a response from the FTC to questions on current policies and future plans for interpretation and enforcement of COPPA. The questions focused on the FTC’S ability to regulate the Internet of Things under COPPA, the vital role of parental consent, and the need for adequate market incentives. Sen. Warner stressed the importance of ongoing collaboration to create effective policies.
“I urge the FTC to work with members of Congress to identify ways that we can better protect our children as technology changes the way they use and access the Internet,” wrote Sen. Warner. “As the Internet of Things expands to include millions of additional devices each day, more and more Internet-connected devices are making their way into children’s hands. This steady increase makes our efforts to protect children’s data even more imperative.”
Sen. Warner, a member of the Senate Intelligence Committee and former technology executive, is the Co-Chair of the Senate Cybersecurity Caucus and is spearheading a bipartisan proposal to establish a National Commission on Security and Technology Challenges, which would bring together stakeholders and experts to examine issues related to privacy and digital security and make recommendations to Congress.
A copy of today’s letter is available here.