In second letter to agency, Warner highlights high-profile examples of smart toys that have jeopardized privacy of children and their parents
May 22, 2017
WASHINGTON – U.S. Sen. Mark R. Warner (D-VA) today sent a letter to the Federal Trade Commission (FTC) asking the agency about its efforts to protect children’s privacy following several high-profile instances of children’s data being hacked. This letter follows a letter that Sen. Warner sent to then-Chairwoman Edith Ramirez on July 6, 2016 urging the FTC to work with Congress to strengthen protections for children’s personal information given the increase in apps and Internet-connected “smart toys.”
“Recent events have illustrated that in addition to security concerns with the devices themselves, new data-intensive functionalities of these devices necessitate attention to the manner in which vendors transmit and store user data collected by these devices,” Sen. Warner wrote in his letter to Acting Chairwoman Ohlhausen. “Reports of your statements casting these risks as merely speculative – and dismissing consumer harms that don’t pose ‘monetary injury or unwarranted health and safety risks’ – only deepen my concerns.”
According to multiple media reports, CloudPets, a product line manufactured by Spiral Toys and marketed as ‘a message you can hug,’ stored customers’ personal data in an insecure, public-facing online database. CloudPets reportedly exposed over 800,000 customer credentials and more than two million voice recordings sent between parents and children. Subsequent reports have raised questions about security at the device level, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, if they are within Bluetooth range.
In his letter, Sen. Warner also asked Acting Chairwoman Ohlhausen about FTC action in relation to the children’s doll “My Friend Cayla.” In December 2016, privacy advocates filed a complaint with the FTC regarding the doll and concerns that it can be used for unauthorized surveillance. In February 2017, the Bundesnetzagentur, Germany’s equivalent of the FTC, pulled “My Friend Cayla” off the market due to concerns over the doll’s surveillance capabilities.
“We all know that many of these so-called ‘smart’ devices aren’t so smart at protecting the safety and security of our kids,” said James P. Steyer, Founder and CEO of Common Sense Media. “Children's toys with weak security can put not just kids' personal information at risk, but imperil even their innermost thoughts. We applaud Senator Warner for his efforts to ensure that our laws and rules keep pace with rapidly changing technology.”
“The expanding world of connected toys offers innumerable benefits to children through education and play. However, it is vitally important that parents can trust toymakers with their children’s most sensitive information. Companies must take their responsibilities to families seriously and ensure that data is protected to the highest industry standards,” according to Stephen Balkam, CEO of the Family Online Safety Institute (FOSI). “Congress, the FTC, parents, and industry all have a role to play. We are very grateful to Senator Warner for raising awareness of these important issues and look forward to working with him in the future.”
Sen. Warner asked Acting Chairwoman Ohlhausen a number of questions regarding how the FTC has responded to the hack of CloudPets’ database and its response to the complaint regarding the children’s doll “My Friend Cayla.” Sen. Warner also asked Acting Chairwoman Ohlhausen whether the Children’s Online Privacy Protection Act (COPPA) needs to be updated to keep pace with developments in data security and cyber security best practices. Finally, Sen. Warner asked Acting Chairwoman Ohlhausen about her comments dismissing consumer harms that don’t pose “monetary injury or unwarranted health and safety risks” as “speculative” and “subjective.”
Sen. Warner, the Vice Chair of the Senate Intelligence Committee and former technology executive, is the Co-Chair of the Senate Cybersecurity Caucus and a leader in Congress on security issues related to the Internet-of-Things (IoT).
The text of the letter appears below.
May 22, 2017
The Honorable Maureen K. Ohlhausen
Federal Trade Commission
600 Pennsylvania Avenue, NW
Washington, D.C. 20530
Dear Acting Chairwoman Ohlhausen,
I am writing to express my continued and growing concern regarding children’s privacy amid recent media reports further highlighting security vulnerabilities in a wide array of connected products directed at children. While I remain grateful for the work the Federal Trade Commission (hereafter “FTC”) has done to protect America’s children, I worry that protections for children are not keeping pace with consumer and technology trends shaping the market for these products. In particular, recent events have illustrated that in addition to security concerns with the devices themselves, new data-intensive functionalities of these devices necessitate attention to the manner in which vendors transmit and store user data collected by these devices. Reports of your statements casting these risks as merely speculative – and dismissing consumer harms that don’t pose “monetary injury or unwarranted health and safety risks” – only deepen my concerns.
In May 2016, I sent a letter to then Chairwoman Edith Ramirez in which I noted the “increasing prevalence of connectivity and data processing abilities in children’s toys and other household products.” In that letter, I raised a number of concerns regarding the security of internet-connected devices, known collectively as the Internet of Things (IoT). In particular, I was alarmed by the growth of connected devices marketed toward children, such as internet-connected dolls and toy cars, given security vulnerabilities researchers have identified in a number of these products. Recent media reports have raised additional concerns not only about the security of connected devices but also about the remotely stored data generated from these devices. This latter point is notable given the data minimization requirements of the Children’s Online Privacy Protection Act (COPPA), prohibiting service providers from retaining collected personal information longer than is necessary to fulfill the purpose for which the information was originally collected.
A timely example of the insecurity in some of these IoT devices is CloudPets, a product line manufactured by Spiral Toys and marketed as ‘a message you can hug,’ which according to multiple media reports was storing personal data in an insecure, public-facing online database. Ignoring the most basic elements of responsible data management, CloudPets reportedly exposed over 800,000 customer credentials and more than two million voice recordings sent between parents and children. Additional reports have subsequently raised questions about security at the device level, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, as long as they are within Bluetooth range. This one example demonstrates the importance of better incorporating security at the device level, on servers holding data collected by these devices, and across communications links.
Following the massive Distributed Denial of Service (DDoS) attack in October 2016 that flooded particular websites, web-hosting servers, and internet infrastructure providers with debilitating levels of network traffic from insecure IoT devices, I sent a letter to your agency in which I asked what the FTC would do to take harmful devices out of the stream of commerce. The agency responded that, among other things, the FTC has “urged companies to continuously monitor the threat landscape and update and release security patches throughout the lifecycle of their devices.”
Researchers have determined that in many cases IoT devices are, by design, not patchable. As I noted in my October letter, a lack of market incentives to design devices with security in mind or to provide ongoing support has allowed manufacturers to flood the market with cheap, insecure devices. In March, however, you seemed to downplay the existence of these risks, suggesting that “We don’t know if that risk [from insecure IoT devices] will materialize,” and contending that if it did, industry could sufficiently address the problem, obviating the need for FTC action.
In fact, there are reports that indicate that security researchers made repeated attempts to get in touch with CloudPets regarding the vulnerabilities they found, but were unable to reach company representatives. Companies should welcome feedback from experts and establish coordinated disclosure programs, where researchers can alert vendors of important vulnerabilities. While I understand some companies may be wary of establishing such programs, ignoring security researchers or waiting for notification from an agency like the FTC presents unnecessary risks to consumers by allowing vulnerabilities to go unfixed.
While instituting coordinated vulnerability disclosure programs would certainly help improve device and data security, more drastic actions may be necessary to address vulnerabilities in the deployed base of products purchased by consumers. As you may be aware, other countries have taken steps to remove insecure internet-connected devices from the marketplace or warn parents about the dangers of such toys. On February 17, 2017, Germany’s Bundesnetzagentur or Federal Network Agency, an entity responsible for regulating energy, telecommunications, post, and rail networks, pulled the children’s doll “My Friend Cayla” off the market due to concerns that the device could be used for unauthorized surveillance. The FTC received a complaint from privacy advocates in December 2016 regarding “My Friend Cayla,” but has not taken concrete action as of May 22, 2017.
Given these recent developments, I have a number of questions regarding the FTC’s actions to protect children’s privacy and respectfully request responses within four weeks of receipt.
- While the Children’s Online Privacy Protection Act (COPPA) has requirements regarding the security of children’s data, hacks of companies like CloudPets and VTech have shown that children’s data is still vulnerable. Do COPPA’s data security – including retention and data minimization – standards need to be updated? Are companies ignoring COPPA requirements, or are COPPA requirements not keeping pace with developments in data security and cyber security best practices?
- Does the FTC need additional authority from Congress to regulate the remote storage of data by operators or by third parties who store and handle children’s personal information?
- In the case of a civil enforcement action related to a violation of either Section 5 or COPPA, does the FTC’s injunctive authority extend to requiring defendants to recall insecure products designed for, marketed, and sold to U.S.-based consumers? Under what circumstances might the FTC require a ‘buy-back’ for insecure products, as it did in a recent Section 5 case involving an automaker’s deceptive marketing?
- Has the FTC been in contact with CloudPets or its parent company Spiral Toys? If not, why has the FTC not been in contact?
- What guidance has the FTC given to Spiral Toys or CloudPets? Has the FTC issued guidance or considered issuing guidance to consumers who bought products from Spiral Toys or CloudPets whose data has been compromised?
- As mentioned above, privacy advocates filed a complaint with the FTC in December 2016 regarding “My Friend Cayla.” Has the FTC taken any action with respect to “My Friend Cayla” or other products manufactured by Genesis Toys?
- Insecurities associated with IoT devices have been widely known for a number of years. On what basis are you concluding that these risks have yet to materialize, or that market solutions have successfully addressed these harms?
I thank you for your continuing cooperation in protecting the privacy and safety of children across the United States. I hope that we can work together to ensure proper oversight of this issue.
Mark R. Warner
United States Senator