What would you say if the doll you bought for Christmas was used to eavesdrop on your child, or if the conversation you have with the doll was used for targeted advertising and shared with unnamed 3rd parties?

Most of us would surely object, but unfortunately, these toys are already in toy stores all over Europe. A study we have undertaken shows that internet-connected toys fail miserably when it comes to safeguarding basic consumer rights, security, and privacy.

Join us in saying that we will not allow these companies to use our kids as guinea pigs for emerging technologies.

Entering the internet of toys

cayla2_i-que_someIn the last few years, an increasing number of devices have been fitted with different sensors and are connected to the internet. This phenomenon, often referred to as the internet of things (IoT), allows everyday household objects such as coffee makers and thermostats, to record usage data, communicate with each other, and adapt to the consumer’s preferences and needs.

On the other hand, the IoT has been criticized for sacrificing consumer rights, privacy, and security in the name of efficiency and convenience. Products with few security measures are flooding the market, and the world of connected toys appears to be no exception.

As part of a project looking at consumer challenges in connection with the internet of things, we have analysed the user terms and the technical properties of three connected toys.

Meet Cayla and i-Que

Photo by the Norwegian Consumer Council.

Photo by the Norwegian Consumer Council.

The dolls My Friend Cayla and Hello Barbie and the robot i-Que, use speech recognition technologies in order to simulate conversations with children. While the Barbie doll is currently only available in the U.S., Cayla and i-Que are popular products in many parts of Europe. These two toys use the internet resource Wikipedia in order to answer questions on a wide variety of topics.

In a technical test we commissioned, we discovered that Cayla and i-Que use basic Bluetooth technology with a significant lack of security measures. As long as the toys are switched on, anyone with two basic smartphones can connect to the toys in order to both listen in on and speak to the children.

When reading through the terms of conditions of the two toys, we also discovered a severe disregard for basic consumer rights. Consumers are not warned about changes to the terms, children’s data may be used for targeted marketing, and children’s conversations with the dolls can be shared with a wide array of third parties. Furthermore, this speech data is transmitted to a company in the U.S., which claims even further rights on the content. In our opinion, this constitutes breaches of several areas of European law.

Our children are not guinea pigs

Together with a number of other European and American consumer organisations, we are now lodging complaints with national data protection authorities and consumer ombudsmen.

What would you say if the doll you bought for Christmas was used to eavesdrop on your child?

It is completely unacceptable that products marketed for young children enter the market without any preventive measures taken regarding consumer rights, privacy, and basic security. Join us in saying that we will not allow these companies to use our kids as guinea pigs for emerging technologies.

This was a guest blog by Finn Myrstad who works on digital policy at the Norwegian Consumer Council Forbrukerradet, BEUC’s Norwegian member.

The Norwegian Consumer Council has looked at the terms and technical features of the connected toys ‘My Friend Cayla’ and ‘i-Que’. The findings reveal serious risks to children’s rights to privacy and security. The Norwegian Consumer Council launched the campaign #Toyfail and consumer organisations in Europe and the United States are filing complaints to relevant national authorities on what seems to be obvious breaches of several consumer laws.

Check out the Norwegian Consumer Council’s video, the campaign website and the BEUC press release.


Posted by Finn Myrstad