Shopping for toys during the holidays is no easy task. There’s a lot to consider- from age appropriateness to educational value, choking hazard, and even possible lead contamination.
But this year my usual concerns have been overshadowed by my worries of how the toy I buy may open my 7 year-old niece up to identity theft.
Yes, identity theft.
Just last month the personal information, along with pictures, of over 6 million children were stolen by hackers who gained access to the database of VTech, the manufacturer of electronic learning toys. Security experts say the data was “weakly protected” and flaws in encryption made passwords “easily recoverable.”From the information accessed, security experts were easily able to link to a database and figure out exactly who the kids were, where they lived, information about their parents, transcripts of chat messages, download history, encrypted passwords, and more.
But if you thought “tech” toys were the only thing to worry about, you’d be wrong- Barbie, one of the most iconic and highly sought after holiday gifts, may also leave children at risk for having their personal information stolen. The new, internet-connected “Hello Barbie” allows toy and children to interact with each other. Privacy experts are so worried, some have dubbed “Hello Barbie,” “Surveillance Barbie.” The Center for Commercial Free Childhood has started the “#HellNoBarbie” campaign on social media and Newsweek even called the doll “your child’s… riskiest Christmas Present.” They explain,
Before the chatting can begin, parents must download a mobile application and connect Barbie to a wireless network. When a child speaks to the doll, a recording of their conversation is transmitted over the Wi-Fi connection to [a third party] … Speech recognition software converts the audio into text, and artificial intelligence software extracts keywords from the child’s responses, triggering Barbie to reply with one of the 8,000 lines handcrafted by a team of writers.
… Barbie remembers every detail, building a cloud database of her owner’s likes and dislikes, which she can incorporate into future conversations…. But buyers be warned: Barbie doesn’t keep secrets…Keywords plucked from a child’s responses to Barbie are funneled into a ‘trend bucket,’ showing Mattel and ToyTalk which topics are most popular with their little customers at any given time.
Parents who have purchased VTech and Barbie toys have filed separate privacy class-action lawsuits seeking more security for their children’s data. In the Barbie case, they say that Mattel’s policies breach the Children’s Online Privacy Protection Act (COPPA), a federal law that enables parents to control data collected from a child under 13 years old. VTech is accused of providing “grossly inadequate information and network security oversight, [which] led to the disclosure of consumers’ sensitive personal information, including information about their children, to unauthorized third parties.” And now members of Congress- from both sides of the aisle- have even jumped in, sending a letter to VTech inquiring about their compliance with the federal law.
That’s because children’s privacy is a big deal. Many child advocates worry about the effect that targeted advertising might have on a child, who “do[es] not understand advertising’s persuasive intent.” In addition, David Dewey, director of research for Pindrop Security, explains that fraud against children can go on for years.
The worry is that even basic pieces of information could allow nefarious people to start building profiles of children, potentially setting them up for identity theft or worse down the road… [K]ids have no credit history and their parents generally aren't checking their credit reports, making them easy targets.
Aside from class action damages, statutory fines are possible in these cases and could be a motivation to provide better security of children’s information. According to the Federal Trade Commission,
A court can hold operators who violate the [COPPA] Rule liable for civil penalties of up to $16,000 per violation. The amount of civil penalties a court assesses may turn on a number of factors, including the egregiousness of the violations, whether the operator has previously violated the Rule, the number of children involved, the amount and type of personal information collected, how the information was used, whether it was shared with third parties, and the size of the company.
But although the FTC has the ability to fine corporations in violation of COPPA up to $16,000 per violation, most violations cost companies only pennies on the dollar. Analysis of recent fines handed down from COPPA violations shows that companies often end up paying less than $2 per violation. Some could speculate that a lack of full enforcement has led to companies not making security and privacy of children’s data a priority.
While the toy makers are racing to patch some of the flaws (and some have been fixed already), experts say that there are a few things parents, family members and anyone buying these toys can do.
“If you're a parent and you buy a V-Tech toy, put in a fake address. If the company doesn't need that address, you might want to not give it out. And that way, there's no damage there…The big takeaway here is that these things can happen, and as we connect more stuff to the Internet, we're going to lose data. That's unfortunate but that's the reality. So we have to accept it and find ways to limit the damage if it happens — and also, hold more companies accountable as well.”
As for the “Hello Barbie,” the Campaign for a Commercial Free Childhood has simple advice – “Don’t buy it! And let friends and family know why you don’t want them buying Hello Barbie for your child either.”