To support my firm’s corporate and social responsibility efforts, I volunteered to help NSPCC, a charity working in child protection, understand the Internet of Toys and its security and privacy implications.
I hope the efforts in this area will result in better policymaking and raise awareness among children and parents about the risks and threats posed by connected devices.
Toys are different from other connected devices not only because how they are normally used, but also who uses them.
For example, children may tell secrets to their toys, sharing particularly sensitive information with them. This, combined with often insufficient security considerations by the manufacturers, may be a cause for concern.
Apart from helping NSPCC in creating campaign materials and educating the staff on the threat landscape, we were able to suggest a high-level framework to assess the security of a connected toy, consisting of parental control, privacy and technology security considerations.
| Parental Control | 1. To what extent can parents control/restrict the privacy/security settings of the toy or application?
2. Can parents monitor usage? 3. Are parents adequately informed how personal information will be collected, used, disclosed, stored 4. Are there readily available contact details if parents have privacy concerns? 5. Do parents have information on aftercare? For example, the system restore of a toy which has been collecting data on a child before it is thrown away or passed on for second-hand ownership? |
| Privacy | Personal Data Use
1. What personal data and sensitive personal data is collected? 2. Is this personal data stored locally or transferred elsewhere? 3. Is personal data transferred internationally? 4. What third parties have access to this personal data? Notices and Consent 1. Is a notice provided to the consumer outlining what personal data is collected and why? 2. Can a child clearly understand the notice and identify what will happen to their personal data and to the rights they have? 3. Is consent requested for the collection of personal data? If so, is there also consent on behalf of the child? Your Rights 1. Is there clear information on how to contact the manufacturer for complaints about how personal data has been used? 2. Can a Subject Access Request be made for a copy of data? 3. How can data subject rights be exercised? (Right to erasure, rights to data portability) |
| Technology Security | 1. What data collecting hardware does the device contain (e.g. sensors, cameras, microphones)? What data is collected through these (e.g. photos, videos, location data)?
2. What cybersecurity standards have the manufacturers exhibited? 3. How and where is data stored? What data is stored locally/remotely? How securely is it stored? 4. What remote control functionality is there? 5. What is the contagion risk to other devices in the home? |
Here are some additional resources related to the Internet of Toys security:
- IoT Toys: A New Vector for Cyber Attacks
- German parents told to destroy Cayla dolls over hacking fears
- The Security Issues with Hello Barbie Security
- Are Smart Toys Spying on Children?
- Kid Friendly Alexa
- Retailers have dropped CloudPets from sale in the US & UK
- The ICO’s Age Appropriate Design Code
- Wearable Could Make Children Vulnerable to Cyber Crime
- Cyber Addiction
Cyber Security Leadership 