FTC complaint says kid's toys "spy" by recording, storing audio on remote servers

Exterminator

Level 85
Thread author
Verified
Top Poster
Well-known
Oct 23, 2012
12,527
An FTC complaint filed yesterday by four consumer advocacy groups has alleged that Genesis Toys - a popular "smart" toymaker with products on the shelves of Target and Walmart - has created two products with predatory privacy policies which collect and upload audio data to third-party servers without any disclosure as to how the data will be used.

Genesis Toys makes the "My Friend Cayla" and "i-Que Intelligent Robot" toys, which are marketed to children from the ages of 3-12. They're sold as "smart" toys; similar to barebones versions of voice recognition software used by Amazon Echo and Google Home devices, My Friend Cayla and the i-Que Intelligent Robot utilize a Bluetooth connection to a companion smartphone app (available on Google Play and the iOS app store) to parse and analyze children's queries via the internet. They can answer questions, provide historical facts, and play puzzle games with children.

But this software doesn't only serve as a core feature of the toys - it may also serve to provide a secondary channel of profit for Genesis Toys and Nuance Communications (which makes the voice recognition software used in Genesis Toys products).
The complaint, which urges the FTC to take action in investigating numerous alleged violations of federal law, asserts that "Genesis Toys and Nuance Communications unfairly and deceptively collect, use, and disclose audio files of children’s voices without providing adequate notice or obtaining verified parental consent."

The advocacy groups involved - the Center for Digital Democracy, the Consumers Union (which publishes Consumer Reports), the Campaign for a Commercial-Free Childhood, and the Electronic Privacy Information Center - have stressed the severity and potential privacy concerns associated with these popular toys ahead of the holiday season, as they effectively amount to "toys that spy."

"By purpose and design, these toys record and collect the private conversations of young children without any limitations on collection, use, or disclosure of this personal information. The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards. They pose an imminent and immediate threat to the safety and security of children in the United States."

The complaint alleges many concerns:
  • The Terms of Service for both toys is intentionally deceptive, accessible only on a smartphone or tablet in "extremely small font."
  • The companion app requires permissions to access hardware, storage, microphone, Wi-Fi connections, and Bluetooth on users' devices, but "fails to disclose to the user the significance of obtaining this permission [sic]. The i-Que companion application also requests access to the device camera, which is not necessary to the toy’s functions and is not explained or justified."
  • The toys are both pre-programmed with dozens of product placement references to Disney movies, parks, and products.
  • Both devices collect and upload packets of information to servers maintained by Nuance, which researchers suggest are sound files (as indicated by the size of the data uploaded).
  • Terms of Service indicate that the companion app may "collect and use the contact names that appear in your address book as part of the Services" to "enhance and improve speech recognition" as well as for targeted advertising.
Data uploaded from the toys to remote servers - which almost certainly includes snippets of recorded audio - may be stored indefinitely, and is further complicated by the privacy policy of Nuance, which is identified as hosting the servers which the data is being uploaded to:

“We may use the information that we collect for our internal purposes to develop, tune, enhance, and improve our products and services, and for advertising and marketing consistent with this Privacy Policy.”

Nuance is among the largest data services and software corporations in the world, and provides services to Apple's Siri and OS X voice recognition programs. It owns Swype and Equitrac, and holds a number of contracts with government and law enforcement agencies for use of its voice recognition services.

It is unclear whether these toys will remain on store shelves during the upcoming holiday season, or if retailers will face pressure from consumers and media to pull the products.

Source: EPIC via Consumerist
Is nothing sacred anymore :mad:
 

tim one

Level 21
Verified
Honorary Member
Top Poster
Malware Hunter
Jul 31, 2014
1,086
In this case audio data, and this is shameful!! But what will be the next move ?? Video data via toy's webcam ??!! Disturbing. :eek:
They must be stopped.:mad:
 
  • Like
Reactions: frogboy

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top