Connected Toys: What Device Documentation Explains about Privacy and Security

PETRAS has produced a white paper to investigate the amount of safety and privacy information that is publicly available about Internet connect devices that are targeted at children.

Key publication: ‘Connected Toys: What Device Documentation Explains about Privacy and Security’ [open access] white paper (2020)

The report has analysed the documentation and advertisements related to 15 prominently marketed devices for children. The report tries to determine how easy it is for the purchasers of the device to understand whether devices connect to the Internet, and if so, what security and privacy implications it has for carers and for the children themselves.

Sarah Turner, author of the report, recommends that as smart toy technology remains relatively new, parents should think about what they’re buying and why. “If it’s not clear from the product’s website what data is needed to make the toy functional, carry out a quick web search to see if there have been any past security issues or data breaches, and what the response from the manufacturer has been. Do you feel comfortable with it? If it’s not clear what the technology adds, are there non-Internet connected toys that do that same thing?” she said.

The investigation finds that it is hard to determine the nature of technology within any given device. Where devices do connect to the Internet, no information is provided to users regarding privacy and security best practices, and how functional the device is without connection to the Internet.

Similarly, there is limited explanation of the personal data that must be provided to make the device run as intended, and also of how to delete this information once the device is no longer in use. Children’s personal data has been poorly stored in the past; the lack of adherence to codes of conduct to explain the security measures adhered to means it is hard to be sure of the security of devices brought into the home for children to play with. In fact, requirements of the General Data Protection Regulation (GDPR – EU) and the Children’s Online Privacy Protection Act (COPPA – US) paradoxically seem to have created a series of products where, in order to meet the requirements of the law, the privacy of the child is often reduced. This may be an appropriate trade off, in order to secure children from the darkest issues that stolen personal information can create. However, there is little guarantee that impeding this privacy will lead to better outcomes.

The report comes up with a number of considerations for carers who have children with connected devices, and recommendations for device manufacturers, to promote a more informed purchasing process, and a less risky environment for children’s play and development.

“When you get the device – if at all possible, do not use your child’s real name, date of birth or other details. If there is a password, change it to a strong, unique one,” recommends Sarah Turner. “Spend some time understanding what the toy does, and then make sure your child knows how to enjoy it in ways your entire household is happy with. Figure out how to delete all the data you have provided to the toy, including your account information so that, when you decide to donate, give away or throw away the toy, you know exactly how to remove it so that you cannot be identified by future users.”