Connected toys are internet-enabled devices with Wi-Fi, Bluetooth, or other capabilities built in. These toys, which may or may not be smart toys, provide a more personalized play experience for children through embedded software that can offer app integration, speech and/or image recognition, RFID functionality, and web searching functions. [1] A connected toy usually collects information about its users either voluntarily or involuntarily, [2] which raises privacy concerns. The data collected by connected toys are usually stored in a database, where the companies that produce the toys can use the data for their own purposes, provided they do so in line with the protections outlined in the Children's Online Privacy Protection Act (COPPA).
Different information can be collected by children's connected toys, including information from both parents and children.
Information that can be collected from children includes: [3]
Information that can be collected from parents includes: [3]
The collection of information by the connected toys can happen either voluntarily or involuntarily. Common ways of information collection include: [4]
Previous data breaches have raised concerns that children's information is not secured properly. Information collected by the toy companies is usually accessible by the public, with little encryption on the system, due to a lack of awareness of information privacy. [2]
Connected toys have been at the center of several high-profile data breaches, which have raised concerns over the methods that toy companies use to protect children's information.
In 2017, CloudPets toys by the company Spiral Toys experienced a significant data leak from its database. CloudPets stores all the information collected from the stuffed toys in an online database. According to cybersecurity expert Troy Hunt, more than 820,000 user accounts were exposed and over 2.2 million voice messages, from both children and parents, were leaked during the severe CloudPets data breach. The leak was caused by the insecure database that Spiral Toys used to store the collected information. The database was easily accessible by the general public before the data leak happened. [5]
Although the database is not publicly accessible anymore, Spiral Toys have not informed their users regarding the data leak, which is a violation of the security breach notification law in California. [6]
In November 2015, VTech suffered a severe data breach of its information storage system. The hacker used SQL injection, which is “an injection attack wherein an attacker can execute malicious SQL statements (also commonly referred to as a malicious payload) that control a web application’s database server (also commonly referred to as a Relational Database Management System – RDBMS),” to gain full authorization to the database, where he could access children's and parents' personal data. [3] [7]
According to VTech's public data release, around 4.8 million parent accounts and approximately 6.4 million children-related profiles were leaked worldwide in several of their products. Data that were compromised during the breach included name, email address, password, secret question and answer for password retrieval, IP address, mailing address and download history; no credit card information or social security numbers were stored in the same database. [8] The United States suffered the most due to the data breach, with 2.2 million parent accounts and 2.9 million children profiles registered in the United States, followed by France, United Kingdom, and Germany. A 21-year-old man from Berkshire was arrested for the hack. [9]
Data sharing between toy producers and other companies has raised concern over the privacy of personal data collected by connected toys. Conversations and interactions between children and the toys are usually recorded by the toys and sent to the cloud server of the toy producer. [1]
Genesis Toys, the company that produced My Friend Cayla and i-Que Intelligent Bot, shares the voice data collected by the toys with Nuance Communications in order to improve Nuance's speech recognition technology. Nuance Communications has a record of selling biometric solutions to military, intelligence, and law enforcement agencies, which has been raised as a privacy issue regarding connected toys. [10]
Similarly, Hello Barbie produced by Mattel, Inc. uses voice recognition technologies provided by ToyTalk based in California. The data collected by Hello Barbie are actively shared between Mattel and ToyTalk. [1]
Retention of the information collected by connected toys is also a problem to consider. According to the Children's Online Privacy Protection Act, "an operator of a Web site or online service shall retain personal information collected online from a child for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The operator must delete such information using reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion." [11]
The Norwegian Consumer Council investigated the terms of use and privacy policies of My Friend Cayla and i-Que Intelligent Bot in 2016. It found that the privacy policies do not specifically mention how long the data will be retained after users stop using the service or delete their account. [1] Specifically, My Friend Cayla's privacy policy mentions that "it is not always possible to completely remove or delete all of your information from our databases without some residual data because of backups and other reasons." [12]
In early 2017, Germany's Federal Network Agency, Bundesnetzagentur, placed a ban on the sale and possession of the connected toy My Friend Cayla produced by Genesis Toys, claiming the toy to be an unsafe and unauthorized information transmission device. My Friend Cayla is the first connected toy to be banned by Germany. [13] The agency further states that any toy that transmits data without detection, including through features such as video and voice recording, is banned in Germany. It is concerned about the potential use of the toy as a surveillance device. The president of Bundesnetzagentur, Jochen Homann, states that "items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people's privacy. This applies in particular to children's toys. The Cayla doll has been banned in Germany. This is also to protect the most vulnerable in our society." [14]
The agency is conducting further investigations into other connected toys. [14] No action has been taken against the families that have the toy. The Federal Network Agency advised parents to immediately destroy the toy to avoid the potential risk of compromising personal data privacy. [13]
Federal laws that are commonly associated with connected toys include the Children's Online Privacy Protection Act (COPPA) and section 5 of the Federal Trade Commission Act. Both acts are enforced by the Federal Trade Commission regarding the data collection of children's personal information. [3]
Toys that are able to connect to the internet in various ways are subject to regulation under the Children's Online Privacy Protection Act (COPPA). COPPA gives parents control over what information is collected from their children online. Websites are required to ask for verifiable permission from parents before receiving any personal information online from children under the age of 13. [15] If the data is transferred to a third party, the third party is required to follow the same steps to protect the data. [16] Violations of COPPA are subject to civil penalties of up to $40,654 per incident. [15]
Concerns have been raised regarding COPPA protection for connected toys, as toys that are bought in retail stores are not directly subject to the legal protection of COPPA.
Other concerns relate to connected toy companies' compliance with COPPA. The Electronic Privacy Information Center, the Campaign for a Commercial-Free Childhood, the Center for Digital Democracy, and Consumers Union submitted a complaint to the Federal Trade Commission regarding how My Friend Cayla and i-Que Intelligent Bot, produced by Genesis Toys, have violated COPPA. The complaint mentioned the data sharing between Genesis Toys and Nuance Communications. In addition, it raised the concern that Nuance Communications does not directly mention compliance with COPPA. [10]