While interactive, connected toys may be attractive to children, they possess the same security and privacy vulnerabilities as any other internet of things device. Learn about the different security approaches two ASU researchers take with their own kids.
Banner illustration by Changwha Kyung.
By Pete Zrioka
Aug. 20, 2019
Just as it’s increasingly common to find a smart home assistant on a countertop or an internet-connected camera at the front door, smart toys are also becoming ubiquitous in the playroom. But along with all the entertaining and interactive features come the same security and privacy concerns.
“Kids can’t make these decisions for themselves,” says Jamie Winterton, director of strategy at ASU’s Global Security Initiative. “They don’t have a good sense of what personal information is and what it’s going to mean for them in the world that’s coming.”
With more and more interactive, connected toys coming to market, parents need to be especially vigilant about what kind of information these devices ask from children. For instance, many smart toys collect personal information in service of a customized experience.
“How delightful does your child find it when a device knows the name of their teddy bear and their dog and their best friend? But it’s all very personal information that is not necessarily being protected by toy manufacturers,” says Winterton.
In 2015, a security researcher discovered that millions of user profiles were easily accessible on the website of interactive toy company VTech. These accessed profiles, which contained photos, email address, names of parents and children, and chat logs, weren’t encrypted. As a result, VTech was fined by the FTC.
Formulating a “secret identity” for every device and internet account has become second nature for Winterton’s children. Before a new toy or device has even come out of the box, there’s a new name, birthday and personal details created for it.
“We started out by talking about why personal information is important,” says Winterton. “What could someone do with it? Does it feel right to share? Would you walk up to a stranger on the street and tell them your name and birthday? We talk a lot about physical safety with kids, and I think there are a lot of analogies with internet safety we can make to help them understand why it’s important.”
GSI Director Nadya Bliss is wary of the implications carried with smart, personalized toys. Toys that come equipped with microphones and speakers to talk to children are of particular concern.
“This essentially tells me, something in your child’s bedroom is recording your child and sending information back to a server, doing some analysis and responding,” says Bliss, a computer scientist and a professor of practice in the School of Computing, Informatics, and Decision Systems Engineering. “That creates all kinds of weird questions. For example: Who is listening to your child? Who can tap into that info and learn about your child? Also, if your child says they’re being hurt, is there a legal responsibility to report abuse?”
Bliss isn’t the only one troubled by the implications of smart toys. In 2017, the FBI released a consumer notice outlining privacy concerns surrounding toys with “sensors, microphones, cameras, data storage components, and other multimedia capabilities.”
Bliss is also focused on ensuring her daughter feels empowered down the line.
“I want her to have some control over her own digital footprint,” she says. “Right now, you can see the entire lives of some kids on the internet. By the time they get to the point where they can make their own decisions, they might not want that."