Internet of Things (IoT) or Toys (IoToys) - An overview

  • Awareness
  • 15/01/2018
  • Portuguese Safer Internet Centre

Following work that Pedro Gonçalves, International Relations at Portugal Telecom has done in cooperation with the Portuguese Safer Internet Centre (SIC), the SIC invited him to share an overview regarding the potential but also the risks regarding the Internet of Things (IoT) and the Internet of Toys (IoToys), with the ultimate aim of answering a final question: Is the Internet of Things/Toys also an Internet of Threats? 

Internet of Things (IoT) and Internet of Toys (IoToys) – is it also an Internet of Threats?
We live in a connected world where people spend more and more time online, through multiple screens and devices. The internet today is an inescapable reality, an endless source of information, a powerful tool for communicating, for education and for work, and also for entertainment. Children "lead" that global trend and are increasingly becoming "connected beings".

IoT is changing our live and it's expected to bring a whole new set of benefits, such as additional free and quality time, comfort, health, sustainable and economic gains, and new development opportunities. But it also brings new risks and challenges, in particular those related to privacy and safety.

Connected devices still present failures and may be vulnerable to hackers, and connected toys are no exception. There are examples of toys in the market that are spying on people, leaking personal data on the web and exposing kids to hidden advertising.

As for other aspects of internet and ICT responsible use, the main advice to parents and carers would be to be attentive, to get informed about what kids are using, how devices work and connect to the web, and what kind of information needs to be disclosed.

It's paramount that parents are part of the game and actively accompany children's digital and online development.

IoT and IoToys, what's that?
IoT is a technological concept in which the objects of daily life are equipped with electronic components, software and sensors and are connected to the internet and to each other. These objects act in an intelligent and sensorial way, and collect and transmit data.

IoToys is an emergent market within IoT ecosystem. Simplistically, it includes a set of interactive software-enabled toys, which are equipped with sensors and connected to online platforms.

The FOSI & FPF white paper on Kids and the Connected Home: Privacy in the Age of Connected Dolls, Talking Dinosaurs, and Battling Robots (December 2006) explores the landscape of toys including how toys connect to online platforms and servers (Bluetooth, 3/4G, WiFi) and the variety of types of connected toys by classifying them according to their "smartness" and connectivity (smart toys, connected toys and smart connected toys) and to their design and nature of interaction (toys to life, robotics, wearables, learning development toys).

Smart Toys are those interactive and educational toys that include electronic components (microprocessors), controlled by software and enabling interactivity with the user. Since data is not sent remotely, their privacy and security implications are more limited. Some early examples include Tamagotchi (1996) and Furby (1997).

Connected toys are those designed to connect to the internet and to remote servers that collect data and "power" the toy's intelligence. These toys may be equipped with voice-recognition technologies and typically use sophisticated sensor-based technologies to collect information and cloud platforms to process and interact with the user.

A toy can be smart but not connected (Talk-to-me Mickey) and a connected toy can be either smart (Hello Barbie, Dino) or not smart (SelfieMic, Grush).

The fact is that millions of objects, whether they are wearable (watches, bracelets, glasses), vehicles, appliances (refrigerators, washing machines…) or toys, join the "traditional" devices (PCs, tablets and smart phones), exponentially increasing people's exposure to the benefits of technology and of the internet, but also, and inevitably, to its risks.

According to Gartner Inc., in 2017 there are already 8.4 billion "things" connected to the internet and that number will rise to 20.4 billion by 2020. Juniper's research forecast that 224 million smart toys were to be shipped worldwide in 2017.

IoT and IoToys are trendy. Why is it an issue?
In January 2016, Dr Jutta Croll presented the study Let's Play it Safe; Children and Youth in the Digital World - assessment of the emerging trends and evolutions in ICT services which she undertook in 2015 for the ICT Coalition for Children Online: one of the three major ICT trends is precisely the "increase of use of smart devices and IoT by children", the other two being the "live streaming of audiovisual content" and "children starting earlier and earlier to use internet regularly" (1-6 years old). The paper considered two categories of smart devices: "familiar devices", such as smart and portable devices, smart TV, streaming apps and "smart devices targeted directly at children", like interactive and educational toys, dolls and others. The study noted that "often parents and children are not aware that a toy connects to the internet" and indicated some major risks stemming from the use of these devices: safety and privacy implications, as connected devices allow the capturing of data on children's activities, behaviour patterns and private and personal data (that children may involuntary disclose), and also the exposure to unwanted advertisements.

What are the main risks we are talking about?
They are certainly those related to privacy and security! The toys may capture and transmit images, sounds and other personal data, which might be processed, accessed, stored and shared dangerously.

Let's imagine that a stranger is able to talk to our kids through a toy (a doll, for example). And also, that our son's conversations with that toy may be recorded and sent to a company which can do whatever it wants with the recordings. For example, they can use them for commercial purposes, by sending unwanted, usually "negative", targeted, advertisements.

What about toys being accessed by pirates, potential predators, who are eager to get personal information from the child, about his habits, likes and even family? Or by a guy that "simply" wants to mock the kid, by saying bad things to him or by making the toy act strangely? Indeed, a toy might be an excellent source of information and means of interaction for bad people and thieves.

And also, what if personal data is leaked on the internet?

Unfortunately, all these "wonderings" derive from real cases. For instance, My Friend Cayla and i-Que robot (from Genesis Industries) have been on the spot after the detection of several security breaches.

The Norwegian Consumer Council reviewed these two toys and found four serious issues:

  • Lack of security - anyone with an internet/a Bluetooth enabled smartphone may well access the toy's microphone and speaker and thus spy and/or talk to the child! Apparently, this could have been avoided if there was a pairing button on the devices.
  • Illegal user terms - before using the toy, users must consent to the terms being changed without notice, that personal data can be used for targeted advertising, and that information may be shared with unnamed third parties.
  • Kids' secrets are shared - another serious issue is the sharing of children's secrets with Nuance Communications, an American company specialised in speech recognition technologies that reserves the right to share that information with third parties and to use it for a wide variety of purposes.
  • Finally, the kids are subject to hidden marketing. According to the technical people who tested Cayla, the doll promotes unhealthy food to children in a covert way. It refers to products such as Pringles, M&M's and Skittles, or Cheerios cereals in a favourable and encouraging way. For example, Cayla says that M&M's "have such beautiful colours" and that the Pringles are "delicious". It even claims that drinking water "is boring". The doll is also pre-programmed with some phrases that refer to Disney products.

Besides these already concerning examples of toy fails, there are also cases of user's data leakage. For example, the Hello Kitty (Sunrio) database was found available on the internet, compromising 3.3 million users, VTech's Learning Lodge also had a security fail affecting 6.4 million children and CloudPets (Spiral Toys) account information of 800,000 users and 2 million voice recordings was leaked on the internet.

International alerts and legal actions
Following its findings, in November 2016 the Norwegian Consumer Council launched the #toyfail campaign to raise awareness of Cayla and i-Que. There were reactions by BEUC, the European Consumer's Association, which issued letters to the European Commission, the EU network of national data protection authorities and the International Consumer Protection and Enforcement Network (ICPEN), and also in some European countries, such as Germany and France. The German Regulator, Bundesnetzagentur, banned Cayla from the market. It also warned parents that the possession of such doll is illegal and recommended its "destruction". More recently, already in December 2017, the French Data Protection Authority (CNIL) notified Genesis Industries to make its toys "safe" and to comply with the French law, within two months.

There were also legal actions in the USA and information requests. THE FBI even issued a Consumer Notice on Internet-Connected Toys which "could present privacy and contact concerns for children".

So, should IoToys be a "taboo"?
I don't think so. Like the internet itself, connected toys are here to stay and they should be seen as mainly positive and beneficial for children's development. We shouldn't stop innovation and the new opportunities it brings; on the contrary, we should adapt, learn, join forces and keep innovating in order to make connected toys better and safer.

Yes, there are also benefits and opportunities!
In February 2017, EC JRC published the report Kaleidoscope on the Internet of Toys - Safety, security, privacy and societal insights. This report explores topics from a societal perspective. It questions the changes and challenges emerging from the new ways of play and of being connected, and suggests possible ways ahead, including a more in-depth study and collaboration between stakeholders to minimise issues and make IoToys safer and more beneficial for children.

The study refers to IoToys risks and opportunities as per recent public discussions: besides the risks already referred to associated to privacy and security, connected toys raise health issues related to the increase of exposition to electromagnetic fields and overuse, and also societal issues connected to changes of nature of relationships and entertainment (possible lack of real "authentic" play and lack of parent-child interaction). The paper also suggests that implications of robotisation and datafication of children, and of "normalisation" of surveillance, are not totally known.

But fortunately, IoToys opportunities and benefits are visible in various fields, including education/teaching (is engaging, can teach code and languages), entertainment (fun, exciting, encourages more social play, fosters collaborative play) and diagnosis/monitoring (identifying learning difficulties, medical issues).

How to unleash IoToys potential?
Stakeholders like industry, policy makers, academia and civil society must continue to work together to expand the knowledge around IoToys, its risks and its opportunities, in order to actively promote the production of better designed and safer products, and a safer and more responsible usage. 

Tips for parents
Parents should know what's at stake and should be part of it. Understanding IoToys' benefits and risks is half way towards a better experience. Before buying a new toy, parents must know what kind of toy it is, what are its functions and characteristics (why is it good, is it appropriate to the kids age, is it educational?), how it interacts with the kid and others, if and how it connects to the internet, and what kind of personal data it requires to work. Information is "power" and leads to better judgment and decisions.

As for other ICT services and products, there are some "basics" one should follow in order to improve safety. More specifically, parents are encouraged to:

  • Change the username and password immediately after purchase and then change the password on a regular basis.
  • Chose a strong password (containing capital letters, symbols and numbers) or a PIN.
  • Turn the toy off when not in use.
  • Connect to a safe network (WiFi with password or VPN).
  • Provide only strictly-needed personal information; if possible use some imaginary information. 

GDPR – A crucial change in children's privacy policy
The new General Data Protection Regulation (GDPR), coming into force in May 2018, will certainly improve safety and user privacy, and represents a decisive change in children's privacy policy. For the first time, a European legal instrument recognises that children deserve specific protection of their personal data.

Relevant provisions include:

  • Mandatory parental (or guardian) consent for data processing of minors between the ages of 16 and 13 (depending on national laws, still being defined).
  • Obligation for companies that process data to provide information in a transparent and child-friendly manner.
  • Data Protection Authorities have the duty to develop activities to raise public awareness of these issues among children (risks, rules, safeguards, rights...).
  • The Regulation supports the development of Industry Codes of Conduct (on implementation of transparency and on obtaining parental consent).
  • It emphasises that the right to erase personal data ("right to be forgotten") may be particularly relevant if the data has been processed based on a children's consent.

This new approach to children's privacy will be crucial, but won't be enough to make internet- and connected-toys totally risk free. Even after industry complies with it, dangerous data processing and hacker attacks are still possibilities.

Let's keep in mind: promoting child safety is a combined effort where every stakeholder plays an important role and where information and awareness are of utmost importance.

As for parents, please, take the driving seat in this challenge!

Find out more about the work of the Portuguese Safer Internet Centre (SIC), including its awareness raising, helpline, hotline and youth participation services.

Related news

New report examines the impact of the Internet of Toys

The Internet of Toys (IoToys) is part of the growing world of the Internet of Things (IoT). While certain internet-connected toys are part of some children's daily lives (such as toys-to-life which connect to video games), they are yet to become an everyday experience for most young children. Nonetheless, the diffusion of internet-connected toys is expected to grow significantly in the next few years.