More warnings about the Internet of Toys

On Monday the Financial Times carried a report of a new warning from the FBI about the dangers to children and young people arising from

Smart toys made by a slew of companies …increasingly incorporating technologies that learn and tailor their behaviours based on user interactions…

These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.

Information such as the child’s name, school, likes and dislikes, and activities may be disclosed through normal conversation with the toy or in the surrounding environment.

The collection of a child’s personal information combined with a toy’s ability to connect to the Internet or other devices raises concerns for privacy and physical safety. Perhaps even more worrisome to parents, the potential misuse of sensitive data such as GPS location information, visual identifiers from pictures or videos, and known interests to garner trust from a child could present exploitation risks.

The answer to this and our call has to be Safety by Design, Security by Default (SDSD). A neat strapline, but how do we transform it into a concrete reality?

The FBI say:

Parents should examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services.

That sounds remarkably like the advice we get on everything. It is good advice but not good enough. Consumers, parents, and children need an interlocutor to act on their behalf to ensure that appropriate standards are in fact being met without requiring anyone to get out a magnifying glass to read the small print.

I am sure the big toy brands will be thinking about this very deeply. The risk, as ever, is that a small fly-by-night outfit – invoking the name of the god of innovation – will rush to bring something to market, make a ton of money in a very short space of time thanks to clever marketing, then something dreadful happens because they haven’t paid enough attention to the security features. A child or children are seriously hurt and the whole market in connected toys takes a major hit. Maybe the well is poisoned for a very long time. We’ve already been perilously close to such a scenario.

There is an EU Directive on Toys from 2009 and it does include references to computers, games consoles and the like but as far as I could see it does not mention the internet or privacy. Maybe this needs updating, or perhaps the GDPR provides a sufficient legal basis. Either way there also needs to be a link to something like the CE marking regime so that parents and children have a ready way of knowing that what they may be about to buy or use meets certain basic standards.