If you’re thinking about putting the My Friend Cayla doll under the Christmas tree this year, you may want to think twice. That’s according to the French data privacy regulator CNIL (Commission nationale de l’informatique et des libertés), which has issued a formal notice to the developer of the interactive doll, Genesis Toys.
My Friend Cayla does what a lot of ‘Internet of Things’ (IoT) enabled dolls do these days: it connects to the Internet for a more interactive experience. Basically, a kid asks the doll a question – anything from maths to the weather – and the doll uses Bluetooth to connect to a nearby tablet or smartphone running either the My Friend Cayla or I-Que app. The app in turn connects to the web and fetches the answer, which is then fed back to the doll, which duly announces it through its inbuilt speaker.
That’s a pretty standard setup for these sorts of toys. While it allows a toy to answer an almost unlimited number of questions, it also exposes kids to the uncertainties and dangers of cyberspace. And if there is one lesson we’ve learned over the years, it’s that IoT toy manufacturers are really terrible at protecting their users’ privacy and security. Users who – incidentally – are usually children.
And that was the determination of France’s CNIL recently, which found the My Friend Cayla doll too prone to eavesdropping by unauthorised parties to be deemed safe. A CNIL investigation revealed that anyone with a Bluetooth device could connect their phone to the doll provided they were within around 9 metres of it, including from outside the building, and eavesdrop on conversations between the child and the doll.
Unlike other Bluetooth enabled toys, the My Friend Cayla doll required neither a PIN nor the pressing of a button on the doll before an unauthorised phone could pair itself with it. Not only does this mean strangers could eavesdrop on conversations, but with the right software, strangers could even send messages to anyone using the doll.
CNIL have said the toys were in breach of Article 1 of the French Data Protection Act, which provides that technology “shall not violate human identity, human rights, privacy, or individual or public liberties”.
It isn’t just in France where issues with the toy have come to light. It’s banned from sale in Germany because of the data it transmits, and in the US it has been the subject of several complaints to the FTC. Cayla is also listed in this year’s annual Trouble in Toyland report from the US Public Interest Research Group.
While Internet enabled toys like these may be great fun, it’s always worth remembering that they come with privacy and security risks. Toy manufacturers are keen to get their latest gadgets out there, but in the process the key issue of security is often overlooked. This is just the latest in a long list of privacy faux pas within the toy industry – an industry often struggling to keep on top of even basic security measures to ensure its customers’ safety.
Whether Genesis Toys will release an update to improve the security of the doll remains to be seen.