Don’t give kids holiday gifts that can spy on them, advises Ashley Boyd, vice president for advocacy at the Mozilla Foundation. The idea, she writes in The New York Times, is “…to keep seemingly innocuous Internet-connected devices that may compromise our privacy and security out of our home and especially out of our children’s hands.”
She notes that she is not opposed to connected devices, but in many cases—salt shakers, soccer balls, and rubber ducks—the connectivity seems to have been tacked on as an afterthought. Such products can, she writes, “…bring the worst parts of the web more intimately into our lives: hacking, surveillance, harassment.”
In fact, reports Rebecca Smithers in The Guardian, consumer groups have found flaws in Bluetooth- and Wi-Fi-enabled toys that would let hackers talk to children. Researchers found security flaws in four of seven toys tested. “With each of these toys, the Bluetooth connection had not been secured, meaning the researcher did not need a password, pin, or any other authentication to gain access,” Smithers writes. “Little technical knowhow was needed to hack into the toys to start sharing messages with a child.”
The situation is of such concern that, reports Soraya Sarhaddi Nelson at NPR, Germany has banned an American-made interactive doll called My Friend Cayla. “A proud young owner declares, ‘My Friend Cayla knows a million things.’ German authorities say that’s the problem,” she says. “The Federal Network Agency, which oversees German telecommunications, determined the doll is vulnerable to hacking and that it violates the country’s strict electronic privacy law. That’s because it secretly collects and transmits everything it hears, in this case to a voice-recognition company in the U.S.”
However, warns Boyd at Mozilla, “In the United States in particular, we don’t have very many rules or regulations defending consumers’ online privacy.” She expects that eventually, building privacy and security into connected devices will be as common as equipping cars with seatbelts. She credits the Electronic Frontier Foundation with providing cybersecurity training. See also my article “Initiatives aim to thwart hackers as IoT proliferates.”
Meanwhile, advises Boyd, avoid products where the risk of connectivity outweighs its value. For example, she asks, “Does your elementary school student really need a toothbrush with location tracking?” Unfortunately for German kids, connectivity is a big part of the value proposition for Cayla. When Nelson asks Olaf Peter Eul, a spokesman for the German watchdog agency, whether removing connectivity would make Cayla boring, he responds, “Yeah, we are not glad about this fact. But it is for the protection of the children themselves….”
If connectivity’s benefits outweigh its risks, Boyd advises due diligence. Determine what data is collected, where it is stored, and whether it is encrypted. Also ask whether a product can be updated to fix security vulnerabilities. If you buy a product that requires an account, create a unique password and enable two-factor authentication. Disable location tracking if it isn’t essential. And turn off products when not in use.
Finally, you can consult Mozilla’s holiday shopping guide.
