The joy and generosity we feel at Christmas has an unfortunate downside, with questions about giving tech gadgets and smart toys: is that gift safe?

Connected devices make up a growing part of the Internet of Things (the IoT), and smart toys make up a growing part of that IoT landscape. But any device that connects to the Internet is a two-way street: it opens up the distinct possibility that whether willingly shared, illegally hacked or not, data about the user is vulnerable.

Some of the gifts sold this holiday season can record children’s voices and capture video of them playing. Some collect location information and accumulate user activities and habits in an offsite database, and some even open communication channels with other people or devices outside the home.

According to policymakers, privacy advocates and security experts, there’s a lack of cyber-security standards for such connected devices and smart toys, along with an absence (so far) of serious coordinated efforts to tackle the issue by government, especially here in Canada.

In fact, a recent report from the country’s Standing Committee on Banking, Trade and Commerce serves up a scary scene of the dangers lurking online: its title is cyber assault: it should keep you up at night.

The report states plainly that “…over half of Canadian households have four or more Internet-connected devices, and each of these devices could potentially serve as a target for cyber criminals….”

“The theft of personal information is a violation,” Senator Carolyn Stewart Olsen, Deputy Chair of the committee, warned when the report was released. “Parents become terrified that photos of their children might be used to slake the thirst of online degenerates. People’s credit ratings can be damaged in an instant. You can lock your doors, but the Internet is a gateway for criminals to invade your home.”

Her warnings are dire, direct, but not unfounded: we know the security of many connected devices has already been breached: home security cameras have been compromised, unauthorized people have accessed baby monitors, and used connected toys to communicate directly with children not their own.

 

Naughty or Nice – Toys, Tools and Tips for Data Safety

So organizations dedicated to protecting our – and our children’s – online privacy and information safety continue to express concerns about the amount of data collected by IoT devices and smart toys. Thankfully, privacy organizations have prepared lists of connected devices that cause concern and assembled some helpful tips for parents, shoppers and users of smart devices.

The Electronic Frontier Foundation, which for nearly 30 years has been a leading nonprofit organization defending civil liberties in the digital world, has singled out products that, in its words, are “creeping us out”. For example, smart home monitors from Google and Amazon are on EFF’s “naughty list” because they can and do share user data collected by their products with companies that make so-called third-party apps we install on those devices.

Mozilla, the company that puts out the safety-centric Firefox Web browser, not only put together a list, it did some testing of smart toys and connected gadgets.

Mozilla and its partner cybersecurity researchers looked at connected toys called CloudPets. The research showed that the product’s Bluetooth vulnerabilities demonstrated a year earlier were still there, and that some 800,000 customer passwords and log-in credentials as well as more than two million user messages were unsecured and vulnerable to hacking.

“The company clearly does not care about their users’ security and privacy being violated and makes no effort to respond to well-meaning attack reports, further facilitating and inviting malicious actions against their users,” the researchers wrote at the time.

Mozilla’s current toy list uses different privacy protection criteria to assess which smart toys and connected devices are safe: some products, like Hello Barbie from Mattel (it uses strong encryption and there’s an extensive permissions process when setting up the toy) get a good grade; others get a very poor rating (the baby monitor called Fredi uses a default password of 1,2,3, which does not have to be reset to use the device) while still other products are in the middle somewhere: The Harry Potter Cano Coding Kit (recently reviewed for WhatsYourTech.ca by Christine Persaud) gets a nod for requiring users to change the device’s default password.

 

Third Parties a Top Concern to Privacy Protection

But the kit, which helps kids learn to write code and program other gadgets, loses privacy points for the rather high-level language in its privacy policy and the fact the manufacturer reserves the right to share collected data with third-party companies.

(Speaking of which: as we have reported here before, third-party partners pose a threat to privacy protection because, while many privacy agreements and regulations only cover the relationship between a consumer and a provider, the third-party partner is often not a part of the agreement.

A study of 5,855 of the most popular free children’s apps, conducted last year, found that most of the popular apps that were analyzed were potentially in violation of COPPA, the U.S. Children’s Online Privacy Protection Act, mainly due to their use of third-party SDKs (software development kits are a big part of any mobile application development process).

Nearly 20 per cent of these children’s apps were collecting personally identifiable information, a clear violation of rules which say no such data may be collected, used or disclosed from children who are under 13 years of age without verifiable parental consent.

Then, just as the holiday shopping season was ramping up, the Office of the New York Attorney General announced a record settlement with Oath, formerly known as AOL, for violating COPPA.

“AOL flagrantly violated the law – and children’s privacy – and will now pay the largest-ever penalty under COPPA,” said outgoing Attorney General Barbara Underwood. “My office remains committed to protecting children online and will continue to hold accountable those who violate the law.”

Oath will pay a $4.95 million penalty and it must put in place procedures to prevent “improper tracking” of children on the Internet, the Attorney General added.

Verizon Communications owns Oath, along with AOL, Yahoo and other Internet brands; last year, the company reported revenue of $31.7 billion.)

 

Education, Enforcement, Engineering Needed as Safeguards  

It’s been said that the best protection for our personal data and online privacy is our own education – but are IoT device-makers and marketers really inclined to tell consumers about the privacy and security issues that come along with their product? It’s been the non-profits and consumer advocates doing most of the heavy lifting so far.

And while awareness of privacy risks and how to avoid or reduce them is a good way to keep safe, there are more and more calls to impose cybersecurity standards on connected device manufacturers (and their partners) that can guarantee adequate safeguards are in place before the product hits the market.

By default, any connected device or smart toy should be patchable and upgradable. They should have no known vulnerabilities when released. They should make use of industry-standard protocols, and should never use hard-coded passwords that cannot be updated by the user.

And clearly, any regulations, standards or requirements for personal privacy protection in such devices must have real enforcement muscle behind them. A $5 million fine, as large and significant as it is, barely scratches the surface of a $30-billion+ operation. Here in Canada, the country’s Privacy Commissioner has repeatedly called for more ability to enforce privacy laws and penalize those who break them.

But in the end, perhaps what we really need is some positive engineering, not just on the connected devices but on ourselves as well. Sadly, we have long treated and targeted children as consumers, and now we seem to regard them as data resources as well. That should change.

Society seems all-too-ready to normalize surveillance, as trends on social media, street corners, shopping malls and baby cribs indicate. We are all too prepared to trade privacy for comfort and convenience.

That’s what should keep us up at night.

# # #

Top Tips for Safe Gifts

Don’t buy them. Despite the advertising, marketing and social pressures, no one is legally obligated to buy anything at Christmas! Particularly smart toys or connected gadgets. No matter what time of year, there are purchase and gifting options that do not put personal data at risk.

Limit what data you share. If you do make a tech purchase, remember that in many cases, even if the manufacturer asks for it, you do not have to provide a name, birthdate, eye colour or other data just because you are asked for it. Some sign-up or user profile questions can be skipped altogether. In a worst-case scenario, make up some harmless details that do not reveal your valuable data.

Use strong passwords. Yes, creating and remembering passwords can be a real hassle. But they are important, particularly with kids’ smart toys and connected gadgets; set a strong password when you first set them up. Never let a default password do the trick, and don’t use the same password across multiple gadgets. Think about using a passphrase (using several words) as opposed to a password (several letters).

Talk to your kids. It’s part of the education process, for kids and parents. Talk about – and be a good example of – what to share online and what to keep private. That includes words, pictures, sounds and contacts. Set some family rules about technology use, place, time and frequency. When possible, be a participant in your child’s tech play time so you can learn together what’s safe. There’s a two-way street for you!

-30-