On 17 February 2017, Germany banned both the sale and ownership of an interactive doll made by the U.S. company Genesis Toys called My Friend Cayla, alleging that it contains a “concealed surveillance device” that violates federal privacy regulations.

The doll is equipped with a microphone and uses a Bluetooth app to connect to the Internet, enabling it to converse and answer questions by exchanging data with a third-party voice recognition software company.

Germany’s Bundesnetzagentur (Federal Network Agency) announced the ban in a press release:

The Bundesnetzagentur has taken action against unauthorized wireless transmitting equipment in a children’s toy and has already removed products from the market.

Items that conceal cameras or microphones and that are capable of transmitting a signal, and therefore can transmit data without detection, compromise people’s privacy. This applies in particular to children’s toys. The Cayla doll has been banned in Germany, says Jochen Homann, Bundesnetzagentur President. This is also to protect the most vulnerable in our society.

Concealed surveillance device

Any toy that is capable of transmitting signals and that can be used to record images or sound without detection is banned in Germany. The first toys of this type have already been taken off the German market at the instigation of the Bundesnetzagentur and in cooperation with distributors.

There is a particular danger in toys being used as surveillance devices: Anything the child says or other people’s conversations can be recorded and transmitted without the parents’ knowledge. A company could also use the toy to advertise directly to the child or the parents. Moreover, if the manufacturer has not adequately protected the wireless connection (such as Bluetooth), the toy can be used by anyone in the vicinity to listen in on conversations undetected.

In addition to removing My Friend Cayla from store shelves, the agency urged parents who already purchased the product to “take it upon themselves to make sure the doll does not pose a risk,” presumably by discarding or destroying it.

Although it’s arguably a bit of a stretch to characterize the doll as a “surveillance” or “espionage” device, Germany is not alone in raising privacy and security concerns about it. A complaint filed with the U.S. Federal Trade Commission (FTC) by the Electronic Privacy Information Center (EPIC) and three other consumer groups alleges that My Friend Cayla and a so-called “intelligent robot” manufactured by Genesis Toys named i-Que violate consumer protection laws and “subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards”:

As set forth in detail below, certain business practices by toy manufacturer Genesis Toys and speech recognition technology provider Nuance Communications violate both specific children’s privacy and general consumer protections in the United States. Both Genesis Toys and Nuance Communications unfairly and deceptively collect, use, and disclose audio files of children’s voices without providing adequate notice or obtaining verified parental consent in violation of the Children’s Online Privacy Protection Act (“COPPA”), the COPPA Rule, and Section 5 of the Federal Trade Commission Act.

What info is collected and how is it used?

COPPA requires that companies who collect personal information from children must provide “direct notice” of what is collected and how it is used, as well as obtain “verifiable consent” from the parents before collecting it.

Albeit not to the satisfaction of the petitioners above, Genesis Toys’ Privacy Policy does disclose some details about what information is collected and how it is used. In addition to logging IP addresses, e-mail addresses, and product registration data (including the date of birth of the user), the company uses a downloadable app to record and transmit interactions between the doll and its user:

The App provides users with voice-to-text and text-to-voice technology to enhance the play experience of Cayla. Once you have downloaded the App, you can start interacting with Cayla by asking Cayla questions. Cayla connects to the App using Bluetooth technology and then voice recognition technology converts the questions asked by a person to Cayla into text. This text string is used by the App to retrieve answers to the questions asked using the following pre-approved as Internet sources: Google Search, Wikipedia and Weather Underground (www.wunderground.com) (collectively known as the “Internet Sources”). When you ask the App a question, this information request is stored on a Nuance Communication (for Apple-based users) or Google (for Android/Google based users) server in the cloud. Cayla and its technology functions are equipped with filters to prevent the display, speech and recognition of words that would be considered offensive and inappropriate for children. Cayla is programmed to not utter, display or say words or images that would be inappropriate for children to see or hear. To better understand the privacy policy of our partners, please read their privacy policy statements for Apple and Android users.

The Cayla companion app also prompts children to share their parents’ names, what schools they go to, and where they live, according to the FTC complaint.

The company says they do the following with the information collected:

We use the information collected about and from you for a variety of business purposes, including for example, to:

  • respond to your questions and requests;

  • provide you with access to certain functions and features of the Services;

  • verify your identity and seek your consent;

  • communicate with you about your account and activities using the Services;

  • communicate changes to any of our policies or Services;

  • improve our Services;

  • to provide you with the most user-friendly navigation experience

  • for internal business purposes (including calculating statistics); process applications and transactions;

  • to meet our legal and regulatory obligations and protect our legitimate interests;

  • to carry out research and analysis, training and quality assurance;

  • if you agree, to contact you about other services and products that we think may be of interest to you; and

  • for any other purposes which we clearly explain to you at the time you provide your personal information or to which you otherwise consent.

The FTC petitioners found the Privacy Policy of Nuance Communications, the third-party voice recognition software company, especially concerning, inasmuch as it contains no specific references to COPPA and, indeed, specifies that their consumer products “are not directed at children.” Moreover, the policy stipulates that the company’s products “collect and process the speech data you input into the Nuance products,” continuing:

Nuance or third parties acting under the direction of Nuance, pursuant to confidentiality agreements, use the Speech Data to develop, tune, enhance, and improve Nuance services and products. Nuance will not use the contents of any Speech Data provided to us through your use of Nuance Products for any purpose except as set forth above. “Speech Data” means the audio files, associated text and transcriptions and log files provided by you hereunder or generated in connection with Nuance Products. Speech Data may include Personal Information.

Noting that “Nuance services and products include voice biometric solutions sold to military, intelligence, and law enforcement agencies,” the petitioners argued that this creates a “substantial risk of harm”:

The use of children’s voice and text information to enhance products and services sold to military, intelligence, and law enforcement agencies creates a substantial risk of harm because children may be unfairly targeted by these organizations if their voices are inaccurately matched to recordings obtained by these organizations.

In a statement dated 16 December 2016, Nuance Communications responded to these concerns as follows:

Nuance takes data privacy seriously.  With that in mind, we would like to share a handful of important points with our customers, investors, media and our employees.

  • We have not received an inquiry from the FTC or any other privacy authority regarding this matter, but will respond appropriately to any official inquiry we may receive;
  • Our policy is that we don’t use or sell voice data for marketing or advertising purposes;
  • Upon learning of the consumer advocacy groups’ concerns through media, we validated that we have adhered to our policy with respect to the voice data collected through the toys referred to in the complaint; and,
  • Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers.

We have made and will continue to make data privacy a priority.

In December 2016, the FTC confirmed to WPEC that there was an open investigation concerning the compliance of so-called “smart toys” with COPPA regulations.

Susceptible to hacking?

The My Friend Cayla and i-Que dolls access the Internet and transfer data via a Bluetooth connection with a smartphone. The FTC complaint notes that unlike many other devices with Bluetooth capabilities, the dolls do not require an authentication procedure (such as entering a code or pressing physical buttons on both devices) to pair with a phone, and this creates a security vulnerability:

As a result, when the Cayla and i-Que dolls are powered on and not already paired with another device, any smartphone or tablet within a 50-foot range can establish a Bluetooth connection with the dolls. Users do not have to enter an authentication code or have physical access to the doll in order to establish a connection with the dolls. Users also do not need to have the Cayla or i-Que companion application installed because smartphones identify the doll as a hands-free headset.

When a smart phone or tablet searches for Bluetooth devices, My Friend Cayla is discoverable under the name “My friend Cayla” and i-Que is discoverable as “IQUE.” The dolls are easily recognizable as a child’s toy.

The Cayla and i-Que dolls provide no indication of being connected to a device via Bluetooth. However, Cayla’s necklace and i-Que’s eyes light up when the microphone is turned on.

Researchers discovered that by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys. 

The above hack is demonstrated in this short video produced by the Norwegian Consumer Council:

 

Although Genesis Toys has not responded to privacy and security concerns raised about the dolls, their German distributor, Vivid GmbH, insisted in a statement to Reuters that the products are safe:

The German distributor of the doll, Vivid GmbH, said it was taking the allegations “very seriously” but did not share the view that Cayla was violating Germany’s espionage laws.

“She is not an espionage device and can be used safely in every respect according to the user manual,” the company said in a statement when asked by Reuters to comment on the ban.

Vivid will therefore legally challenge the decision by German authorities to ban the doll, it said.

Snopes.com reached out to Genesis Toys for comment but as of publication time had not received a reply.

Sources:

Bray, Hiawatha.    “Could Your Children’s Toys Be Violating Their Privacy?”
    The Boston Globe.    6 December 2016.

Howell, Melissa et al.    “Complaint to FTC: Interactive Doll Recording Children’s Private Conversations.”
    WPEC-TV.     21 December 2016.

Petroff, Alanna.    “Germany Tells Parents to Destroy Microphone in ‘Illegal’ Doll.”
    CNN.    17 February 2017.

Roberts, Jeff John.    “Privacy Groups Claim These Popular Dolls Spy on Kids.”
    Fortune.    8 December 2016.

Solomon, Feliz.    “Germany Is Telling Parents to Destroy Dolls that Might Be Spying on Their Children.”
    Fortune.    20 February 2017.

Bundesnetzagentur.    “Bundesnetzagentur Removes Children’s Doll Cayla’ from the Market.”
    17 February 2017.

EPIC, et al.    “FTC Complaint: In the Matter of Genesis Toys and Nuance Communications.”
    6 December 2016.

Federal Trade Commission.    “Complying with COPPA: Frequently Asked Questions.”
    20 March 2015.

MyFriendCayla.com.    “Privacy Policy.”
    23 February 2015.

Nuance Communications.    “Addressing Privacy Concerns with Speech Recognition.”
    6 December 2016.

Nuance Communications.    “Privacy Policy.”
    December 2015.

Reuters.    “German Company Says Talking Doll Is Not ‘Espionage Device.'”
      20 February 2017.