Dangerous Games: Connected Toys, COPPA, and Bad Security
Recent technological innovations have led to an increasing number of devices connecting to the Internet, which in turn collect and store user data. The expansion of the Internet of Things (IoT) industry raises new privacy and security concerns for users of these devices. One surprising area of concern is children’s privacy and security in the connected toys industry. Connected toys connect to the Internet using technologies such as Wi-Fi and Bluetooth, and typically operate in conjunction with companion apps to enable interactive play for children.1 According to Juniper Research, in 2015 the market for connected toys reached $2.8 billion and is predicted to increase to $11 billion by 2020.2 These toys collect and store personal information from children including names, geolocation, addresses, photographs, audio, and video recordings. The primary cop on the beat for children’s privacy and security online is the Federal Trade Commission (FTC), which enforces the Children’s Online Privacy Protection Act (COPPA).3 However, given the several recent security breaches of connected toys, it is clear that COPPA is not providing adequate security for children’s personal information, and new solutions are needed to improve the security of connected toys.
One of the most egregious examples of poor security exhibited by a toymaker comes from VTech, a maker of smart computing devices for children, which exposed 6.4 million children’s personal information when its database was hacked.4 In one of the largest data breaches in history,5 the hacker obtained children’s first and last names, genders, birthdays, photos, and chat logs.6 This hack could have been avoided if VTech’s data operators guarded against the hacker’s SQL-injection technique, which is decades old, well-known, and easily prevented.7
Spiral Toys, the makers of CloudPets—stuffed animals that allow parents, children, and other family and friends to record and send messages across the world8—had its vulnerable databases hacked, compromising 800,000 account credentials and over 2 million voice recordings, many of which contained children’s voices.9 Though Spiral Toys was first warned of its database vulnerabilities on December 31, 2016, and multiple times after that, Spiral Toys took no action to secure the exposed customer data.10 Finally, on January 12, 2017, hackers performed a ransom attack on the still-exposed database, meaning hackers captured all CloudPets’ customer personal information, wiped the database, and demanded ransom for its return.11 It was not until after this story broke to the public in February 2017 that Spiral Toys notified parents of their children’s compromised personal data and publicly acknowledged the breach occurred.12
My Friend Cayla, an interactive doll that asks and answers children’s questions, granted hackers an open door to the toys’ functionality by allowing anyone within thirty feet to connect to the toy via an insecure Bluetooth connection that did not require any form of authentication.13 In turn, hackers could take control of the doll and make it say anything to children, including asking personal questions and making inappropriate comments.14 Genesis Toys, makers of My Friend Cayla, could have easily combatted these types of attacks by simply requiring Bluetooth authentication when attempting to connect the doll to a device, thereby preventing hackers from easily taking control.
The above examples, among several other known breaches and vulnerabilities,15 have sparked widespread concern leading to members of Congress calling for better industry practices,16 the FBI issuing a warning to parents of the dangers posed by connected toys,17 the German government banning the My Friend Cayla doll and children’s GPS watches in Germany,18 toymaker Mattel cancelling its children-focused AI device under pressure from children’s rights advocates and lawmakers,19 and the FTC and Department of Education scheduling a workshop dedicated in part to improving children’s privacy relating to connected educational toys.20
Under COPPA, data operators are required to exercise “reasonable procedures” to protect the security of children’s personal information collected by websites or online services.21 Other than the recently updated guidance document entitled Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business,22 there has been little movement to compel toymakers to improve data security practices.
As shown by the glut of recent children’s data breaches resulting from companies’ egregiously poor data security, it is clear that neither COPPA nor the FTC’s guidance documents are doing enough to protect children’s data online. As it currently stands, parents, rather than companies, are left as the sole protectors of children’s privacy and safety. Rather, companies—who possess greater resources, technical know-how, and expertise than parents—should be responsible for providing reasonable security with vigilance to ensure maximum safety and privacy of children.
I. A BRIEF EXPLANATION OF COPPA
COPPA, enacted in 1998, carves out special requirements for data operators to protect children’s personal information online. These requirements are based in part on the idea that children’s personal information requires special care and protection from data operators because children have not developed the capacity to make informed decisions online.23 In this way, COPPA holds a unique place in the world of privacy regulations. Similar regulations do not exist for other vulnerable segments of the population who cannot make informed decisions related to privacy. The key question then becomes whether COPPA does an adequate job of protecting children’s personal information, given the particular concerns that arise when children’s information is collected and stored online.
A. What is Covered; What is Required?
To assess if COPPA is an effective means of protecting children’s personal information, it is important to understand what services fall under COPPA and what is required for compliance with its data security requirements. For an online service to fall under COPPA, it must be a website or online service, directed toward children24 under thirteen years old,25 which is collecting children’s personal information.26 In tandem with COPPA, the FTC has further clarified various requirements through the issuance of guidance documents.27 In July of 2017, the FTC updated its guidance document titled: Children’s Online Privacy Protection Rule: A Six-Step Compliance Plan for Your Business.28 Here, the FTC clarified what was long expected: connected toys qualify as online services covered under COPPA.29 Though connected toys were long assumed to fall within COPPA’s purview, the FTC’s update to its guidance erases any doubt that connected toys do qualify as “online services” under the statute.
In conjunction with the collection of children’s personal information, COPPA requires that companies collecting personal information from children “establish and maintain reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.”30 Neither COPPA nor the FTC precisely defines “reasonable security” practices. The FTC attempts to promote “reasonable” practices in its guidance documents by urging companies to minimize the amount of data collected from children, retain this data for as short a period as possible,31 and make certain that any third parties who access this data maintain strong security.32 Additionally, the FTC could further clarify what is required from data operators through enforcement actions by issuing consent decrees for particular violations of the “reasonable security” standard under COPPA.33 However, as of the time of this writing there have been no consent decree settlements specifically relating to toymakers exhibiting unreasonable security of children’s personal information. Therefore, other than the scant additional guidance offered by the FTC, toymakers are without a clear definition of the “reasonable security” required under COPPA.
B. Remedies for Parents
COPPA offers relief to parents of children whose personal information is collected by requiring data operators to allow parents to review all collected personal information, request its deletion, and forbid the data operator from further collection.34 Because the FTC does not elaborate on what “reasonable security” entails under COPPA, nor does it enforce these principles with consent decree settlements for companies not practicing “reasonable security,” deletion is the only remedy available to parents to restrict access to their children’s personal information. Electing parents as the sole protectors of their children’s data proves to be neither practical nor effective in practice.
II. CHILDREN’S SAFETY ONLINE SHOULD NOT BE SOLELY IN THE HANDS OF PARENTS
Relying on parents to maintain their children’s privacy and safety is unreasonable given the absence of parental notice of the collection and storage of their children’s personal information, the ineffectiveness of COPPA’s relief mechanism, and a lack of alternatives other than not buying the toy.
A. Parents Do Not Have Notice of Toymakers’ Data Collection and Retention Practices or the Deletion Remedy
In order for concerned parents to request that a toymaker delete and discontinue the collection of their children’s personal information, parents must first have notice that the personal information is being collected and stored and that deletion is an available remedy.35 As required under COPPA, data operators must obtain parental consent before collecting children’s data.36 Moreover, COPPA requires that data operators disclose how parents may request deletion.37 However, just because a parent is clicking “I agree” before allowing their child to interact with the toy, it in no way indicates that the parent has taken the time to look at, let alone read and understand, the toymaker’s terms and conditions detailing their privacy and security practices. It is well documented that the majority of Internet users never even look at the text of terms and conditions before clicking “I agree.”38 Parents with children anxious to play with a new toy might be even less likely than most users to take the time to read and comprehend privacy policies, making it very unlikely parents receive notice of security practices and the deletion remedy contained within the terms. In addition, given the societal distribution of parenting hours, the responsibility of protecting children’s security online will disproportionately fall on the mother, who generally takes on the majority of parental responsibilities.39 This not only further decreases the ability of the child’s guardian to receive notice of policies and remedies, it constitutes an even more unfair burden on the parent, adding another responsibility to the already-challenging task of parenting.
In the unlikely event that a parent does take the time to investigate the toymaker’s data collection and security practices, they will encounter terms that tend to be too long,40 hard to locate,41 written in a difficult and confusing prose,42 and sometimes non-existent.43 All of these factors ultimately push the high bar even higher, as parents are even less likely to receive notice of the toymaker’s collection and retention of data, making parents unlikely to seek the deletion remedy baked into COPPA.
The FTC has attempted to enhance parental notice by including innovative suggestions in its recent update to its COPPA guidance aimed at verifying that the actual parent is the person agreeing to the toymaker’s terms and conditions, rather than the child.44 These suggestions include requiring a parent to answer knowledge-based questions that only the parent could answer and using facial recognition technology to recognize that the parent is agreeing to the terms and conditions.45 While these innovations may solve the problem of parental notice, they do not address the problem of ensuring that the parent clicking to agree to terms has actually read and understood these terms and is aware of available remedies. Additionally, toymakers do not have the incentive to follow the FTC’s suggestions because they are expensive to implement and lack the force of law.
B. Even with Notice, COPPA’s Remedy Is Ineffective
If and when the rare parent who receives notice of the toymaker’s data collection and retention practices requests to review, delete, and stop the collection of their children’s data, their children’s personal information will continue to remain vulnerable to security breaches. Because many of the toymakers share children’s personal information with third parties, who often share this same data with even more third parties, fully deleting data is a difficult, if not impossible task.46 Full deletion of data would involve tracking all data collected, which has passed through many databases, and making certain that all of the data is deleted by the many data operators in control of the collected and shared data. Recently, the FTC attempted to curb sharing of some collected children’s data by issuing new guidance.47 This guidance prohibits data operators from sharing children’s audio recordings used to operate the toy with third-party advertisers and marketers and requires data operators to delete the data from servers before it is made public.48 While this guidance takes a step in the right direction of enhancing children’s security by discouraging the sharing of children’s data and encouraging deletion, it narrowly applies to only one type of children’s data and does not have the force of law.49 Additionally, even if toymakers heed the FTC’s guidance to share personal information only with third parties whose security practices are reliable,50 actually tracking and deleting the data remains an enormously costly undertaking beyond the capabilities of most toymakers.
C. Parents Are Left with the False Choice of Not Buying the Toy
Other than COPPA’s ineffective remedy for parents to protect their children’s personal information, parents have few alternatives to ensure children’s safety online but to choose not to buy the toy. Though some connected toys and apps do offer the option to turn off the collection of personal information, this usually results in the toy being unable to function as intended, while removing the toy’s “hook” of connectivity.51 Additionally, parents wishing to bring a complaint in court will face an uphill, if not insurmountable, battle to meet the “injury in fact” standing requirements for data breaches.52 Further, parents cannot rely on COPPA’s data minimization requirements, aimed at reducing the amount of data collected and the amount of time this data is stored, because the FTC has not enforced this clause to prevent companies from collecting surplus data. In fact, companies are currently incentivized to retain surplus data because retention is inexpensive, especially compared to the cost of maintaining a robust security mechanism responsible for data minimization.53
This leaves parents who seek enforcement of strong data security practices against toymakers with the false choice of not buying the toy for their child. The choice is false because their children’s personal information could still be collected and stored by a toymaker with poor data security practices when children interact with connected toys at friends’ homes or playgrounds.
III. POSSIBLE SOLUTIONS
To spur industry-wide improvement related to connected toys’ data security practices, the FTC can no longer rely on parents to be the sole guardians of their children’s safety and must place a heavier burden on the companies collecting and retaining the data. The following are some potential solutions aimed at starting the conversation for methods of enforcing stronger data security in the connected toys industry.
One option for the FTC to enhance data security would be to levy consent decree settlements against toymakers not practicing “reasonable security.” The issuance of these fines and conditions would help animate the industry’s understanding of what does and does not qualify as “reasonable security” under COPPA. Moreover, issuing a consent decree specifically addressing children’s data security would underscore the FTC’s dedication to consumer protection and invoke industry concern that if data security practices are not improved, operators will be penalized. Potential issues with this solution include the difficulty of the FTC in levying consent decrees given its heavy workload, tight budget, and diminished staff.54 Additionally, many smaller startup toymakers do not have the financial resources to create and maintain robust data security programs, which might discourage these toymakers from entering the market.
Another possible solution would involve the FTC continuing to update its guidance documents with specific examples of what qualifies as reasonable and unreasonable data security. Potential drawbacks to this solution are that guidance documents do not exercise the force of law, and creating a list of “check boxes” that represent “reasonable security” could result in companies meeting only these security requirements, while neglecting other prudent security measures unnamed in the guidance.
The FTC could also continue to hold workshops, like the aforementioned workshop relating to children’s privacy in educational toys,55 to brainstorm potential solutions for the poor data security endemic to the industry. Here, the FTC could invite cybersecurity professionals, toymakers, data operators, children’s rights and health advocates, and parents to the workshop to discuss solutions. Even though they would not guarantee immediate or effective action, these discussions could serve as a starting point for reducing security risks.
Other solutions would involve movement from Congress on new bills aimed at improving cybersecurity related to the IoT,56 and connected toys in particular. However, new bills could take an extended time period to be enacted into law, especially given the still-evolving IoT landscape. Moreover, maintaining better data security in connected toys might be low priority compared to other IoT devices, such as connected cars, that have a greater economic impact and more pressing safety and security concerns.
Despite several recent breaches and security vulnerabilities found in connected toys and COPPA’s ineffectiveness at protecting children’s privacy, there is hope for stronger cybersecurity in the connected toys industry moving forward. It is encouraging that Congress and the FBI have voiced concern with the current state of the industry, the FTC has updated some of its guidance and scheduled a workshop related to COPPA concerns, and the country’s largest toymaker, Mattel, has canceled the sale of a children’s AI device amid pressure from advocates and lawmakers. Additionally, the press has reported on children’s security concerns at length, increasing awareness among Congress and consumers. While there is no simple solution to the problem of maintaining robust Internet security, all sides continue to view children’s privacy and security online as a unique issue worth singling out for special protection.
GLTR Staff Member; Georgetown Law, J.D. expected 2018; Ithaca College, B.S. 2009. ©2018, Jeremy Greenberg.