A child sits down in front of a brand new toy for Christmas – a robot that can hold a conversation. The robot asks the child about their life, where they live and how they feel. The robot has a camera and a microphone. It can record and remember facial expressions and what games your child plays with it.
Data from a child’s playtime is stored in the cloud and used to develop metrics on how they are growing. Transcripts of what a child says sometimes get forwarded to OpenAI, the makers of ChatGPT, for processing.
The robot, named Moxie, is touted by its maker for using “pay-based conversational learning to support holistic skill development” for children aged five to 10.
But the ability of the toy, and many others that will be sold during the holiday season, has been flagged by the Privacy Not Included project, an effort produced by the Mozilla Foundation to evaluate privacy and security with toys, gadgets and smart home products.
“It gets tricky,” said Jen Caltrider, who leads the Privacy Not Included project and whose team examined Moxie’s function and privacy terms as part of a consumer advocacy project. “They say good things in their privacy policy… but there’s also a lot of red flags about where the data is going.”
Chaotic and confusing
The landscape of smart toys, and toys generally, is hard to pin down. As an industry, Caltrider described it as a “Wild West” of small companies appearing, bringing things to market, then disappearing.
Outside of the major toy manufacturers, this chaotic landscape can make it hard to trace who is making a toy and where toy data is going.
According to the US Federal Trade Commission, companies are required to abide by privacy policies or privacy claims they make under the Children’s Online Privacy Act.
In practice, companies like Amazon and Microsoft have been cited for violating the Coppa Act. The Act also doesn’t protect against poor digital security, which might leak information to bad actors online.
In 2023, the FTC accused Amazon of collecting children’s voice and geolocation data from Alexa and storing it in perpetuity, even if parents asked Amazon to delete it. Amazon agreed to pay US$25mil (RM117mil) to settle the claim, per the New York Times.
Moxie illustrates some of the confusing territory of smart toys. To function, Moxie needs Internet access, cloud storage, and third- party services from Google and OpenAI.
It records both voice and video. How all that data is handled and whether every company involved is behaving appropriately creates a minefield of potential privacy concerns.
Moxie is made by a company called Embodied, which makes companion robots for people of different ages. On its website, it points to several positive reviews of the robot, including Time, which named the robot one of the best inventions of 2020.
“In Moxie, children find a compassionate pal who encourages reading and drawing and sends them on missions meant to spur engagement with adults, siblings and peers, such as writing kind notes for their family to find or talking to a friend about feelings,” the entry reads on Time.
The makers of Moxie ask parents in their privacy policy to teach their child “to never provide personal information”.
“That doesn’t compute because you’re billing it as something your child is going to talk to like a friend,” said Caltrider. “Then, of course, children don’t know what personal information is.”
Smart toys often incorporate microphones, cameras, sensors, AI and Internet connectivity into interactive play.
While it isn’t necessarily a problem for toys to include “smart” elements, child privacy advocates say they can introduce unwanted surveillance into play.
According to the Public Interest Research Group, a non-profit advocacy organisation, smart toys introduce the possibility of unseen data collection and surveillance of your children by companies, hackers or other parties.
“You don’t have to be fanatical about privacy or child safety to imagine what kinds of conversations we might be having a couple years from now if this doesn’t get reigned in,” said Tracey Murray of the Public Interest Research Group.
“Even aside from safety issues, this represents a huge risk of identity theft for the family, depending on the kinds of data involved.”
PIRG released a report on dangerous toys that heavily featured smart toys this year.
Tech and toy companies, including Microsoft, Edmodo and VTech, have been cited by the FTC for child data privacy violations over the years.
Earlier this year, a child-focused table, The Dragon Touch, was discovered to have been shipped with malware by the Electronic Frontier Foundation. In 2017, CloudPets leaked the details of over half a million users.
According to Markets and Research, a market research firm, the global market for smart toys increased from about US$14bil (RM65.2bil) in 2022 to about US$16.6bil (RM77.3bil) in 2023 and is expected to continue growing for the foreseeable future.
Smart toys aren’t always obvious in their design. Murray said that many smart toys include features like microphones, Internet or Bluetooth connectivity that aren’t clearly indicated on the packaging.
“What we are seeing is that traditional toys, stuffed animals, dolls, board games, race cars – in all of these things, manufacturers are clamouring, trying to figure out how to make them into smart toys,” said Murray. “We’re seeing a lot of toys now that have a smart toy component that didn’t used to have it.”
The US Transparency Over Toys Spying Act, or TOTS Act, which would mandate that toy manufacturers disclose electronic or smart surveillance capabilities on the packaging, has been sitting in the US House Energy and Commerce committee since January of this year.
Caltrider pointed to some smart watches as potentially problematic as well, especially those with discrete monitoring. Billed as ways to keep tabs on your child, the Mozilla Foundation notes that it is not always clear what data is collected and how it is used.
Getting smart about toys
Murray at the PIRG said that if you were buying a toy for your child, or any child, you needed to seriously consider whether the toy was appropriate to bring into a home. Smart toys, in particular, require extra care.
“I would never buy a smart toy for somebody without checking with a parent to make sure it’s OK,” said Murray.
“They’re just like BB guns or a pet. Would you buy a pet snake for somebody as a holiday gift without checking with the parents?”
If you’re considering a smart toy for your child, experts say that a good rule of thumb is to make sure that the toy’s privacy policy is something you’re comfortable with.
Murray recommends searching for key terms like “data” or “geolocation” or “advertising” to spot check what a company intends to do with specific kinds of data.
Beyond that, the most basic way to keep yourself safe, Murray said, was to make sure you knew what the toy was doing and that you were comfortable with that.
Does the toy have a microphone or camera? Is the camera or microphone always on? Does the toy have an indicator light for when it’s recording? Does the toy connect to the Internet? Adults should know the answers to these questions before introducing a toy to a child.
“If a parent has a concern about a particular toy, they just shouldn’t buy it,” said Murray. – Connecticut Post, Bridgeport/Tribune News Service