New Senate Report Raises Concerns Over Privacy Risk Associated With Smart Toys

December 14, 2016

WASHINGTON, DC – With the holiday shopping season in full swing, a new report unveiled today by U.S. Sen. Bill Nelson (D-FL) is cautioning parents about the privacy risk associated with so-called smart toys.

Smart toys, which can interact with a child by connecting to the internet, can become a target for hackers and identity thieves looking to steal a parent or child’s personal information often stored by the toymaker.

These toys, and the companies that make them, often collect and store a wide range of personal information about the consumers.

The report noted that, if improperly secured, criminals can use the information stored on these devices in a variety of ways. For example: a child's Social Security number can be used by identity thieves to apply for government benefits, open bank and credit card accounts or apply for a loan. Additionally, a child’s name, home address, online contact information or physical location can be used to contact or even abduct that child.

The report cites three incidents in which smart toy manufacturers failed to adequately secure a child’s personal information. 

One such incident involved a data breach at VTech Electronics, a leading manufacturer of electronic learning toys and baby monitors. The breach, which occurred last year, reportedly exposed the personal information of more than six million children around the globe, including their names, genders and birthdates, as well as photographs and account passwords.  

The report went on to cite security flaws found in two other popular children’s toys - Fisher-Price’s Smart Toy Bear and hereO’s GPS watch – which could have exposed not only a child’s personal information, but in the case of the GPS watch, a child’s real-time physical location as well. 

“It’s frightening to think that our children’s toys can be used against them in this way,” said Nelson, the top Democrat on the Senate Commerce Committee. “The companies that make these toys have to do more to safeguard the parents and children who use them.”  

The report recommends several measures parents can take both before and after purchasing a smart toy to help secure their child’s information, including:

Before purchasing a toy:

•          Learn what personal information the toy will collect, how that information will be used, whether it will be shared and how long it will be retained. This information can usually be found in the device’s privacy policy. If a toy’s privacy policy is too long and confusing, parents may want to reconsider giving that product to their child.

•          Check whether the manufacturer of a particular toy has been the subject of a previous data breach and how the company handled that breach.

After purchasing a toy:

•          Change the default passwords that come with the toy and install any available updates to the toy’s software.

•          If possible, change the toy’s default privacy settings to limit the amount of personal information it provides to the manufacturer. Parents should allow a toy to collect only the information that is necessary for it to properly function.

A copy of the report is available here:

https://www.commerce.senate.gov/public/_cache/files/c9edea45-05a2-42ab-a9e4-22e5db7bc0ed/8B6F6A6FDCD06F07DE4352BE4505824D.12.14.16-ranking-member-nelson-report-on-connected-toys.pdf