Top of page
Global Site Navigation


Local Section Navigation
You are here: Main Content

I spy the internet of toys

The internet of toys can transform an ordinary toy into a smart, interactive playtime companion, but this increased connectivity can also carry hidden risks. Tiffany Fox looks at the ethics, security and trends behind the new generation of toys.

It is the cuddly spy in the cradle and their interactive digital friend. The camera in their bedroom and the gadget that brings their art to life. A springboard for their imagination — and potentially one of the biggest privacy and data security risks facing young children.

Welcome to the internet of toys – an offshoot of the so-called internet of things — in which almost any device can be connected to the internet, enabling children as young as toddlers to send and receive data.

For a parent trawling the toy aisles for a new and diverting plaything for a birthday or Christmas, the growing number of smart, interactive playtime companions and learning devices can seem like a dream come true.

But with technology outpacing policy development, this new generation of toys also carry hidden risks surrounding the security of the child’s data and privacy.

In January, it was revealed the popular CloudPets stuffed toys, which allowed kids and their faraway parents to exchange heartfelt messages, had exposed more than 800,000 customer emails and credentials, as well as two million voice recordings, online.

CloudPets were not the only toys targeted by hackers.

A 2015 hack of electronic toy-maker VTech revealed names, birthdays, addresses, chat logs, and photos of more than five million parents and 200,000 children.

In May, an 11-year-old at a security conference was able to ‘weaponise’ a teddy bear by hacking the phone of a participant and using it to manipulate the smart toy’s behaviour.

Policies needed

ECU DECRA fellow and researcher Dr Donell Holloway, who presented a research paper on the Internet of Toys with Professor Lelia Green at the Australian & New Zealand Communication Association conference last year, says research and updated policies are needed to protect children’s privacy.

“In the effort to get on to the market quickly, (developers) have not really thought about privacy by design or privacy by default in the toys they make,” Holloway says.

“Who owns this dossier of children’s data is a legal question that has not been answered yet, and how we can ensure that children and their parents can control and hopefully retain ownership of their data.

“It is not all doom and gloom. There are lots of benefits to these toys but it is just that the industry has moved along fairly quickly without pausing to think of some of those issues.”

In Germany, a voice recognition-enabled doll called My Friend Cayla was recently banned by the country’s communications watchdog because it was capable of transmitting signals and recorded images or sound without detection.

It prompted a similar warning by the FBI to American consumers.

“Children definitely just see these as just another toy, with special or extra abilities, and they are not necessarily thinking of privacy.” - Dr Donell Holloway.

Holloway said as well as My Friend Cayla, which was available to buy online in Australia, the popular Hello Barbie used voice recognition technology connected to the cloud to analyse, process and respond to children’s conversations and images.

Other internet-connected toys included app-enabled drones, cars and robots such as Star War’s BB-8 Droid, toys-to-life games such as Skylanders, which connected action figures to video games, and puzzle and building games like Osmo, which used a device clipped on to a tablet’s camera to bring objects or art to life on the screen.

Children’s tech wearables, such as smart watches, fitness trackers and sleep monitors, also collected “massive” amounts of data on infants and children.

According to the Office of the eSafety Commissioner, parents need to be aware of toys that connected to the internet through Wi-Fi, or Bluetooth and a mobile device, and store collected information on a server or in the cloud.

As children interacted with the toy it could collect data including the child’s name, gender, date of birth, their geolocation, photograph and chat and voice messages.

Holloway says that while some parents may be aware of the security risks, the toys were “flying under the radar” for others.

“Children definitely just see these as just another toy, with special or extra abilities, and they are not necessarily thinking of privacy,” she says.

“For parents, the problem is once they buy the toy, they own the toy, but to get it working they have to go online, connect the toy and tick off all the terms of service.

“In some ways it is not a privacy choice for parents. Once you have bought the toy, you want it to work.”

ECU researcher and grandmother Dr Donell Holloway says policies need to be updated to protect children's privacy.
ECU researcher and grandmother Dr Donell Holloway says policies need to be updated to protect children's privacy.

A global industry

ECU School of Science Associate Dean for computing and security Paul Haskell-Dowland says one challenge for policy makers and consumers is the global nature of the toy industry.

While manufacturers can meet their legal obligations by providing data processing, storage and privacy statements — which can often attempt to put the onus back on consumers — the terms and conditions are often not worded in a way easily understood by the average person.

“The manufacturers are typically multinational or global organisations so you are not dealing with an Australian manufacturer for toys targeting the Australian market,” he says.

"As a consequence they are operating in multiple jurisdictions. Even if they were to offer advice, or be clear on what their product is and how it works ... the company will aim for a level of disclosure that meets the minimum standards of wherever they are operating.

“It is unlikely to be in a form aimed at being understood by the end user.”

Potential backdoor

Haskell-Dowland says while internet-enabled toys are not necessarily a high-value target for exploitation, they potentially provide a poorly secured backdoor into personal home networks.

He says parents can take simple steps, including monitoring their children’s use of the toys, setting up a unique profile for toys that is separate from their personal profiles, and avoiding linking devices to payment information, in order to improve their data security.

“If you have a device that a child interacted with that posted to social media, then somewhere in the system there is a linkage between that device and a social media account,” he says.

“We know the end users will frequently reuse credentials so it may be that we have a route to accessing a set of usernames and passwords that could be used in other services, and if you are daft enough, it could be your online banking account.

“It is about hopping between accounts and devices.”

Educational opportunities

Educational technologist and ECU School of Education research assistant Zina Cordery says that while information security is a cause for concern, programmable digital toys and apps can have positive outcomes for children when used properly by parents and educators.

She says internet-enabled toys have the potential to teach 21st century life and work skills, such as coding and sequencing, engineering, building, creating and innovating, and allowed children to develop these skills through free play.

“They also teach students that it is okay to make mistakes, and it is okay to try things out and perhaps do things differently to other people,” she says.

“Unfortunately we are not in a position to say no to any technology, because to be able to function in the world that we live in currently, you have to know how to use the technology and know how it works.

“So long as parents are being responsible and making good decisions with the information they have, I think the benefits outweigh the risks.”


Skip to top of page