The KidKraft toy kitchen looks normal as kids toy kitchens go. There are all the trimmings you'd find in an adult sized-kitchen: a fridge, oven, stovetop and sink. Plastic and wooden utensils and foods are tucked away in drawers or in the small pantry.
What makes the kitchen distinct isn't obvious. Many of the items include RFID chips that allow sensors placed around the kitchen to register them. Say a child is pretending to fry something on the stove, a speaker might play a sizzling sound. The RFID capability can attach to Echo Dots, Amazon's Alexa-hosting smart speaker product.
When connected, Alexa plays with the kid using the kitchen, guiding them through recipes, pretend purchases from a storefront included in the toy set, all while telling dad jokes.
While playing cook is a benign activity, what happens to your child's data after Alexa collects it? What is it used for? Where is it stored? Who gets to see it and do parents have any control over it?
"They tell you they're not going to sell your child's data to a third party," said Shelby Knox, campaign director for Parents Together, a nonprofit family advocacy organisation based in Washington DC. "But that hardly matters when it's Amazon, a global consumer force, listening to your child play."
The KidKraft Kitchen is just one of many toys and gadgets that Parents Together highlight in a gift advisory report for possible privacy issues. The report features a diverse array of toys and gifts including a water bottle that collects geolocation data and a smart mirror that collects facial images from users that it sells to third parties.
"Unlike a toy that has small parts which you can see your kid playing with, things can happen on a phone, computer or tablet that you never know about until it's too late," said Knox.
Knox said that report isn't intended to be comprehensive, or a "don't buy" list. It doesn't feature every Alexa-enabled kids toy on the market, Fuzzible friends, an Alexa-compatible line of plush toys is a notable absence. Rather, the intent is to highlight tech toys they deem intrusive or problematic so parents, relatives and friends can be more careful. They've joined a growing chorus of safety advocates, including the FBI, warning about the dangers of smart toys.
Smart toys have history of scandal
The trouble with smart toys isn't completely new. Privacy issues in the smart toy space have periodically popped up since smart toys made their debut in the past decade. It's another form of what tech and privacy researchers call "surveillance capitalism," intrusive data gathering for hyper-targeted advertising. When toys gather data on kids, it threatens to turn innocent play into profit, advocates warn.
In 2015, Mattel caused an outcry with Hello Barbie, a WiFi-enabled doll that could have conversations with kids. Hello Barbie stored recordings of kids voices on remote servers run by Mattel and their partner ToyTalk. Security researcher Matt Jakubowski was able to hack Barbie to get access to user information, voice recordings and account IDs. He claimed that he could use this data to determine users addresses. Mattel tried to keep the line alive with a connected smart "Dream House" but the line was discontinued in 2017.
2017 was a bad year for smart dolls. Cloud Pets, a cuddly toy with a voice recording messenger app, leaked over 800,000 users voice recordings and personal data through an unsecured database. German regulatory authorities sentenced a doll to death, advising parents to destroy a smart, conversational doll called "My Friend Cayla". The manufacturer reserved the right to share data with advertisers.
"She was programmed to ask kids things like 'What's your name? What's your parent's name? What school? What's your favorite TV program? What's your favorite meal?'" said RJ Cross, director of the Don't Sell My Data Campaign and policy analyst. "A kid is going to view that toy as a trusted friend, not realising there's a company on the other end doing the listening and talking... It totally exploits the innocence of children."
Unlike My Friend Cayla or Hello Barbie, Cloud Pets are still online and available.
As late as last year, UK-based security consulting firm Pen Test Partners was able to turn the Fischer Price Chatter Bluetooth Telephone into a listening device capable of bugging a neighbor's house. While Fischer Price said the toy was intended for adults it looks exactly like a plastic, rotary Fischer Price phone and is capable of receiving calls from any smartphone capable of Bluetooth pairing.
"Have Fischer Price not learned from similar security issues exposed in children's toys several years ago?" wrote Pen Test Partners on their blog.
Privacy policies longer than A Christmas Carol
Jen Caltrider, leader of the Mozilla Foundation's Privacy Not Included project plows through privacy policy legalese for a living. She said that the burden of managing privacy is often shoved off on the parents.
"I've read enough privacy policies to know that they tell the parents 'It's your responsibility,'" said Caltrider. "It's kind of ridiculous how these companies have pushed the responsibility on to parents, and their children to protect their own privacy on devices that aren't designed to protect your privacy."
Parents are asked to check boxes, set up apps and opt in to long and confusing privacy documents for their kids.
Caltrider pointed to the Meta Quest VR Headset as an object of particular concern. The virtual reality device uses 16 cameras to immerse users in digital worlds. Five of those cameras are focused on the face. Other cameras focus on your hands and surroundings. Microphones record the environment. The location of the device is traced. But to find out what happens to the recordings from those cameras Caltrider had to read 14 different privacy documents and 37,700 words.
"It's longer than a novel and it's super complicated to understand," said Caltrider. "And you're giving up all this data to a company that has a really terrible track record at trying to collect as much data as they can and use that data to make as much money as they can."
Meta is the rebranded face of Facebook, Caltrider points out, which has been plagued by data leaks, privacy concerns and intrusive user tracking for over a decade.
Does the toy need to be smart?
So, what are parents supposed to do? Knox of Parents Together recommends that parents carefully weigh putting smart toys in the home, particularly because the onus for privacy will be put on them.
"When you do buy them, really look into the privacy policy," said Knox. "Think about whether you need to have a conversation with your kid about using them safely."
Optimally this should be done well before you're in the toy aisle, advocates advise against making decisions like this on the fly. If you're shopping for someone else's kid, or a relative, Cross recommends not surprising the parent with an intrusive toy.
"It's not uncommon for a relative might buy the coolest smart toy because they think their nephew will get a kick out of it," said Cross. "But it's more important to be careful with these toys than ever before."
One of the other things to keep in mind is that not all tech toys of the same type are created equally. Video game consoles, like Playstations or the Nintendo Switch are considerably more safe and secure than game-app-platforms like Roblox. Advocates advise steering toward tech toys from companies with good reputations.
A good rule of thumb, advocates say, is to really consider whether a toy or device needs to be Internet-connected or gather certain kinds of data at all. Why does the Hydroflask need your kid's location data? Should your kid's mirror collect and store images of your kid's face on the cloud?
"When it comes to children I think the right question is 'Does this need to connect to the Internet for my kids to have fun with it?'" said Caltrider. "Or is it just better if I get the dumb version?" – Connecticut Post, Bridgeport/Tribune News Service