Press release: Testing internet-connected toys raises security and privacy concerns

06 Dec 2016


My Friend Cayla and i-Que fail miserably when it comes to children’s security and privacy say consumer rights organisations across the globe. 

The criticism is based on Norwegian Consumer Council research which found these popular toys are:

• Dangerously easy for others to gain access, as physical access to the toy is not required in order to connect.

• Recording everything the child says around the doll and transferring it to a company which can sell this information to third parties. 

• Embedded with pre-programmed phrases endorsing commercial partnerships.

The issues of the lack of security of the toys was raised with the companies almost two years ago and they have not been fixed. 

This is not only a violation of children’s rights to privacy, it is also a major security risk for the rest of the household as the toy can easily record other conversations happening around it. 

Based on the research, consumer organisations in Europe and the United States have filed formal complaints to the relevant authorities on these worrying breaches of several consumer laws. 

“Children are especially vulnerable, and are entitled to products and services that safeguard their rights to security and privacy. As long as the manufacturers are not willing to take these issues seriously, Internet of things-technologies are not suited for toys” says Finn Myrstad, Head of section, digital services in the Norwegian Consumer Council.

“Innovation is vital to progress but it cannot come at the expense of the rights of individuals. Parents must be able to feel their children are safe when they are playing with their toys and that when they share their thoughts and feelings this won’t then be passed on to the highest bidder.” Amanda Long, Director General, Consumers International. 

The toys fail at several points

In their review of the toys, the Consumer Council has found several serious issues:

1. Lack of safety

With simple steps, anyone can take control of the toys through a mobile phone. This makes it possible to talk and listen through the toy without having physical access to the toy. 

This lack of safety could easily have been prevented, for example by making physical access to the toy required, or by requiring the user to press a button when pairing their phone with the toy.

2. Illegal user terms 

Before using the toy, users must consent to the terms being changed without notice, that personal data can be used for targeted advertising, and that information may be shared with unnamed third parties. 

3. Kids’ secrets are shared

Anything the child tells the doll is transferred to the U.S.-based company Nuance Communications, who specialize in speech recognition technologies. The company reserves the right to share this information with other third parties, and to use speech data for a wide variety of purposes. 

4. Kids are subject to hidden marketing 

The toys are embedded with pre-programmed phrases, where they endorse different commercial products. For example, Cayla will happily talk about how much she loves different Disney movies. Meanwhile, the app-provider has a commercial relationship with Disney.

The Norwegian Consumer Council, Consumers International and several Members are now calling on the manufactures to:

• Not collect more data than necessary for the functionality of the service, and this data should not be used for purposes that are not inherently required for these functions. 

• Prevent that these kind of issues resurfacing they should adopt a design-philosophy of privacy and security by design. This approach means that privacy and security-related risk assessments are undertaken during the entire design-process, and that sufficient privacy and security measures are worked into the product design itself.

• Make these toys safer by increasing security features in how devices are paired, to stop unauthorised people from connecting to the toy.

• Stop direct marketing to children

“These problems are emblematic of the increased spread of connected devices. In a growing market, it is essential that consumers, and especially children, are not being used as subjects for products that have not been sufficiently tested” says Finn Myrstad.

As an increasing amount of manufacturers and service-providers move into the digital field, they must be mindful of the security and privacy risks that the digital world opens up. 

Consumer tips

1. Due to the lack of security and privacy protection in these toys, you should think twice before buying them for your children.

2. If you have already bought the toy, you can try to complain and return it in the store on the grounds that it is not safe to use and does not meet consumer and data protection standards. 

3. If you want to keep the toy, remember to switch it off when not in use. This way you have control over who can connect to the toy, but it does not solve the other issues. Also, remember, your child might turn on the toy again, leaving the device vulnerable.

About the companies: 

Genesis Toys: Manufacturers of the Cayla and i-Que toys. Based in Los Angeles, California. Partners with Wal-Mart, Toys R Us, Amazon, Target, and K-Mart ( Distributes Cayla and i-Que in the US, Norway, Sweden, Denmark, Australia, Netherlands, and the Middle East

ToyQuest: Makers of the Cayla and i-Que companion apps. Partners with a wide range of licensors, including Disney, Nickelodeon, and Dreamworks ( Offices in Los Angeles, London, Hong Kong, Vietnam, and Shanghai. 

Vivid: The largest British toy company. Distributes Cayla and i-Que in the UK, France, Germany, Austria, Ireland, and Switzerland. 

Nuance Communications: Provides speech-to-text services for Cayla and i-Que. Receives voice data from the Cayla and i-Que companion apps. US-based company specializing in voice- and speech-recognition services in a broad variety of areas including biometric voiceprints for use in fraud-detection, health care, and intelligence services. Were certified under the Safe Harbor agreement (


comments powered by Disqus
GoView more options