A study by the University of Basel raises questions about the way many children’s toy manufacturers collect data, without making these procedures clear to parents. Some devices “silently” record every movement and choice a child makes, and then send the information to the company.
They have cute and simple names like Pictionary, Tiptoi, Camera, Tamagotchi and Osmo, and are connected to the internet, making them interactive and smart toys loved by children. For example, children can listen to a story by placing a Peppa Pig figure on the appropriate shape, or listen to a song by pressing a button, or go back and forward in a story by simply moving a button left or right.
But how should they be considered from a privacy point of view, when users are often only a few years old? What about their digital security when these smart toys are connected to the internet?
Researchers from the University of Basel, with a team led by Professor Isabel Wagner from the Department of Mathematics and Computer Science, asked themselves this question, conducting an investigation into 12 of the most popular toys, including: Tiptoi (smart pen), Tamagotchi (the popular virtual pet), Edurino (learning app), Moorebot (robot with integrated camera and microphone) and Kidibuzz (smartphone with parental controls).
For all of them, they verified compliance with the EU General Data Protection Regulation, data accessibility, encryption (i.e. data accessible only to those with the right codes) and transparency (the possibility for users to find out what information is held about them). As they later reported at the Annual Privacy Forum 2024, organised by the European Union on 4-5 September in Karlstad (Sweden), what they discovered was rather troubling.
Naming two toys, “Neither the Toniebox nor the Tiptoi charging station”, write the researchers on the University of Basel website, “come out well with respect to security, as they do not securely encrypt data traffic. The two toys differ with regard to privacy concerns, though: While the Toniebox does collect data and send it to the manufacturer, the Tiptoi pen does not record how and when a child uses it. Only audio files for the purchased products are downloaded.”
Other toys, which integrate the generative AI program ChatGPT, collect data, but then, after sharing it with the manufacturer, delete it, even if this in itself does not guarantee security. Other doubts remain: “Even if the Toniebox were operated offline”, Professor Wagner surmises, “and only temporarily connected to the internet while downloading new audio content, the device could store collected data locally and transmit it to the manufacturer at the next opportunity.”
For their part, companies claim that they only collect this data to help them optimize the toys (e.g. voice recognition programs), but for users the question is not so clear. Among other things, write the researchers, it is not clear why the apps that come with the toys often, if not always, ask for geolocation permission or access to the microphone. Therefore, as a minimum, clearer and more stringent regulations are required that place the security of children and protection of their privacy at the heart of the toy’s operation.
The Basel researchers added that it would be very useful for this type of toy to have a label on the packaging with the “ingredients” (a bit like those for food items), on which the manufacturer must specify how data processing is managed, as well as privacy and so on. In this way, parents would have all the information they need to freely choose whether to let their children have access to the various devices, because as it stands, they are unable to take informed decisions.
The researchers conclude that all this is necessary to avoid the creation of social inequalities. Some more informed parents are able to manage their children’s data without any difficulties, or choose only secure toys, whereas others may not have the knowledge to do so, thus involuntarily exposing their children to not insignificant risks. Finally, there is a question relating to the psychological development of children who, in some way or other, are under constant surveillance. No one knows what this could do to their developing minds.
The full data from the study will be published in the next edition of the Privacy Technologies and Policy book, published by Springer.