The Internet of Things (IoT) is growing rapidly, and the implications for children and parents are important. Most parents have no idea of the security issues surrounding toys and devices that are connected as part of the IoT, and this lack of understanding puts many children at risk in a real way. Even the FBI recently found it necessary to encourage people to be aware of cybersecurity risks before they purchase smart phones and internet-connected devices and toys for themselves and their children – and to make sure their children understand the risks, as well. From their consumer notice:

“These toys typically contain sensors, microphones, cameras, data storage components, and other multimedia capabilities – including speech recognition and GPS options. These features could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed.”

What are the issues?

  • GPS components allow people to pinpoint where devices and toys are being used. The implications for children are especially alarming. If hackers targeted something they knew was a child’s toy, they could be able to determine where that child was at any given time – which obviously would be a major safety concern, particularly in situations like latch-key alone time between the end of school and the parent’s return.
  • Microphones could pick up and record conversations occurring near the toy that contain sensitive information. If the recordings are stored outside of the toy (like in the Cloud or on a physical server somewhere), all of the information on the recordings could be vulnerable to cyber-piracy and its accompanying issues. Theft of this sort of information also could create opportunities for child and parental identity theft.
  • Video technologies are part of some IoT children’s toys. These video technologies are unable to distinguish between safe visual content and images that could be used for nefarious actions. Visual identifiers of wealth, images of the child and parents, recordings of key codes for doors and safes, etc. could be compromised – and this information could pose threats of theft, kidnapping, and other exploitative actions.
  • Internet connection security varies widely within the IoT toy industry. Some companies encrypt data that is transmitted, but some do not. Some companies store all data received in the cloud, while others use traditional, physical servers. Some companies store all data themselves, but others use third-party servicers for the most complicated aspects of their toys (like voice recognition software) who also have some access to personal data. Also, of particular concern, many products are launched in a hurried manner in order to be first-to-market – and one of the casualties of this rush too often is cybersecurity protection.

There are laws in place to protect children, but it is difficult for the government to enforce these laws comprehensively due to the sheer magnitude of the data and extensive efforts to breach cybersecurity. For this reason, parents simply must be aware of the issue and talk with their children about how to use IOT toys and devices as safely as possible.

The following suggestions can help make you and your children safer and more confident in an increasingly connected world:

  • Research and understand the security measures of all toys and devices you purchase that connect to the internet.
  • Read and understand the privacy policies – and make the policies an important part of your purchasing decisions.
  • Research the data storage and cybersecurity practices of the companies that sell the toys and devices.
  • Make sure your toys and devices use encryption whenever they transmit data of any kind.
  • Make sure any updates and patches are installed regularly.
  • Provide only what information is necessary when purchasing any internet-connected item – and reconsider purchases that require sensitive, personally-identifying information (like birthdays).
  • Use unique passwords for these toys and devices – ones that do not match your personal or business accounts.
  • Turn off all items when not in use, especially if there is an audio and/or visual recording component.

Finally, it is important that you understand the legal responsibilities placed on companies that sell internet-connected devices and toys that are targeted to children (primarily under the age of 13). The Federal Trade Commission (FTC) has addressed this issue in its “Children’s Online Privacy Protection Rule” (COPPA) and a follow-up compliance plan that includes the following six requirements for producers of IOT devices and toys:

  1. Determine if Your Company is a Website or Online Service that Collects Personal Information from Kids Under 13.
  2. Post a Privacy Policy that Complies with COPPA.
  3. Notify Parents Directly Before Collecting Personal Information from Their Kids.
  4. Get Parents’ Verifiable Consent Before Collecting Personal Information from Their Kids.
  5. Honor Parents’ Ongoing Rights with Respect to Personal Information Collected from Their Kids.
  6. Implement Reasonable Procedures to Protect the Security of Kids’ Personal Information.

If you believe any of these requirements have not been met by a company whose product you have purchased, report it immediately.

Cybersecurity of all kinds is one of the most serious concerns of our modern, technological world, and the security of IoT devices and toys, especially those marketed to children, is one of the least understood areas within this technological world. Every parent must do his or her part to make sure their child’s internet interactions are as safe and secure as possible – and the simple, common sense suggestions above are a solid starting point.