The French Take Action Against Connected Toys Company Parents Should Think Twice About Gifting a Smart Toy this Christmas

The My Friend Cayla connected toy, already banned in Germany for privacy concerns, is now on probation in France, where the data protection agency has issued a warning to the manufacturer regarding the security risks that come with the product.

Cayla is not the only smart toy to draw the attention of the French National Data Protection Commission (CNIL). i-Que, a robot designed to engage children in interactive experiences, is in the same boat. Both products come from Genesis Industries Ltd, which collects from the toys audio content that could reveal personal information like names and addresses, the commission says.

The smart playthings include a microphone and a speaker, and they use Bluetooth to receive commands from a mobile app. The connection, though, is insecure: it does not require authentication or validation of the paired device. Cayla and the i-Que robot function as Bluetooth speakers so, if a phone connects to them, a stranger could hear and record what the child says to the toy or nearby conversations.

CNIL asserts that even if with obstacles in between, an individual would have to be within nine meters from the smart toy for successful pairing. The agency also said it was possible to communicate through the toy, either by using prerecorded messages or with the toys’ hands-free kit, just by calling the phone already connected to Cayla or i-Que.

The security gaps in these products violate the French Data Protection Act in two ways, CNIL said in a blog post this week. First, the two devices fail to protect private conversations by establishing a connection with any Bluetooth-enabled equipment without validating it first. Second, the toys do not seek user consent for the vendor to process personal data or to send audio content to a provider outside the European Union.

The French regulatory body gives the device maker two months to comply with the country’s data privacy law. The first act of the law states that information technology “shall not violate human identity, human rights, privacy, or individual or public liberties.” If the company does not act on the warning by the deadline, CNIL has the power to issue sanctions, pecuniary or of another type.

Concerns about My Friend Cayla and i-Que robot security faults have been reported since late last year by multiple parties. Four consumer groups filed in 2016 a complaint with the US Federal Trade Commission (FTC) raising privacy concerns. The Norwegian Consumer Council published a video around the same time about the spying potential of the two smart toys.

Although the smart toys could pose a threat to privacy, users can minimize the risk. They pair with one device at a time and connect with the most recently used one. Enabling Bluetooth first on the mobile phone or tablet and then on the toy, should ensure a link to the correct device. Also, parents should turn off the toys when they are not in use and make sure that their connected gear has the latest updates installed.

Image credit: Genesis Industries