There was a point in recent history, where a parent having been asked about securing their daughter’s privacy, thought first about their daughter’s locked handwritten diary, hidden under her bed’s mattress.
Almost 3 million American parents knew that day had long-gone, as they faced a potentially more serious Internet privacy breach last week. Their adult VTech account, along with their related children’s profile data, had been compromised because of cyber-attack, according to the Hong Kong headquartered company’s announcement. Stolen data included non-encrypted children’s’ names and birthdates, mailing addresses and e-mail addresses, security secret Q&A’s as well as device and software download history. VTech manufacturers baby monitors, smart watches, pre-school electronic learning and gaming tablet toys that download educational software from the company’s website Learning Lodge app store.
According to reporting by Lorenzo Francheschi-Bicchierai who has interviewed the anonymous VTech Hacker, the hacker’s intention was never to profit by selling the data to third-parties, rather he went to Motherboard for public disclosure “When I got the [database] dumps, I realized how serious it was. I just wanted issues made aware of and fixed.”
VTech has until January 8, 2016 to respond to a US lawmaker’s information request about the hacking incident and the company’s plan for parental notifications. VTech has also been asked to provide what data the company collects on children, its data security policies and practices and explain how the company complies with the US Children’s Online Privacy Protection Act (COPPA), a law updated in 2013 designed to help protect the privacy of kids under age 13 through limiting types of collectable data and requiring parental authorization for its collection. Although VTech does maintain a Press Room archive with recent press releases on the cyber incident at its e-commerce website, there is no prominent website notification of the reason that the Learning Lodge is off-line, nor any parental disclosures of the hacking incident with follow-up parental action steps.
During reviews of recent large-scale cyber-attacks, security experts have discovered two primary flaws: organizations keep too much data and utilize primitive security equipment and protocols.
“Toy companies are rushing to cash in on the changing nature of childhood in the Big Data era, where Internet connected toys are linking children to a vast surveillance network,” said Jeffrey Chester, executive director of the Center for Digital Democracy. “These playthings can monitor their every move, turning what should be innocent and pleasurable experience into something potentially more sinister.”
Concerned about the plethora of over 50 free Santa apps Google and Apple stores that have FaceTimed the handwritten Letter to Santa and local news weather forecaster monitoring of Santa’s Christmas Eve journey, the ad industry and BBB self-regulatory watchdog group ASRC, issued a cursory press release that reminded parents of their responsibility for safeguarding their child’s online privacy. There was no mention of privacy concerns about recently released IoT connected toys like Fisher-Price’s interactive learning buddy “Smart Toy Monkey” or Mattel’s Artificial Intelligence “Hello Barbie,” which have garnered published independent security analyst concerns during the past year.
Because of rapidly-changing cyber technology and complex technical security agreements that must be in place between connected toy seller’s and their third-party technology providers, have we reached the point where COPPA law should be amended to require standardized parental disclosures of children’s privacy risks on product labeling and in children’s advertising? I believe that the time has come, where new standards like those used on tobacco products and in prescription drug marketing, must receive serious consideration. What do you think? Let’s start a conversation, in the comments below.
To read more about Internet of Everything (IoT) and Children’s Toy Security
Jenna Wortham writes about “’Future Crimes,’ by Marc Goodman”
Lily Hay Newman writes about “Internet-Connected Toys Are Getting Hacked, and It’s As Creepy As We Feared It Would Be””