It was the dream of many children who saw the Walt Disney film Toy Story in cinemas in the 1990s: to have “living” toys as friends. They would have loved being able to go on fun adventures with Woody, the amiable wooden sheriff, or Buzz Lightyear, the fearless astronaut. The film made a killing at the box office, sparking the imagination of children everywhere. And now, more than twenty years later, living toys have moved a step closer to becoming reality.
Increasing numbers of toys are coming to life these days, so to speak. So-called smart toys are mini-computers that are increasingly connected to the internet and, thanks to sensors, can communicate and interact with people. They mark a new highlight in the development of networked devices and prove that digitization is advancing into almost every part of our lives — even into children’s playrooms.
In 2015, sales of smart toys across Europe generated revenues of 2.6 billion euros. Forecasts show that this amount could quadruple by 2020. “The market is enormous,” says Stefan Hessel, a specialist in legal aspects of information technology at the University of Saarland. One of his areas of research is smart toys.
Stuffed animals have an educational role to play — through language-recognition software they can respond to suggestions, answer and ask questions, and even suggest play activities, thereby guiding a child. These sorts of functions also make such smart devices interesting for children with learning challenges, such as autism or speech disorders. “However,” Hessel says, “the question is whether this best-case teaching factor actually always takes place, overcoming the problems. That greatly depends on the manufacturer.”
Only very few smart toys are above all suspicion.
Hessel has spent the past several years focusing on the data protection and data security features of smart toys. His research is what prompted the ban issued by the German Federal Network Agency in February 2017 on the doll “My Friend Cayla”—the possession of which may even constitute a criminal offense. The doll contains a hidden, transmission-enabled device along with a microphone—and thus has espionage capacities that aren’t allowed by the German Telecommunications Act. Doll owners were therefore urged to destroy the dolls in spring 2017. A lawsuit by the manufacturer against the ban is still making its way through the courts.
Such a radical ban as the one for the My Friend Cayla doll is rare—but the worry that smart toys spy on children’s rooms is increasing. In summer 2017, a spokesperson for the German Federal Network Agency confirmed that over the past several months it had sent out around four hundred requests to online retailers to remove certain smart toys from their range of products. Hessel, an expert in this field, can confidently state: “Only a very few smart toys are above all suspicion.”
The strengths of smart toys — their connection to the internet, more extensive sensor technology and higher “intelligence” — are simultaneously their biggest problem. That’s because it isn’t always clear what really happens with the data that’s collected by cameras or microphones, particularly if the toy’s IT security is too lax. “Take the Cayla doll,” Hessel says. “With a little bit of expert knowledge, I can connect to the doll with Bluetooth from about ten meters away and communicate with the child playing with it. I can give the kid instructions as if the toy were speaking.”
These security risks aren’t new, but rather are a general problem in our increasingly networked world. “From the basic logic of it, smart toys can be viewed similarly to wearables and home surveillance cameras,” says TÜV SÜD Chief Digital Officer Dr. Dirk Schlesinger. “These types of networked devices are always vulnerable to hacking from outside parties. And the topic of smart toys receives more attention because, in essence, we’re talking about defenseless children.”
Schlesinger and Hessel are therefore calling on lawmakers to extend protections in this area. EU toy regulations, for instance, only set standards for mechanical and chemical properties, but don’t mention anything about internet connectivity. “Today you can be fairly certain that a purchased toy is non-flammable and doesn’t contain any toxic materials,” Hessel explains. “But that no longer suffices. Now we have a completely different kind of toy for which IT security is becoming increasingly important.”
Testing toys only for flammability isn’t nearly enough these days.
While data security regulations will be changing due to the new, compulsory EU basic data protection regulations coming into effect in May, lawmakers still have an obligation to pass legislation for IT security. “There need to be effective standards for all personal smart-home devices — or a quality seal,” Schlesinger says. “Then manufacturers would have to fulfill minimum standards for process security, technical security and data security. The quality seal would end up being an important selection guide for consumers as to which device they might purchase, and which they perhaps shouldn’t.” TÜV SÜD already has a certification system for smart devices that could also be used for smart toys. Schlesinger continues, “As of yet, however, it’s mostly the gateways to the outside, meaning the routers, that get examined.”
The central security authorities of the United States have also been looking at this topic for some time now. The FBI recently issued a warning about smart toys, noting that the technology installed in these toys increasingly endangers the private sphere and the safety of children. As Hessel explains, “That can usually be understood to be the last warning shot before legal regulation.”
It’s quite possible that the home country of the blockbuster Toy Story will be the first to pass laws for the safe use of smart toys. Sheriff Woody from the film would certainly be proud—he was always trying to ensure that law and order prevailed among his toy friends.