FBI Warns: Smart Toys are a Security Risk

John Lister's picture

The FBI has warned parents about privacy risks with 'smart' toys. It's more of a general warning rather than covering a specific product.

The agency says the warning covers a wide range of toys which "incorporate technologies that learn and tailor their behaviors based on user interactions." The key risk is when the toy has an Internet connection, meaning data can be passed on to a third party.

According to the FBI, the risks are particularly great given such toys may contain "sensors, microphones, cameras, data storage components, and other multimedia capabilities - including speech recognition and GPS options."

Data Could Be Used In Exploitation

The risk isn't so much that the company that makes the toy and provides the services will maliciously abuse the data collects. Instead there's a risk that it will be deliberately passed on to a third party for marketing purposes, or that it is intercepted and used for identity fraud or even as a way to exploit individual children. (Source: thenextweb.com)

The FBI notes that companies running online services connected to the toys risk breaching the Children's Online Privacy Protection Act, which severely restricts the collection and handling of personal data from people aged under 13.

FBI 10-Point Plan

The warning comes with a 10-point plan for parents to follow when buying such toys. Several of these relate to researching the toy, the company, and the way any data is stored. The FBI suggests checking the small print of privacy policies and asking questions such as where data is stored, who has access, and whether manufacturers will contact toy owners if there's a data breach. (Source: ic3.gov)

Other suggestions are more practical, including turning off smart toys when they aren't used and enabling all possible encryption such as on WiFi connections and requiring a PIN code on Bluetooth pairing.

The agency also says parents should use strong passwords when setting up accounts - such as mixing upper and lower case letters with symbols and numbers and not reusing the same passwords. Another suggestion is to only provide the minimum required details on registration and leave any optional fields blank, even if that means missing out on additional features such as providing the child's birth date to get a personalized greeting from the toy.

What's Your Opinion?

Do you have or know any children with smart toys? Is it realistic to expect parents to follow the FBI guidelines? Should laws and regulations of data handling and privacy be tighter when they relate to toys clearly aimed at children?

Rate this article: 
Average: 5 (6 votes)


matt_2058's picture

Again, I believe data collection should be an option for consumers, not a term of use. And specific permission for different aspects of data handling, not a catch-all. Like opting out of third-party dissemination.

Since the FBI has some ideas, why not publish a list of the risky products? Or are they keeping that hush-hush for possible exploitation?