Why smart toys are a dumb gift idea -- and how to protect your kids if they already have them

Giving a child a toy that can record sound, images and chat, which it can then upload to some server somewhere... What could possibly go wrong? The answer is, quite a lot.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

Mattel's talking Hello Barbie is a $75 toy that talks to children like Siri from an iPhone -- and it's hackable.

Smart toys look set to be a popular gift this holiday seasons, but the evidence points to them being a dumb idea.

Giving a child a toy that can record sound, images and chat, which it can then upload to some server somewhere... What could possibly go wrong? The answer is, quite a lot.

First off, how much do you trust the company that's storing and processing that data? VTech, the toy company at the center of a data breach earlier this month, admitted that their database was "not as secure as it should have been."

And I find it hard to believe that VTech is the only toy company that has been sloppy with the data it holds.

"Smart" is the latest buzzword to hit consumer electronics, and toymakers are, in a scrabble for profits, falling over themselves to bring connected toys to market. But as the VTech hack showed us, these companies might not be up to the challenge of keeping our children's data safe. Security is a complex and expensive undertaking, and it's something that toymakers haven't had to think about before.

On the face of it, any information that a kid could input into a smart toy might seem worthless, given that most kids don't have credit cards and such. However, there's a real risk of ID theft if users were required to register personal information, and children are particularly valuable to fraudsters because they have a clean credit history. Children's social security numbers and birth dates are also much sought after by criminals.

And to make matters worse, a child might not even know their identity was misused until well into adulthood, which would make sorting out the mess much more difficult.

Additionally, a breach could expose a wealth of highly sensitive information such as photographs (and in my experience, children can be pretty indiscrete photographers), the child's thoughts and feelings, communications with loved ones and so on.

And remember, once any data is leaked, it's then out there, forever.

Another problem is that many smart toys are, by nature, duplicitous. Children have historically confided in their toys, and "told" them things that they might not have felt comfortable telling others. But smart toys change that dynamic. The child might think that they are talking to a video game character or a doll or dinosaur, but they're in fact talking to some soulless server located who-know-where that's coldly collecting and collating all that information. The smart toy - or the cloud behind it - isn't smart enough to know when to turn a blind eye or ear to some bit of information, and can't exercise discretion when it comes to deleting something that shouldn't be stored.

Now you might think that the solution is for parents to be able to access all the information that the toy collects. The parents can then choose what data is preserved and what's deleted. The problem with that is not only that it makes all the data accessible over the internet - after all, how else is are the parents going to curate it - but it also leaves clearing up the mess to the parents, and that might be something that a lot of moms or dads might not don't have the time for. It also assumes that the parents understand what's going on with the toy in the first place. Most parents I've spoken to don't understand just how much data and sensitive information a child's toy can be collecting and sharing.

Also, I'm not sure about the ethics of an adult having access to a child's interaction with a toy. I can't put my finger on it, but something there feels wrong, especially given that most children won't understand what their toy is actually doing.

I really don't mean to be a Grinch when it comes to smart toys, especially since some of them seem pretty cool. But even before the VTech hack I was wary of the idea of data slurping toys kitted out with cameras and microphones. The kids aren't supposed to understand what's going on behind the scenes, most parents aren't clued up, and the toymakers don't seem ready for the battle with the hackers.

And don't get me started on the potential security risks to your network of having such devices connected to it.

If you have toys (and don't want to landfill them) then things get a bit more difficult. Because there's enormous variation between different toys and services, it's only possible to give broad-brush security tips.

  • Don't give toy firms your personal information. If you have to enter something, consider using inaccurate or fake date if at all possible. Don't use any of your main email addresses, instead create separate email addresses and accounts.
  • If your Wi-Fi router allows you to set up a "guest network," create one and connect the smart toy to it. That will isolate it from your other devices as well as giving you a kill-switch.
  • Try to get a clear idea of what any smart toy is capable of and what information it collects. Check to see if there are any settings that you can adjust. Perhaps it is possible to turn off or disable some of its features.
  • Taping over a lens or a microphone is quite effective.
  • Talk to your children about security. In my experience I've found that kids are smart and take quickly to the idea of being safe online.

Dumb toys seem to be the smartest choice.

See also:

Hardware 2.0 Holiday 2015 Ultimate Gift Guide

Editorial standards