The over-connected doll, a Toy Story gone awry
26 Sep 2018
Imagine a doll that listens to you, records you and forwards everything to a company in China. Imagine that it can also be hacked by a third party, who could listen to your conversations and talk directly to your child through it. Is this the script for a new episode of the television series “Black Mirror”? Not at all: it is a very real situation that France’s Data Protection Commission (Commission nationale de l’informatique et des libertés, or CNIL) had to deal with on 4 December 2017 (decision no. MED-2017-073 of 20 November 2017).
Facing a cross between a horror film and a spy novel, the CNIL issued a formal notice to the Chinese company Genesis Industries Limited, the manufacturer of Internet-connected dolls, for a serious breach of privacy caused by poor security. It ordered the company to comply with France’s data protection act no. 78-17 of 6 January 1978, known as “IT and freedom”, within two months.
Breach of privacy
The connected dolls “Mon Amie Cayla [My Friend Cayla]” and “I-QUE” gather a considerable amount of information about children and those around them by listening in to conversations through a microphone in the doll. More importantly, the manufacturer is not the only one able to collect data. Any person with a mobile phone who is within nine metres of the doll, even outside the building, can connect to it by Bluetooth without having to authenticate. In this way, they can listen to and record any conversations that take place near the toy.
In addition, once connected, this person can take control of the doll from up to 20 metres away and use its speaker to communicate with the child. This can be done indirectly, by playing previously recorded sounds or words into the phone through the doll’s speakers. It can also be more direct, by calling the phone connected to the toy from another phone: the person speaks into the first phone and the second phone “speaks” to the child through the toy’s speaker via Bluetooth. It is also possible for a person to connect to the doll via any wireless network with which the doll is synchronised, if the wireless network has not been properly secured.
The consequences are numerous and very concerning. If the “spy” is not part of the family, approaching a child in this manner unquestionably constitutes a safety threat. We’d rather not think of possible scenarios in which a child could be tricked by a hacked doll. On the other hand, it could be a parent who wants to monitor her child by connecting to the doll and listening in remotely. Although one can understand that the parent’s intention is to protect her child, this approach raises the issue of children’s right to privacy. What impact can such interference have on the parent-child relationship? If deprived of the right to whisper secrets to her favourite teddy, how is the child ever to construct her own personality when faced with an all-knowing parent?
In light of these risks, the CNIL could only conclude that such security failings constitute a breach of privacy and are therefore in violation of article 1 of the Data Protection Law.
According to the regulation 2016/679 of 27 April 2016, known as the General Data Protection Regulation (GDPR) – applicable since 25 May 2018 in all EU member states and transposed in France via the Data Protection Law – connected objects, a category that includes the doll, must meet new obligations in terms of security of personal data.
Under Article 25(1) of the GDPR, those objects must, from the moment of their design and for the duration of their use, comply with data protection principles by taking “appropriate technical and organisational measures”. This innovative principle introduced by the GDPR, called “Privacy by Design”, means that the doll must be designed to provide the security required by the regulations with regard to the processing of personal data in its interaction with a child. Rendering the doll secure must therefore take place during manufacturing, taking into account “the nature, scope, the context and purposes of the processing, as well as the risks […] the processing has for the rights and freedoms of natural persons […]”.
In this instance, because the consumers are children and the doll is used within a household, access to it should be secured with a password and the data encrypted. The transmission distance of the Bluetooth signal should also be reviewed. It should have a switch that can be used to disconnect the doll and thereby limit the risks of intrusion.
Connected dolls must also comply with the Privacy by Default principle set out in Article 25(2) of the GDPR, i.e. they must, by default, be configured so that there is as little intrusion as possible into the privacy of children and their families. Parents can change the default setting if they wish.
In addition, considering the nature of the data processing and the risks related to the rights and freedoms of children and their families, the data controller company must carry out an impact analysis in accordance with the GDPR. This will make it possible to assess the risks and present measures to tackle them.
Failure to inform the users of the toy
In the case of Genesis Industries, the manufacturer did not provide information to the toy owners, or more precisely to their family members, on the processing of personal data, particularly the transfer of such data to a third-party state.
However, informing users of such toys is now an important obligation provided for, and strengthened, by Articles 13 and 14 of the GDPR. These articles require mandatory information on several aspects, in particular the ultimate purpose of and legal basis for the processing of data, a statement on the rights of those persons whose data are collected, and the period of time for which such data are stored.
The serious nature of this case must be underscored, as the activity affects children. Indeed, beyond the invasion of privacy itself, it is above all the vulnerability of those concerned and the need to inform the public about this lack of security that led the CNIL to make the formal notice public.
Follow-up to the formal notice
Issuance of a formal notice is not a sanction: if the company complies with the law within the given timeframe, no further action is taken. However, as we write this, the procedure does not appear to have been closed, while the sale of the doll has been banned in Germany since February 2017.
Should the company not comply with this formal notice, the CNIL may impose significant penalties. These penalties have been greatly increased and widened by the GDPR. In particular, a compliance injunction may be issued, accompanied by a penalty payment of EUR 100,000 per day of delay until compliance, together with limits or bans on processing or the suspension of data flows to a recipient located in a third country.
The CNIL could also report these practices to the Public Prosecutor. Such practices are punishable with a EUR 300,000 fine and a five-year prison sentence. Finally, a violation of the GDPR provisions is punishable with a fine of up to EUR 20m or 4% of turnover, whichever is greater. This is surely more than enough to ensure that children’s connected toys are secure.