
When children unwrap holiday gifts these days, they may find internet-connected robots and talking teddy bears alongside classic board games or Lego sets. These digital products can be fun and even educational, but they also present some privacy and security risks you don’t find in old-fashioned toys.

“Any product with a WiFi or Bluetooth connection potentially can get hacked, whether it’s meant for children or adults,” says Robert Richter, who leads privacy and security testing at Consumer Reports. As our researchers have seen in the lab, many digital products collect and store information that can later be used by companies for marketing or just to develop new products.

To assess how the new generation of smart toys addresses digital-age concerns, Consumer Reports bought and tested a small sampling of connected toys. Our test included a smartwatch for kids made by Kurio; CogniToy’s Dino, a child-oriented smart speaker in a dinosaur’s body; Anki’s Cozmo, a robotic toy; and the Sphero SPRK+, a robotic ball.

All of them are available for sale this year; all of them can share data with smartphone apps; and as a group, they are targeted at children 5 to around 8 years old.

CR's testing shows that such products can carry some risks for children’s data privacy and security. Based on our results, our experts have a few suggestions that parents can follow. 

Parents Need Better Information

“We found a number of security and privacy problems with the toys we tested,” says Richter. “None of them pose a major immediate threat to the safety of children, but they follow a trend we see elsewhere with internet-connected devices in that companies could be doing a better job protecting customer data.”


For instance, he says, the Kurio watch stores some information without encryption, which scrambles data so that it can’t be read by anyone who doesn’t hold the key. Additionally, it uses an ID based on the child’s name to identify itself over Bluetooth.

CR’s testing found relatively minor problems with the Anki Cozmo and Sphero SPRK+ toys. The Cozmo includes a camera to help it navigate, but there is no indication, such as an alert light, when the camera is on. And the Sphero uses an unencrypted Bluetooth connection, though the company points out that no sensitive information is being transferred.

“Unfortunately, it’s not simple for a parent to examine security and privacy practices on their own,” Richter says. “That’s why we encourage companies to do a better job securing their products across the board, and to clearly label them with important information about their data practices.”

Experts say many of the internet-connected products on the market have security flaws, whether the items are meant for kids or adults. “People who are entrepreneurial generally aren’t thinking in security terms—they’re thinking about their ability to get their product to the market quick,” says Terry Dunlap, CEO of ReFirm Labs, which specializes in internet of things security.

To conduct our investigation we used the Digital Standard, a set of criteria designed by Consumer Reports, privacy experts, and other nonprofit leaders to guide the design and development of consumer software, digital platforms and services, and internet-connected products. We’ve used it before to help us test home security cameras, peer-to-peer payments apps, and TVs.

Products and services meant for kids are covered by the federal Children’s Online Privacy Protection Act, which requires companies to get parental permission to collect personal data about children and to guard the data carefully. Consumer Reports didn’t evaluate the toys we tested for COPPA compliance, but parents who think a company has failed to live up to its COPPA responsibilities can notify the Federal Trade Commission.

Here’s some of what our investigation uncovered, followed by tips for parents concerned when their children use connected toys.

Low-Price Toy, With Minimal Security

Kurio’s Kurio Watch 2.0+ for kids, which retails for about $40, lets kids play games, take pictures and video, pair their device with a friend’s Watch, or message their friends through a Bluetooth connection to their parent’s phone. An activity tracker and other smartwatch functions are built in.

CR's testing found that the watch uses personal information to establish a Bluetooth connection, creating an identifier based on the first names of both parent and child, along with their favorite colors.

That may not sound like vital data. But if the watch were lost or stolen, or if the Bluetooth signal was picked up by someone nearby, a stranger could end up with personal details that could help him gain a child’s confidence. That may be a remote danger, but it’s one that could easily be avoided if the company were to use a random identifier instead, our testers say.
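As an added illustration (example code written for this edit, not Consumer Reports’ test code and not Kurio’s actual naming scheme), the Python below contrasts a Bluetooth identifier assembled from registration details with one generated at random, and includes the kind of check a tester could run against a captured Bluetooth local name to see which registration fields it exposes. The registration values, the identifier format, and the sample advertisements are all constructed assumptions.

```python
import re
import secrets

# Constructed sample registration data for this example (not from the article).
REGISTRATION = {
    "parent_first_name": "Dana",
    "child_first_name": "Ellie",
    "parent_favorite_color": "blue",
    "child_favorite_color": "purple",
}


def weak_identifier(reg):
    """Illustrative weak scheme (an assumed format, not Kurio's): the
    Bluetooth local name is built from registration fields, so anyone who
    sees the advertisement learns the names and favorite colors."""
    return "-".join([
        reg["parent_first_name"],
        reg["child_first_name"],
        reg["parent_favorite_color"],
        reg["child_favorite_color"],
    ])


def random_identifier(prefix="KW", nbytes=4):
    """Hardened scheme: a random token generated once at setup and stored on
    both the watch and the phone. The prefix only identifies the product
    class; nothing about the owner is encoded. Uses the secrets module, which
    draws from the OS CSPRNG rather than a predictable generator."""
    return f"{prefix}-{secrets.token_hex(nbytes)}"


def leaked_fields(local_name, reg):
    """Return the registration fields whose values appear in an advertised
    local name (case-insensitive, matched as whole words so that a short
    name like 'Al' does not trigger on 'Alpha')."""
    leaks = []
    for field, value in reg.items():
        if not value:
            continue
        pattern = r"(?<![A-Za-z])" + re.escape(value) + r"(?![A-Za-z])"
        if re.search(pattern, local_name, re.IGNORECASE):
            leaks.append(field)
    return leaks


def audit_advertisements(local_names, reg):
    """Map each captured local name to the registration fields it leaks,
    keeping only names that leak something."""
    report = {}
    for name in local_names:
        leaks = leaked_fields(name, reg)
        if leaks:
            report[name] = leaks
    return report


# Constructed sample advertisements, as a Bluetooth scanner might report them.
SAMPLE_ADVERTS = [
    weak_identifier(REGISTRATION),   # e.g. "Dana-Ellie-blue-purple"
    "KW-9f3a1c7e",                   # a random-style identifier
    "Ellie's Watch",                 # a friendly name that still leaks the child's name
]

if __name__ == "__main__":
    for name, fields in audit_advertisements(SAMPLE_ADVERTS, REGISTRATION).items():
        print(f"{name!r} exposes: {', '.join(fields)}")
    print("Random identifier example:", random_identifier())
```

A random identifier is still a stable value, so the watch can be recognized again by someone who sees it repeatedly; what changes is that the identifier reveals nothing about who owns the device, which is the risk the testers describe.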

Secondly, our testers note that there’s no way for Kurio to provide new firmware to the watch to improve security. “That’s something we always look for,” Richter says. “Security updates are a fact of life for nearly any digital product. No software is perfect out of the box.”

Kurio responded to CR’s concerns by pointing out that no information from the watch is transmitted over the internet, reducing the opportunity for a hacker to gain access to personal data. “The watch is not connected to the internet, and the app’s data is stored exclusively on a user’s Android device,” the company said in an emailed statement.

A Company Fails and a Toy Gets Stranded

CogniToys’ Dino, which uses IBM’s Watson artificial intelligence platform to converse with young children, was developed by a tech startup based in New York called Elemental Path. The toy received lots of positive buzz when it launched on Kickstarter in 2015, and the product eventually ended up on the shelves and websites of major retailers.

Then, just a few weeks ago, Elemental Path was forced to shut down due to a lack of funding. If you go on the CogniToys website now, you’ll find the Dino listed for sale. But if you click on the “Add to Cart” button, you get a notice that says "Page Not Found."

In an email to Consumer Reports, JP Benini, Elemental Path’s CTO and co-founder, confirmed that the company is no longer selling the toy through its website, and it won’t be able to support Dino toys sold by other retailers.

That means that, like the Kurio Watch 2.0+, Dino toys in consumers’ homes won’t be receiving software updates to protect against emerging security threats.

And CR did find vulnerabilities when we tested the toy—some important information was being transmitted and stored unencrypted, and testers discovered that motivated hackers might be able to steal personal data.

“We have actually remediated some of those vulnerabilities to the best of our ability,” Benini said, but that others couldn’t be fixed because of problems with the hardware vendor the company was using.

And, Benini said, he “would not recommend any further sales until the way through all of this is clearer.”

Nevertheless, the Dino is currently being sold at steeply discounted prices on the websites of major retailers, such as Amazon, Buy Buy Baby, and Walmart, with no mention of Elemental Path’s financial troubles or the acknowledged security flaws.

Uneven Privacy Policies

Consumer Reports' testers evaluated the privacy policies and terms of service for the toys, looking for easy-to-read language and clear instructions for how a parent could delete a child’s data.

(Like most websites, CR.org collects user data. The details are described in our privacy policy; our approach to privacy is outlined here.)

Testers credited the companies with following several good practices. For instance, Cozmo provides clear instructions on how to delete data collected by the manufacturer and clarifies that “Images from Cozmo or the Cozmo App are not stored or transmitted to the cloud.” Other policies tell parents how to opt out of some data collection and how to use parental controls.

Notably, Kurio’s privacy policy isn't displayed on either the Watch or its companion app. When testers went online to read it, they found that the policy had not been updated since July 3, 2013, three years before the toy entered stores, and that the document didn’t mention the toy.

Kurio told CR that the privacy policy is reviewed annually by the company’s legal team, but that it will start incorporating the privacy policy in next year’s version of the Watch and its companion app.

What Parents Can Do

Without the tools, training, and time to test it, there’s no sure way for parents to know whether a particular connected toy is taking strong measures to safeguard personal data. However, CR’s Richter says the following measures can help you and your kids stay safer.

Limit what data you share. Just because a manufacturer requests your child’s name, gender, birthdate, and favorite color during the registration process, that doesn’t mean you have to provide these details. Not the real information, anyway. In some cases, you can skip questions you don’t want to answer. In other cases, go with made-up details. In its emailed statement, Kurio pointed out, “Parents do not have to enter the child’s first name” when setting up the watch. “They simply need to enter at least one character or can choose any word or alphanumeric combination they would prefer.”

Set strong passwords. All connected toys should require a strong, unique password when you set up an online account or pair the device with your smartphone. But create one even if the toy doesn’t ask. Ideally, use a passphrase made up of several words, and make sure not to use the same one for multiple accounts. No, this isn’t banking data, but it’s still very important and worth guarding.

Talk to your kids. This is an early opportunity to start educating your children about what to share online and what to keep private. Explain that any message, photo, or voice command they give an internet-connected toy could be shared with a big company and stored for a long time. That doesn’t mean they shouldn’t have fun with the toy, but it does mean the device can't be trusted to keep secrets.


Editor’s Note: Our work on privacy, security, and data issues is made possible by the vision and support of the Ford Foundation, the Alfred P. Sloan Foundation, and Craig Newmark Philanthropies. Craig Newmark is a former board member of Consumer Reports.