Germany's official regulator of telecommunications has ordered parents to destroy a tech-enhanced doll called My Friend Cayla because of security risks that can transform the toy into an illegal, hidden surveillance device.
My Friend Cayla is a smiling-little-girl doll who can answer children's questions and play games, the result of technology that connects to a smartphone and utilizes the Internet. But Germany's Bundesnetzagentur, the federal agency that oversees Electricity, Gas, Telecommunications, Post and Railways, warns that hackers can use Cayla both to listen to children playing with the doll and to say inappropriate things to children - the result of improper information security in the design of the toy's Bluetooth connectivity. The agency has demanded that the doll be removed from stores, and has told parents who have already purchased the doll to destroy it.
The issue with Cayla is not just one of putting children at risk. It is illegal in Germany for civilians to possess most forms of espionage devices, and Bundesnetzagentur claims that because of the vulnerabilities in the toy, Cayla is an example of such outlawed technology. As a result, parents do not have the option of forgoing their privacy and taking risks by owning the doll - it is, technically, a crime to possess it. (While possessing a hidden surveillance device in Germany can earn someone a jail term of up to two years, the agency has said that, at least for now, it will not seek to prosecute parents who have already purchased Cayla - but, it is unclear how, over the long term, it will address any parents who disregard its instruction to destroy the doll.) Cayla's manufacturer, Genesis Toys, has not yet responded publicly to the Bundesnetzagentur's order.
It should be noted that the issues with Cayla are not new: a vulnerability in the doll's software was first revealed over two years ago, and complaints have been filed by various consumer groups both in Europe and the United States. Concerns have also been raised about other offerings - but the present allegations in Germany, and the instruction to destroy the toy, do appear to show a new level of concern.
There are at least two important lessons to learn from this episode:
1. Toy manufacturers who are building tech-enabled toys must involve people who understand information security throughout the offerings' lifecycles (from conception to termination of support). Governments are increasingly paying attention to information security in children's toys, and they may prevent the sale of items that they feel put children (and others) at risk. Poor information security may also earn a toy significant negative press.
2. Parents - who should leverage tech-enabled toys to prepare their digital-native children for the world in which the kids will live - should understand the risks of inadequate information security, and must insist on proper information security in the devices which they purchase. Failure to do so could lead to problematic situations - in Cayla's case, parents will have to explain to children (some of whom may be attached to Cayla) why they must give up the toy. And, of course, having to explain situations of proactive destruction, as in Cayla's case, is among the smallest of the potential problems.