FBI Issues Warning on Internet-Connected Toys

• By Richard Chang
• 07/19/17

The FBI has issued a consumer notice warning that internet-connected toys could pose a privacy and contact threat to children, because of the large amount of personal information that may be unknowingly revealed.

The FBI is urging consumers to consider cybersecurity before introducing smart, interactive and internet-connected toys into their homes or private environments.

“Smart toys and entertainment devices for children are increasingly incorporating technologies that learn and tailor their behaviors based on user interactions,” the public service announcement states. “These toys typically contain sensors, microphones, cameras, data storage components and other multimedia capabilities — including speech recognition and GPS options.”

The consumer notice says microphones could record or collect conversations, and information including “a child’s name, school, likes and dislikes and activities may be disclosed through normal conversation with the toy or in the surrounding environment.”  

Similarly, “the collection of a child’s personal information combined with a toy’s ability to connect to the internet or other devices raises concerns for privacy and physical safety.” Personal information, such as a child’s name, date of birth and pictures, is often provided when creating user accounts. Furthermore, companies collect large amounts of data, including past and current physical locations, internet use history, and internet addresses/IPs. The FBI warns that the exposure of this kind of information can lead to child identity fraud. Plus, the misuse of data such as GPS location, known interests and visual identifiers from videos or pictures, could lead to exploitation or contact risks.

The FBI recommends that consumers should “examine toy company user agreement disclosures and privacy practices, and should know where their family’s personal data is sent and stored, including if it’s sent to third-party services.”

The FBI also recommends that parents should research toys and:

• See if there are any known security issues;
• “Only connect and use toys in environments with trusted and secured WiFi internet access”;
• Monitor children’s activities with the toys;
• Make sure the toy is turned off when not in use, especially if the toy utilizes microphones or cameras; and
• Use strong and unique passwords when logging in or creating user accounts.

The Children’s Online Privacy Protection Act (COPPA) does establish requirements for website and online service operators geared toward children under 13 years old. For COPPA rules, visit this site.

Also, on June 21, the Federal Trade Commission (FTC) updated its rules to comply with COPPA. Those rules can be viewed here.

If you think your child’s toy might have been compromised, you can file a complaint with the Internet Crime Complaint Center at www.IC3.gov.

To read the full public service announcement, visit this site. If you have questions, the FBI says you should ask your local FBI field office. A list of local field office locations is located here.