It has not been a good year for children’s privacy.
On Nov. 14, digital thieves breached two services at toy maker VTech, compromising the company’s Learning Lodge app store and Kid Connect servers and accessing information on more than 6.3 million kids and their 4.8 million parents.
While parents’ accounts included names, email and IP addresses, password retrieval information, mailing addresses, download history and encrypted passwords, most of the children’s data consisted only of their name, gender and birth date. In some cases, however, photos and unsent messages may have been stored as well, the company said in a statement.
“Upon discovering the breach we immediately conducted a comprehensive check of the affected sites and are taking thorough actions against future attacks,” the statement said. “The investigation continues as we look at additional measures to strengthen our Learning Lodge database and Kid Connect security.”
The breach has forced the Hong Kong-based toy firm to refocus on securing data. Yet, VTech is not the only company to fall afoul of privacy issues. Toy maker Mattel received loud criticism earlier this year for its marketing of Hello Barbie, a version of the well-known doll that converses with a child but also sends the conversations to a third party for processing (and alleged data mining). The doll also apparently has wireless flaws that could allow a hacker to eavesdrop on the conversation.
Privacy advocates are also leery of major companies’ educational services and how much data they are collecting on young students. On Dec. 1, the Electronic Frontier Foundation filed a complaint with the U.S. Federal Trade Commission alleging that Google had violated its own privacy pledge by collecting information on students through the syncing service on Chromebooks sold or provided to schools.
Along with Apple, Microsoft and 100 other school-service providers, Google has signed the Student Privacy Pledge, in which the companies promised not to collect, use or share students’ information except with parents’ permission or for legitimate educational purposes.
Google stressed that it continues to abide by the pledge and that the data from Chromebooks is only used to allow students to save their settings and, as anonymous data, to improve the service. The two organizations that authored the pledge agreed with Google’s interpretation, not the EFF’s complaint.
However, the incident, along with the VTech breach and Mattel’s Barbie missteps, highlights the privacy problems that manufacturers and online service providers will increasingly have to solve. As the Internet of things increasingly intersects with toys and children’s games, privacy issues will become more acute, Jason Hart, vice president of cloud solutions and data protection at Gemalto, told eWEEK.
Data Breaches Put Spotlight on Growing Threats to Kids’ Data Privacy
“Any time a child is creating data on a device, security should be the default on Day One,” he said. “Any consumer that is using a device or a technology or a Barbie Doll—certainly me (the company) as the custodian of the data—should give the parent the ability to protect the data.”
Mobile devices and the proliferation of apps aimed at kids add another layer of complexity. In a study of some 13,500 Android mobile applications, a research group at the University of California, Riverside found that almost 9 percent connected to Websites known to serve malicious code and nearly three-quarters connected to Websites containing material not suited for children.
Children do not have the skepticism to operate online and protect their privacy, and choices made during childhood could be stored by unethical companies for a lifetime, said Ted Collins, chief technology officer of kid-focused entertainment firm Playrific.
“Anything you put online is a digital tattoo; it never goes away,” he said. People think they “can post a photo on Snapchat, because it goes away. Wrong, other people are scraping the site and saving those pictures.”
The Children’s Online Privacy Protection Act (COPPA) has good defenses in place to protect children, but for the most part is aimed at online service providers. While protecting children’s privacy is mandated by laws in the United States, the European Union and other jurisdictions, it is not clear whether the laws will necessarily apply to VTech, which is based in Hong Kong, Collins said.
Also, unlike the European Union, the United States has a patchwork of laws regulating data protection, with different laws for health care, education, business and financial sectors, Alex Bradshaw, the Ron Plesser Fellow with the Center for Democracy and Technology, told eWEEK.
“There is not a law for everything and no law for every sector,” she said. “I wish we had a basic standard for U.S. privacy laws to make it easier for companies and better for consumers.”
To some degree, technology can help fill the gaps left by policy and enable greater control of data, Gemalto’s Hart said. Pervasive encryption and the use of private keys, where only the parent has a key that can unlock the child’s data, could allow parents to effectively delete their children’s data and be confident that no one can access the information.
“We can delete the key, and then the data is deleted,” he said. “When I sign up any manufacturer now, surely, they can say, OK, do you want to own the padlock to the account?”
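The key-deletion idea Hart describes is often called crypto-shredding. The sketch below is an added illustration, not code from the article, Gemalto or any vendor. It assumes an AES-256-GCM envelope design in which the parent's device holds the only copy of the key; all function names and the sample record are constructed.

```javascript
// Added example: crypto-shredding with a parent-held key (hypothetical names, constructed data).
const crypto = require("node:crypto");

// AES-256-GCM; the AAD ties each ciphertext to one child and one purpose.
function seal(key, plaintext, aad) {
  const iv = crypto.randomBytes(12); // fresh nonce for every message
  const c = crypto.createCipheriv("aes-256-gcm", key, iv);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, box, aad) {
  const d = crypto.createDecipheriv("aes-256-gcm", key, box.iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(box.tag);
  return Buffer.concat([d.update(box.ct), d.final()]); // throws on wrong key, AAD or data
}

// The vault is all the service (and any backup of it) ever stores: ciphertext only.
// These functions are assumed to run on the parent's device, so the key never leaves it.
function newVault(childId, parentKey) {
  const dataKey = crypto.randomBytes(32); // per-child data key, wrapped under the parent key
  const vault = { childId, wrappedKey: seal(parentKey, dataKey, `wrap:${childId}`), records: [] };
  dataKey.fill(0);
  return vault;
}
function store(vault, parentKey, record) {
  const dataKey = open(parentKey, vault.wrappedKey, `wrap:${vault.childId}`);
  vault.records.push(seal(dataKey, Buffer.from(JSON.stringify(record)), `rec:${vault.childId}`));
  dataKey.fill(0);
}
function readAll(vault, parentKey) {
  const dataKey = open(parentKey, vault.wrappedKey, `wrap:${vault.childId}`);
  return vault.records.map((b) => JSON.parse(open(dataKey, b, `rec:${vault.childId}`).toString()));
}

function demo() {
  const parentKey = crypto.randomBytes(32); // the "padlock" only the parent owns
  const vault = newVault("child-001", parentKey);
  store(vault, parentKey, { name: "Sample Child", birthDate: "2010-01-01" });
  const before = readAll(vault, parentKey);
  const backup = { ...vault, records: [...vault.records] }; // a copy the service forgot to purge
  parentKey.fill(0); // parent destroys the only copy of the key
  let recoverable = true;
  try { readAll(backup, parentKey); } catch { recoverable = false; }
  return { before, recoverable };
}
```

Deleting the key only amounts to deleting the data if the key was never copied to the service, logged, or escrowed. Data the service processed in plaintext before encryption is not covered.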
In addition, consumers need to be given more notification, Hart said. Just like nutrition labels or UL certification, toys and other products that pass data to the Internet should have a label that states what data they communicate and how that data is secured, he said.
“It’s a long way to get there, but to be honest, with the acceleration of IOT, we need it right now,” he said.