Maybe you've seen Cayla, the interactive talking doll, in the news lately. She's being accused of some pretty bad behaviour.
Cayla doesn't seem to learn from her mistakes. Almost 2 years ago security experts demonstrated she could be hacked, and that vulnerability still exists.
Cayla brings to mind the hackable Hello Barbie, another conversational doll on the naughty list last Christmas. Consumer groups started a campaign called Hell No Barbie in protest.
Cayla outdoes Barbie, who interacts with appropriate preset responses pulled from a database. Cayla converts audio to text and actually searches a number of sites, including Wikipedia, for replies. That IS pretty cool.
But having no security, Cayla connects with ANY bluetooth on a phone or tablet within 50 feet. After connecting, a simple hack lets users talk THROUGH Cayla and eavesdrop on conversations taking place near her. Those things can be done at a distance.
While the security issues reported in the news are certainly cause for alarm, those of us concerned with privacy law will find Cayla getting an F on a host of topics.
AN ALARMING USE OF VOICE RECORDINGS
She was born of 2 American based companies, Genesis Toys and Nuance Communications. Nuance, which provides the speech recognition software, is a leader in speech technology and voice biometrics.
Nuance has a database of 45 to perhaps as many as 60 million voiceprints, and their clients include military, intelligence and law enforcement agencies. That makes people nervous because the children's voice recordings are sent to Nuance to be converted to text.
Nuance states they use the voice and text information it collects to "develop, tune, enhance, and improve Nuance services and products." And that the information may be shared with third parties acting under the direction of Nuance.
Among the questions Cayla asks her friends are the names of family members, where they attend school, and where they live. IP address is also colected. In addition to the surveillance potential for any conversations about family, the collection of personal information from children younger than 13 is in violation of COPPA.
Parents must accept the Terms of Service BEFORE they can read it in order to set up the app that connects Cayla to the internet via a smart phone. The Terms are accessible only on a smart phone or tablet, are in a tiny font size, contain approximately 3,800 words, numerous repeated paragraphs, and excessive use of all-caps font.
AND, the Privacy statement says it can change at any time and so "you may wish to check it each time you submit personal information to us."
Seeing as its impossible to read it the first time, people don't realize they have agreed that Cayla "may collect and use the contact names that appear in your address book as part of the Services and to tune, enhance and improve the speech recognition and other components of the Services, and other services and products." Cayla also fails to Comply with Deletion and Data Retention Requirements.
Speaking of advertising, Cayla must be making some big bucks off product placement. She touts various disney products with pre-programmed phrases. Her vacation preferences say she wants to go to Epcot in Disneyworld and enjoys visiting Disneyland. Cayla gives no disclosure of any product placement.
COMPLAINTS HAVE BEEN FILED
Some think Cayla needs to go into a timeout. Groups in the US and Norway have filed complaints, and others are coming from France, Sweden, Greece, Belgium, Ireland and the Netherlands.
In the US the complaint was filed with the FTC and submitted by The Electronic Privacy Information Center, The Campaign for a Commercial Free Childhood, The Center for Digital Democracy, and the Consumers Union. See it here:
Don't miss this great video by the Norwegian Consumer Council. It's quick and it's scary.