Federal cybersecurity and privacy protections for children are not keeping up with the burgeoning data collection engaged in by “smart” toys and online games, Sen. Mark Warner said Monday, asking the Federal Trade Commission if the law needs to be changed.
In a letter to acting FTC Chairwoman Maureen Ohlhausen, the senator says he’s concerned the agency is soft-pedaling the dangers the Internet of Things might pose for children, citing a speech she gave earlier this year. “Reports of your statements casting these risks as merely speculative — and dismissing consumer harms that don’t pose ‘monetary injury or unwarranted health and safety risks’ — only deepen my concerns,” the Virginia Democrat wrote.
He cites the recent example of CloudPets, a product from Spiral Toys that’s marketed as “a message you can hug.” The company turned out to be storing users’ personal data in an insecure, public-facing online database — reportedly exposing over 800,000 customer logins and passwords and more than 2 million voice recordings sent between parents and children. Security researchers have shown that CloudPets’ toys can be hacked and remotely controlled, including the microphone, as long as they are within Bluetooth range.
“This one example demonstrates the importance of better incorporating security at the device level, on servers holding data collected by these devices, and across communications links,” Warner writes.
The senator points out that other countries’ privacy regulators “have taken steps to remove insecure internet-connected devices from the marketplace or warn parents about the dangers of such toys” — citing a decision earlier this year by Germany’s Bundesnetzagentur, or Federal Network Agency, to pull the children’s doll My Friend Cayla off the market in that country “due to concerns that the device could be used for unauthorized surveillance.”
He adds that although the FTC received a complaint from privacy advocates in December about the doll, the agency has taken no action.
Warner closes with a series of questions to the agency, including asking whether it needs additional legal authorities from Congress and whether its regulations for implementing the Children’s Online Privacy Protection Act, or COPPA, need overhauling.
“Do COPPA’s data security — including retention and data minimization — standards need to be updated? Are companies ignoring COPPA requirements, or are COPPA requirements not keeping pace with developments in data security and cyber security best practices?” he asks.