Shining a light on the privacy threat of Internet-connected toys, the Federal Trade Commission has started to crack down on companies that fail to protect data collected via kid’s toys and demand that parents get the chance to proactively approve privacy policies. The agency on Monday slapped a $650,000 fine on VTech, a maker of educational toys, for instance.
But it’s not just your kids’ toys that are spying on you and your family. “We have done well with protecting the privacy of children, but everyone is vulnerable,” said Dona Fraser, director of the Children’s Advertising Review Unit.
The rapid growth in the “Internet of things” has created dozen of household touch points where everything from personal conversations to passwords could be leaked into the vast and ephemeral reaches of “the cloud.” What happens to the data then is anyone’s guess, privacy experts contend.
“The internet of things is a growing concern,” said Alan Brill, managing director of Kroll’s cyber security and investigations practice. “We got here so quickly that a lot of people didn’t think about the fact that these devices might be insecure.”
So-called “smart” devices now freckle the average American’s home. Your phone, your “Nest,” the television, the kid’s toys, even the bluetooth enabled refrigerator, stereo or printer, are all gathering data from your home environment and sometimes sharing that data amongst themselves.
Your refrigerator, for instance, may want to access the contacts on your phone. The weather app on you phone, meanwhile, may demand to grab data from every other connected device on your network. Without a secure system — and limits on what each device might access — Americans could be broadcasting everything from their intimate moments to their bank account passwords.
Indeed, the FTC’s action on Monday was spurred by a 2015 data breach at VTech, which makes a host of internet-connected educational toys. The company’s customers had to register at its “Learning Lodge,” plugging in data on children’s ages and gender, as well as information about their parents and where they lived. However, the data, which was supposed to be encrypted, was hacked, exposing information about 5 million consumers, half of which were children. The FTC fined VTech $650,000 and is requiring outside audits of its data security, as well as other reforms that will better inform parents about the data they may be sharing.
Experts said it was a good first step and may spur consumers to think a little harder about the privacy they’ve sacrificed when they buy and use internet-connected devices.
“People aren’t thinking about security when they bring an internet-connected toy into the household. They’re just thinking that the kids want it and they want to give the kids what they want,” said Fraser. “But does it have a camera? A microphone? Can you turn those things off without eliminating the functionality of the toy?”
And the same holds true for all of the adult toys — Alexa and Google Home, for instance.
“Things like Alexa and Google Home have to listen to every word because they are listening for they key word that tells them to function,” said Heather Wagenhals, certified identify theft risk management specialist at MoneyCreditAndYou.com. “What they do with that information is not clear.”
How do you protect your privacy in an increasingly interconnected world?
Read the terms
No one wants to do it, but almost every internet-connected device comes with a set of terms and conditions that spell out what data is being collected and how it is used. If a product or app seems to be over-reaching, demanding access to data that has little to do with the functionality of the device, don’t buy it or enable it on your phone, suggests Wagenhals. To be sure, reading terms and conditions for every web-connected device is time consuming. “That’s a heavy lift that’s sometimes ignored,” Fraser acknowledges.
Where legitimate companies publish their collection and use of your data, knock-offs don’t necessarily publish policies or adhere to best practices, said Brill. “It’s the flood of products that come from other countries, where this kind of regulation is not necessarily enforced and that believe that they don’t have to comply, that pose a real risk,” he said.
Flip the switch
When a product is not in use, turn it off, suggests Wagenhals. That will at least temporarily stop it from collecting data while you’re sleeping — and before you have a chance to gather your wits with a cup of coffee.
If you have multiple devices working off your wifi, make sure to secure your network with a good password. The best passwords have 20 or more characters, including at least two capital letters, two numbers and two symbols, Wagenhals said. And be sure that all of your devices require a password to access the network. Those that don’t can create security holes in your system, she said.
© 2018 CBS Interactive Inc.. All Rights Reserved.