Privacy group wants to shut down "eavesdropping" Barbie
Naked Security Naked Security

Privacy group wants to shut down “eavesdropping” Barbie

It's worried about kids' voices being recorded by a corporation that will then target ads at them, but it should be far more worried about security and privacy.

Hello BarbieOn Valentine’s Day, toy maker Mattel introduced its Wi-Fi, microphone-sporting, speech-recognising, interactive Barbie doll.

“What could possibly go wrong?” we asked.

The Register also wondered what hijinx an internet-enabled doll might get into.

In fact, the publication took a deep dive into the news and wound up finding privacy concerns.

For one thing, it discovered that recordings of children’s voices are stored on remote computers so ToyTalk – the startup that developed the so-called “Hello Barbie” doll along with Mattel – can improve its voice-recognition engine.

Now, a privacy group, Campaign for a Commercial-Free Childhood (CCFC), has started a petition against Hello Barbie, citing The Register’s coverage.

As of Thursday evening, the petition had garnered 3297 signatures from those calling on Mattel to stop its “eavesdropping” doll.

The rationale:

Kids using "Hello Barbie"' won't only be talking to a doll, they'll be talking directly to a toy conglomerate whose only interest in them is financial. It's creepy - and creates a host of dangers for children and families.

Children naturally reveal a lot about themselves when they play. In Mattel's demo, Barbie asks many questions that encourage kids to share information about their interests, their families, and more - information advertisers can use to market unfairly to children.

Hello Barbie wakes up when you press a button on her belt buckle. The doll asks a question and turns on its microphone while the switch is held down.

ToyTalk CEO Oren Jacob says the child’s replies are recorded, encoded, encrypted and sent to the company’s servers, where they’re processed by voice-recognition software.

After ToyTalk’s systems puzzle out what was said, it then selects one of its scripts to read back. It could be a joke or something else a chatty friend might say.

Parents can sign up for weekly or daily emails in which Barbie spills the beans on what’s been said to her by a given tot.

While ToyTalk’s privacy policy isn’t clear on how long the recordings are stored, Jacob stressed to The Register that none of the recordings are used to play advertisements to children.

The Register is a bit bemused by all the kerfuffle.

Advertising at children is not the concern raised by the news outlet, writes Iain Thomson:

Although the group cites our story, the activists may want to read it again. Mattel's servers don't hold the conversations Hello Barbie records, ToyTalk does, and the startup has stated explicitly that the audio will never be used for advertising purposes.

What ToyTalk is really after is to enhance its voice recognition. That’s particularly desirable, given that kids use completely separate voice cadences, sentence structures and verbiage, making their voices a far less charted territory than adult voices.

What’s really at issue, he writes, is security and privacy.

After all, as one infosec commentator pointed out, all it takes is one renegade in the toy factory to blow a hole in kids’ opsec:

Barbie tweet

All it would take is a "rogue" employee and your child's interactions with Barbie are now the whole internet's business.