Data collection by smart toys makes the problem more pressing than ever.
Originally posted by: www.consumerreports.org
The digital lives of many children are born shortly after they are, when their parents start posting baby pictures on social media. Over the years a child’s digital trail lengthens, as the child and parents share more information online.
Safeguarding children’s online privacy should be a family priority, security experts say, but the challenge is becoming more complicated.
One new wrinkle is the advent of connected toys. It was recently revealed that one toy company might have left information from more than 800,000 user accounts highly vulnerable to hackers, exposing more than 2 million audio messages shared between children and their loved ones.
Meanwhile, the online risks presented by social media sites haven’t gone away. Here’s how parents can protect their children’s online privacy.
Be Wary of Connected Toys
Kids are more connected than ever. Even toys as simple as a teddy bear now often come with a Bluetooth or WiFi connection that can send information back and forth between the toy and a smartphone app or a server somewhere.
That was the case with CloudPets, a line of “smart” stuffed animals that lets family members record personal messages for a child using a smartphone app, then send them through the internet to the toy for the child to hear. Children can also record their own messages using the stuffed animal and send them to an approved list of recipients.
But researchers recently concluded that the toy’s makers didn’t adequately protect it servers, allowing hackers to gain access to user emails and secured passwords, along with audio recordings. The researchers complained that Spiral Toys, which owns the brand, had ignored repeated warnings about the problem.
According to a Spiral Toys statement, the company was notified of the problem on Feb. 22 and “took immediate and swift action to protect the privacy of our customers,” requiring all customers to create new, stronger passwords. The company said it hadn’t seen evidence that message data had been leaked.
It wasn’t the first time a children’s product was affected by security problems. In 2015, data stored by tech toy maker VTech was breached, compromising the profiles of 6.4 million kids, along with the 4.9 million parent accounts that they were connected to. The information in the children’s accounts included names, ages, and genders, the company, based in Hong Kong, said at the time.
How could such data be used? Experts say a terrifying worst-case scenario would be an attempted abduction, but a more likely outcome would be eventual credit card fraud or identity theft. Privacy risks recently prompted German officials to tell parents to get rid of an internet-connected doll called “My Friend Cayla.”
So what should parents do? Supplying toy companies with information about your child may help them provide a more customized play experience. But it’s up to you to decide whether that benefit is worth the information being shared.
One question to ask is where data is stored. If it’s just on the toy or in a smartphone app connected by Bluetooth, the risks might be relatively small. But the concerns are bigger in cases like CloudPets and VTech, in which data gets sent to a server somewhere where it can potentially be stolen by hackers.
Either way, there’s no harm in playing it safe: You can always enter a fake birthday or name. Or just pass on buying such toys in the first place.
Think Before You Post
Just like their physical security, your children’s digital security starts with you, especially when they’re too young to fend for themselves. So think before you post, and make sure you’re limiting who can see the information.
“I think trying to convince parents to not post photos of their newborn is probably impossible,” says Lance Cottrell, chief scientist at the cybersecurity firm Ntrepid. But parents may have unrealistic expectations of privacy. “It’s like I want to hire a skywriter for my marriage proposal, but for nobody else to read it.”
The mere act of releasing your child’s name, gender, hometown, and birthday to the world gives hackers something to work with. But there are common-sense ways parents can keep those posts from causing problems, mainly by limiting who can see them.
For instance, using Facebook privacy settings, you can set your posts to go to just your “friends,” rather than the entire world. If you want to limit that circle even more, create a list of “close friends” and set your posts to be visible only to them. A closed Facebook group, which requires you to approve everyone who requests access, can work, too. As a bonus, it will keep you from clogging the feeds of your non-baby-crazy friends.
Parents should also think twice before posting pictures that could reveals hints of a location, such as photos taken in front of their home or child’s school, says Mike Raggo, chief research scientist at ZeroFOX, a social media security company. On a related note, it’s also wise to wait until you get home before posting vacation photos. You don’t want to reveal to would-be burglars that you’re away from home.
Talk to Your Kids
“The talk” doesn’t just refer to sex anymore. Talking to your kids about proper internet usage and the consequences that bad online behavior can have is almost as important, but hopefully not as uncomfortable, a subject.
And it’s a wide-ranging topic, too. Just like their parents, kids need to know everything from how to set a strong password to how to spot phishing emails, as well as what can happen if they send an angry tweet or post a suggestive picture, says Michael Moniz, CEO and founder of the cybersecurity firm Circadence.
On top of that, kids can face cyberbullying and need to know what to do if one of their classmates posts a threat of violence on social media.
“We’re ships and travelers moving through the cyber world,” Moniz says. “If you’re anything of value, you’re going to be a target and parents have to be aware of that. We have to be good guides and give our kids the skills they need to navigate it.”
Most importantly, kids need to be reminded that what they post online becomes part of their “digital DNA” that will always remain online “no matter how much they try to scrub it away,” he says. Those posts will follow them when they apply to college or for a job down the road.