The Washington PostDemocracy Dies in Darkness

This pretty blond doll could be spying on your family

By
February 23, 2017 at 2:08 p.m. EST
The “My Friend Cayla” doll on sale at the DreamToys toy fair in central London. (AFP/Leeo Neal )

The My Friend Cayla doll seems innocent enough. She's pretty, with curly blond hair, big blue eyes and kicky Converse sneakers. Her necklace lights up. And Cayla is Bluetooth-enabled, which means she can connect to the Internet and chatter with her owners about horses and hobbies. The American-made doll can even respond to questions, Siri-style.

Like if you ask, say, “Can I trust you,” Cayla will respond (no joke), “I don't know.”

Out of the mouths of babes.

According to German officials, Cayla is a prime target for hackers, who can use the toy's technology to spy on families and collect private information. That's because the doll collects and transmits everything it hears to a voice recognition company in the United States. The threat is scary enough that the country's telecommunications regulator has advised parents to immediately toss the doll and destroy its internal microphone.

How to stop data collection on your Vizio (or other smart) television

“Ownership of this device is illegal,” Olaf Peter Eul, a spokesman for the country’s telecom regulator, told reporters. “We expect people to act as lawful citizens and destroy the functionality of the doll.”

The doll violates a German regulation against wireless devices with hidden cameras or microphones. Officials have pulled the doll from the shelves, though they say they won't penalize owners.

Genesis, the company that produces the toy, has not responded to requests for comment. In a statement, Nuance, which makes the doll's voice-recognition software, said the company does not share data collected with marketers or other customers.

Can anyone keep us safe from a weaponized ‘Internet of Things?’

Cayla is an example of a much broader phenomenon: More and more of our “things” are being connected to the Internet. One tech company estimates that by the end of this decade, 50 billion things will have Web connections, everything from refrigerators to cars to lightbulbs. That has an upside — one day soon, your car may be able to read your texts as you drive, and your fridge could assess what's inside it and carefully manage its energy use.

But many of these products are also vulnerable to cyberattack. And that can provide snoops, spies and other ne'er-do-wells access to our most intimate moments.

In Ohio in 2014, for example, a father was awakened one night to the sound of a man shouting, “Wake up, baby!” He rushed to his young daughter's room only to discover that the noise was coming from a Web-connected camera he had put up to monitor his kid. When he entered the room, the camera rotated to face him, and the person on the end of the camera screamed a string of obscenities.

Hello (hackable) Barbie

One team of researchers showed that it's possible to “hack” into a car and take over the vehicle. Another investigator discovered a couple of years ago that someone could remotely tamper with his computerized insulin pump. A malicious hacker could change the amount of insulin being administered without anyone knowing — and put the pump's user in danger.

Germans are particularly sensitive to these issues. It wasn't so long ago, after all, that the country was divided, with East Germany suffering under one of history's most repressive surveillance states. As a result, the country has some of the strongest data-protection laws in the world. For example, a “Hello Barbie” with voice recognition software was banned by Germany even though it was sold in the United States. The press dubbed the doll “Stasi-Barbie,” referring to East Germany's notorious secret police.

But other countries also share Germany's concern. Norway may also ban the toy; last year, the country's Consumer Council put out a video warning about the doll's vulnerabilities. Parents in the United States are wary, too. Consumer watchdog organizations filed a complaint in December with the Federal Trade Commission, claiming that the “toys subject young children to ongoing surveillance,” a violation of privacy and consumer protection laws.