The smart doll “Cayla” is a very creepy example of the ongoing data security and privacy concerns that hamper the widespread adoption of the Internet of Things. German regulators (Bundesnetzagentur) have removed the smart doll “Cayla” from the market, warning that hackers can use Cayla to access and misuse personal data of children through an unsecured Bluetooth connection.
Privacy concerns also flow from the collection of personal data, habits, and locations. A built-in microphone and Bluetooth connection allow a child to talk to the doll “My Friend Cayla”, who then answers questions and tells stories just like a real friend. The doll can be managed through a mobile application.
The application specifically asks children to provide personal data including their parents’ names, the name of their school, their favourite TV show and the place where they live. Anything the child says can be recorded and transmitted without the parents’ knowledge or consent. The Cayla application also invites children to set their physical location.
Through the unsecured Bluetooth connection, anyone in the vicinity of the doll can eavesdrop on conversations of the child or its parents, which of course is a serious privacy concern.
The American manufacturer of the doll, Genesis Toys, states that it has sold at least one million of them since they first went on sale in 2015.
Any toy that is capable of transmitting signals that can be used to record images or sound without detection is banned in Germany. The Bundesnetzagentur is the authority responsible for enforcing the ban on surveillance devices.