Postgraduate student Nicole Girvan was concerned the growing prevalence of smart toys was putting Kiwi kids at risk.
She investigated the situation in New Zealand for her Master of Information Security and Digital Forensics.
“A look in any toy store or online toy sales will show a growing range of smart toys, from cute teddy bears and dolls targeted at preschoolers, to higher tech toys targeted at older primary school students. Activity trackers and watches are other categories with considerable connectivity that are becoming increasingly popular.”
Ms Girvan’s Master’s thesis in information security and digital forensics investigated the range of smart toys available in New Zealand, whether smart toys that had been banned internationally were available here, whether New Zealand parents were concerned about the risks posed by smart toys, and how much knowledge parents have about smart toys.
“The most notorious of the banned toys were not available here, which is positive. However, many smart toys that collect sensitive information and transmit it (often insecurely) via the internet to international locations are.
“My research identified a lack of awareness of the risks and an over-optimistic faith in the degree of protection offered by New Zealand privacy law.”
Ms Girvan surveyed nearly 400 New Zealand parents, and while they were concerned about data privacy and security, their knowledge levels around the specific risks and how to reduce them were low.
“My research also showed that although consumers who buy these types of toys are primarily women – mums, aunties, grandmas – their level of understanding of the risks is particularly low.”
Toys sold in New Zealand must meet physical safety standards, but there are no specific digital safety standards for toys, says Ms Girvan.
“The toy market is self-regulated, which has worked in the sense that toys which have been banned overseas aren’t sold here. But there’s not enough done by retailers to ensure their customers understand that the toys are connecting and transmitting data, often over unsecured networks. Buyer beware is fine in principle, but for these toys, the potential risks are great and could extend far into the future, so more needs to be done.”
To understand the market in New Zealand, Ms Girvan took a random sample of toys for technical testing for security vulnerabilities. She was looking for strong authentication, including strong passwords and only authorised users being able to connect to networks; secure data encryption; and comprehensive data privacy policies, specifically looking to see whether the toys were collecting excessive data.
“None of the toys I tested were good all round. All had some vulnerabilities, and some were very poor in areas. Almost all of the toys collected excessive personal data, including user locations, voice recordings and images. And there were often no mechanisms for users to limit the types of data captured.”
The drive to offer more features at lower prices can lead to security flaws, says Ms Girvan. “In some cases manufacturers are prioritising features over security, which exposes kids and families to risk.”
“Consumers need to be more aware of what they’re purchasing, and what they’re agreeing to when clicking ‘agree’ to terms and conditions on toys, devices and apps. But, buyer beware only goes so far. There is space for our retailers to take the lead, educate their customers and make sure they’re selling the best toys possible,” says Ms Girvan.
Nicole Girvan was the top student in her Master of Information Security and Digital Forensics (MISDF) cohort, and received awards as top student in MISDF and Computing, and a partial fees scholarship. She begins her PhD in 2020.
In Europe and the UK there has been a huge move to improve data security and privacy for consumers, via the General Data Protection Regulation (GDPR), implemented in 2018. This governs the transfer of personal data within and without the EU, protecting EU and UK citizens.
The New Zealand privacy laws are being reviewed, but currently don’t provide as much protection as consumers assume. Companies are not compelled to share information about data breaches and the New Zealand legislation doesn’t provide full protection when New Zealand residents’ data is sent offshore and/or stored offshore.