The Fraud Examiner

Santa’s Spies: The Privacy Risks of Internet-Connected Toys

Ron Cresswell, J.D., CFE  
Research Specialist, Association of Certified Fraud Examiners

My Friend Cayla is an 18-inch, smiling children’s doll marketed to girls between 4 and 10 years old. She knows millions of things, according to her promotional video, and she is happy to tell you about them. She can tell you her favorite food and remember yours. Give her a math problem and she can solve it. Ask her how to bake a cake and she will recite a recipe. My Friend Cayla is quite the conversationalist. According to the German government, she is also a spy. In February 2017, German regulators banned the sale of My Friend Cayla, calling the doll an illegal “surveillance device” and urging parents to destroy any models in their possession.


My Friend Cayla works by using an internal microphone and a Bluetooth internet connection to exchange data in real time with a voice recognition company in the U.S. That raised several issues for German regulators. First, the doll was able to surreptitiously record and transmit personal data, which violated a German law prohibiting concealed surveillance devices. Second, My Friend Cayla’s Bluetooth connection was unsecured (i.e., no password or other authentication method was required to access the network). Therefore, in theory, anyone could access the doll. In the worst-case scenario, hackers could use the doll to talk to the child.


While the German response to My Friend Cayla was unusual, it illustrates some of the dangers and fears associated with internet-connected toys.

