This semester I have been researching security and privacy associated with smart toys. Security expert and privacy advocate Patrick Hung defines a smart toy as a device consisting of a physical toy component that connects to one or more toy computing services to facilitate gameplay in the cloud through networking and sensory technologies to enhance the functionality of a traditional toy. Smart toys are capable of performing many exciting and interesting tasks that include video, voice recording, AI, and movement. These features may provide users with a satisfying experience, but they come at a cost: many of the devices within smart toys are vulnerable to security threats. Smart toys are considered part of the “Internet of Things”. As the use of IoT devices has grown in recent years, many security and privacy experts have discovered vulnerabilities in these connected devices and revealed to the public that they are susceptible to hacking.
In recent years there have been many notable hacking attacks on smart toys, resulting in the loss of millions of user accounts, which included addresses, photos, and voice recordings of their users. As part of my research into this topic I have been looking into what the government is doing to ensure that toy manufacturers are producing safe products. Government agencies such as the Federal Trade Commission are responsible for overseeing how business is conducted. The mission of the Federal Trade Commission is “working to protect consumers by preventing anticompetitive, deceptive, and unfair business practices, enhancing informed consumer choice and public understanding of the competitive process, and accomplishing this without unduly burdening legitimate business activity.”
In 1998 the Federal Trade Commission established COPPA, the Children’s Online Privacy Protection Act. The FTC website states that the primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children. The following are the COPPA guidelines for online businesses:
- Provide direct notice to parents and obtain verifiable parental consent, with limited exceptions, before collecting personal information online from children;
- Give parents the choice of consenting to the operator’s collection and internal use of a child’s information, but prohibiting the operator from disclosing that information to third parties (unless disclosure is integral to the site or service, in which case, this must be made clear to parents);
- Provide parents access to their child’s personal information to review and/or have the information deleted;
- Give parents the opportunity to prevent further use or online collection of a child’s personal information;
- Maintain the confidentiality, security, and integrity of information they collect from children, including by taking reasonable steps to release such information only to parties capable of maintaining its confidentiality and security; and
- Retain personal information collected online from a child for only as long as is necessary to fulfill the purpose for which it was collected and delete the information using reasonable measures to protect against its unauthorized access or use.