This article was published on November 28, 2015

Here’s why privacy experts are concerned about Mattel’s new Hello Barbie


Here’s why privacy experts are concerned about Mattel’s new Hello Barbie

As an adult, most of us are painfully aware of just how often we’re tracked by marketers. Until now, children have been mostly immune from any means of invasive tracking by the things they played with.

This is all about to change.

‘Hello Barbie,’ a conversational doll from Mattel, is at or near the top of the Christmas/Holiday gift lists for many kids around the world. The doll uses smart AI in order to listen and respond to simple messages delivered by younger children, but it’s not what she’s saying that has privacy advocates concerned.

Instead, it’s the cloud-based listening mode that’s activated by holding down Barbie’s belt buckle. From there, everything a child says is transmitted to cloud servers and analyzed by ToyTalk, a technology partner that Mattel relies on to analyze the data.

68926f1d-6816-453f-b4cc-2a75275ddaa8.tif.w480

Employees of ToyTalk and their partners — whom they won’t name — listen to these recordings of children’s conversations with the doll and — according to their privacy policy — use them to “provide, maintain, and analyze the functioning of the Service, to develop, test or improve speech recognition technology and artificial intelligence algorithms, and for other research and development purposes.”

It’s the last bit that raises questions. What exactly is “other research and development purposes,” and could it include using this speech data to market to children?

According to the FAQ on the ‘Hello Barbie’ website.

Screen Shot 2015-11-27 at 2.20.57 PM

Of course, it seems that Mattel could have a very different definition of what marketing actually entails.

Just so we’re all on the same page, here is how the Oxford Dictionary defines marketing:

Screen Shot 2015-11-27 at 1.09.53 PM

Using this definition, the act of Mattel possibly collecting market research and selling that research is marketing. This marketing ultimately impacts children both directly and indirectly.

Its technology arm, ToyTalk, says as much in its privacy policy.

Under the “How Do We Use the Personal Information We Collect?” sub-heading.

  • to monitor and analyze usage and trends and demographic information, and to personalize and improve the Service, our technology and our users’ experiences;
  • to provide you with news and information about our events, activities, offers, promotions, products, and services we think will be of interest to you (with your consent where prior consent is required by applicable law);
  • to send you confirmations, updates, product announcements, security alerts, and support and administrative messages and otherwise facilitate your use of, and our administration and operation of, the Service;

Mattel isn’t alone.

A Google patent from May shows a child-friendly design idea featuring a connected teddy bear and a stuffed rabbit that could lead to similar privacy concerns. The patent abstract states:

An anthropomorphic device, perhaps in the form factor of a doll or toy, may be configured to control one or more media devices. Upon reception or a detection of a social cue, such as movement and/or a spoken word or phrase, the anthropomorphic device may aim its gaze at the source of the social cue. In response to receiving a voice command, the anthropomorphic device may interpret the voice command and map it to a media device command. Then, the anthropomorphic device may transmit the media device command to a media device, instructing the media device to change state.

The toys will include cameras, speakers, microphones and would upload spoken data to cloud servers where it would be stored, analyzed and potentially — much like ‘Hello Barbie’ — use this data to provide personalized marketing or at least track customer behavior.

Screen Shot 2015-11-27 at 2.03.14 PM

According to a recently published paper titled “Treading Beyond the Iota of Fear: eDiscovery of the Internet of Things“:

…by connecting multiple communication devices into a single automated ecosystem, one can create not only a very accurate data map about a person’s part and recent activity, but also dispense a sensory device – robotic or otherwise – to cater to the person’s anticipatory needs. But will you have control over your personal data map?

Google may already be doing this with its Nest thermostat, according to the paper, which was originally published in Bloomberg BNA.

Adding additional connected devices just makes sense. The toy market is reportedly worth $84 billion and remains mostly untouched by the marketing world, at least in a sense of tracking consumer behavior and interest in the same way we track these behaviors in adults.

Aside from marketing, the new generation of connected toys could lead to legitimate security threats from hackers. ‘My Friend Cayla‘ is a glorified Bluetooth headset masquerading as a doll that’s easily hackable. In fact, hackers have identified a number of vulnerabilities that led to relatively simple hacks to get her to cuss, or quote ‘50 Shades of Grey.’

Mattel’s ‘Hello Barbie’ has security vulnerabilities as well. Security researcher Matt Jacubowski claims to have hacked the doll’s operating system and was able to “get some data out of it that I potentially shouldn’t have.” The data included Wi-Fi network names, its internal MAC address, account IDs and MP3 files.

As the world moves toward an always-on lifestyle, the choices we make often trickle down to our children.

In this case, connected toys are proving to be the byproduct of this societal shift and what’s good for adults — who theoretically understand they’ll give up some privacy for connectivity — isn’t necessarily the answer for children.

Get the TNW newsletter

Get the most important tech news in your inbox each week.

Published
Back to top