Software vulnerabilities in a smart doll have prompted the Federal Network Agency (Bundesnetzagentur) to tell parents that their children may be spied upon by hackers — through the doll.

Cayla the doll might be a security vulnerability. Screenshot from the doll’s app.

We like being connected all the time. Have a question about something? Just Google it. Forgot to buy anything? There’s Amazon or Ebay. Check what your friends are up to? Facebook, of course. But any coin has two sides, and there is also a downside to this connectivity: we’ve pretty much given up our privacy. You may or may not be aware, but many websites have access to a trove of your personal data. When you search something on Google, the results are tweaked based on that data. Facebook serves ads based on your preferences and where you’ve checked in. As for online retailers… having access to your personal information is vital for product recommendations. In fact, your data is crucial to the business company of most online companies.

Subscribe to our newsletter and receive our new book for FREE
Join 50,000+ subscribers vaccinated against pseudoscience
Download NOW
By subscribing you agree to our Privacy Policy. Give it a try, you can unsubscribe anytime.

But that’s just part of it. Sometimes, using unsecured connections, people can hack into some devices and basically spy on you. More and more household objects are starting to have connections to the internet — this is called the internet of things. There are obvious advantages to this. You get smart houses which can be controlled from your phone, smart health monitoring, and even smart dolls. This is the case with My Friend Cayla, a talking child’s doll which connects to the internet to answer children’s questions. For instance, if a child would ask it ‘What is the baby of a kangaroo called?’ the doll would go online, search for the answer, and then say ‘Joey.’ But now, researchers say that hackers can use an unsecured bluetooth device embedded in the toy to listen and talk to the child playing with it.

This information has surfaced before, and producers Vivid Toy defended that there were isolated events carried out by specialists — in other words, they said that only hackers hacked, and only into some dolls — a pretty poor argument if you ask me. Still, Vivid Toy said they will consider this issue and tackle it as soon as possible. This happened in 2015, and it was recently revealed that the vulnerability had not been solved. This means that a malevolent and technically capable person could basically hack your doll and not only listen and see what your child is doing, but even talk to your child directly through it. Needless to say, this is a particularly worrisome situation.

In Germany and several other countries, it is illegal to sell or possess a banned surveillance device, and Bundesnetzagentur is saying this should happen here. The toy manufacturer has not yet responded to this.

The EU Commissioner for Justice, Consumers and Gender Equality, Vera Jourova, told the BBC: “I’m worried about the impact of connected dolls on children’s privacy and safety.” However, the EU is still investigating how it could intervene in this situation, as legislation is a bit blurry in cases like this one. Technology, it seems, tends to develop faster than we can adapt to it.