Is Cayla The Toy Doll A Domestic Spy?
On a campaign to promote digital privacy, authorities warn that “My Friend Cayla” makes children vulnerable to malicious surveillance—parents who fail to destroy the doll face a €25,000 fine; ‘destroy it with a hammer’.
Earlier this year, Lisa Harmann received a warning from the German government: A spy might be lurking in her child’s bedroom. She should find it and destroy it.
With their 10-year-old daughter sound asleep, Ms. Harmann and her husband sneaked into the room armed with a flashlight and soon found the culprit sitting inside the cupboard, sporting a frozen smile and billowing pink skirt.
Despite her innocent looks, “My Friend Cayla” isn’t a doll—at least not in the eyes of German authorities—but an illegal eavesdropping device. On Feb. 17, after a lengthy investigation, the Federal Network Agency, Germany’s top telecommunications watchdog, issued an order to parents to find Cayla and destroy her. It also banned its sale, purchase and ownership.
“It’s about the protection of the weakest in our society,” said Jochen Homann, president of the body known as Bundesnetzagentur.
Privacy may be eroding around the world, but not in Germany, where encroachment is met with the kind of treatment reserved elsewhere for bank robbers. Armed with some of the toughest privacy protection laws on the planet—a legacy of blanket state surveillance under past dictatorships—the German state has been going after trespassers with unsurpassed zeal.
In recent campaigns, the Network Agency sniffed out and neutralized data-gathering devices lurking in smoke detectors and credit cards. Now it is taking the fight to a new breed of all-seeing, all-hearing internet-connected toys—stuffed pandas, remote-controlled cars, robots and dolls—that are invading German children’s bedrooms.
And it isn’t kidding.
Parents who ignore the order to destroy Cayla could face a fine of up to €25,000, about $26,500, and two years in prison under paragraph 90 of Germany’s telecommunications law. On its website, the agency posted a template for a destruction certificate that should be filled in, signed by a waste-management company, and sent to the agency as proof of destruction.
The agency said it had no plans to take action against noncomplying adults.
“The Bundesnetzagentur assumes that parents will voluntarily render this doll harmless,” it said in a statement.
The Bonn-based agency is a child of the 1990s, when the state began selling off its former monopolies and opening their markets to competition. Its main, and more mundane, task is to oversee the telecommunications and postal markets and ensure network access for energy suppliers and rail operators. But it takes its counterespionage role no less seriously.
Before turning its sights on Cayla, the agency last year banned a panda bear with a camera hidden in its nose that operated as a nanny cam or baby phone and could connect to a mobile phone—the panda can’t be named for privacy reasons, according to the Bundesnetzagentur.
A toy robot was sent to the scrapyard because its head was embedded with an internet-enabled camera concealed behind a black visor. A tank replica shared the same fate owing to another hidden camera and because it was actively promoted as “a vehicle that could spy secretly, for instance, on somebody’s boss, neighbor or friend,” agency spokesman Olaf Peter Eul said.
Other connected toys, such as Mattel Inc.’s “Hello Barbie” or CogniToys “Dino,” escaped the agency’s wrath because they didn’t operate in disguise and their communication features were better protected against outside intrusions by showing clearly when the microphone was on, consumer protection and legal experts said.
Internet-enabled toys, which can record children via microphones and cameras and make those recordings remotely available, have raised concern from privacy activists elsewhere. But while Norway, the U.K. and the U.S. have warned about Cayla’s nefarious potential, Germany is alone in making the doll illegal and ordering its destruction.
“It’s pretty bad bringing a doll on the market anybody in a 30-feet radius can connect to,” said Stefan Hessel, a law student at Saarbrücken University who penned the legal opinion used by the agency to ban the doll. “A regular Bluetooth loudspeaker is better protected.”
Cayla’s distributor, Vivid Germany GmbH, said it took the complaint very seriously but insisted Cayla didn’t break the law and said it would challenge the agency’s decision. Vivid declined to say how many dolls had been sold in Germany or whether some had been returned. “There is no reason to destroy Cayla or give the doll away,” the company said in a statement. “It isn’t a spying device.”
The producer of Cayla, China-based Genesis Toys, didn’t respond to requests for comment.
The doll can’t connect directly to the internet but can be accessed via Bluetooth by any mobile device loaded with the My Friend Cayla app. This access isn’t protected and any conversation a child might have with Cayla—or in her presence—could be eavesdropped upon by a concerned parent, curious neighbor or malicious outsider, the agency said.
“We thought it simply incredible that we could own such an awful thing… sitting in our child’s bedroom for two years without our knowledge,” said Ms. Harmann. “It’s simply unbelievable what parents have to deal with these days.”
She said her daughter, who found Cayla “stupid” and “ugly,” parted with the bugged doll without a tear. Still, Ms. Harmann was hesitant to destroy it and donated it instead to the German Spy Museum Berlin, which had launched an appeal for unwanted Caylas.
“I told the museum it would actually be much nicer for Cayla to have a purpose and warn other parents instead of simply destroy it with a hammer,” she said. “We now have a little celebrity in the museum.”
The museum’s Florian Schimikowski said Cayla became the first toy in its collection, which houses a specimen of Enigma, the notorious Nazi encryption machine, and the “Fotosnaiper,” a gun-shaped camera used by spies to take long-distance shots of their targets.
“It sounds a bit like an overreaction to call on parents to destroy the doll,” said Mr. Schimikowski.
But Abby-Sue Mook, a 17-year-old Austrian visitor wandering around the museum, disagreed: “She can spy on households. I think it’s good that she had to be destroyed.”
Is That New Doll Spying On Your Kids?
What if strangers are using one of your child’s toys to spy on them? In the new world of connected toys, truth can be spookier than fiction.
These devices make up what’s called the internet of things or IoT. The IoT is a fancy way of describing the ever-growing number of objects that are talking to each other. And they’re collecting all sorts of information about us and the world around us.
The more we use them, the more it seems we’re OK with these devices watching us.
But what happens when these devices are used to watch our children? A team of researchers at Edith Cowan University has begun a 3-year research project investigating just that.
The Internet Of Toys
The team, led by Dr. Donell Holloway, is looking at what parents and children understand about connected devices like Hello Barbie and My Friend Cayla. Both are part of a growing trend of connected toys, which make up a subset of the internet of things, appropriately called the internet of toys. Just like other IoT devices, these toys work by collecting and sharing data about the people using them. In this case, children.
This data can include voice files of conversations a child has with their toys. It can also include demographic information such as a child’s birthday or even a child’s location.
Professor Lelia Green, who is on the ECU team with Donell, told me, “[Children] love playing with technology, but they are too young to realise the implications of data and data privacy. Parents haven’t really had a chance to think about [the implications of] this. They accept a lot of privacy implications with their daily mobile phone use and maybe don’t think this is substantially different.”
Unlike adults, who may be more conscious of what they share when using connected devices, Lelia told me, “Children are very confiding and trusting when talking about their life to their toys.”
An “Illegal Espionage Apparatus”
Parents may be surprised to know that this information can be used for marketing purposes or even product placement. For example, a ‘smart’ doll may need to be connected to a parent’s phone to work. Suddenly, their phone is lit up with ads for things the child talked to their doll about.
Since privacy regulations vary widely from country to country, it’s hard for parents to know how safe their children’s information actually is. Further, since these devices can be (and have been) hacked, there are also some very real safety risks for children. German regulators at the country’s Federal Network Agency even described My Friend Cayla as an “illegal espionage apparatus” that must be destroyed.
Australia vs The EU
As the reaction from the Germans suggests, the European Union takes privacy quite seriously. As Lelia described to me, “In Australia, the discussion has been far less wide ranging and robust, and consumers here have less protection [than the EU].”
For this reason, Donell and her team will be looking at eight Australian families and nine European families. This way, they can see how and why privacy cultures may differ across different countries.
All participant families will receive a Cozmo connected toy. The children participating in the study will be asked to share their thoughts and experiences using the toy. This will help the researchers to understand what children experience and think with regard to their privacy while using these toys.
The team aims to complete their research by 2021, which is when they will begin publishing their findings. As Australian regulators move to increase privacy protections, this research could provide some much-needed insight.