Thursday, December 17, 2015

Your child's privacy is eroding



Internet-connected gadgets, aka mobile apps and the "Internet of Things," are all the rage right now. Home thermostats let me turn up the heat from my smartphone, or monitor my household electricity consumption in near-real-time. Networked door locks make it possible to give a friend or a service provider access to the home without giving them a key. Smart TVs with built-in streaming media apps reduce the complexity of a home theater.

There's a dark side though: Internet-connected means ... well ... Internet-connected. A device talking to a server on the Internet means a device talking to something I don't control, and thus means a degree of trust. The more sensitive the nature of that device, the more trust I must have in the provider.

When that device or service interacts with my kids, the required degree of trust is very high indeed.


In some cases, I have control over how my information is shared. Facebook, for instance, provides outstanding control over who can see my posts and pictures, as well as advice to parents and teachers for educating and protecting our kids. Even so, I see a great many people taking great care to limit access to their photos - and then using pictures of their kids as their profile photo. Guess what? The profile photo is (typically) public! Yes, it is possible to apply privacy restrictions to the profile photo - but I almost never see anyone do so.


Exhibit 1: The lead photo in this post is a collage of edited public profile pictures on Facebook ... several of which included street signs or address plaques that could easily be used to locate the child's home.

In other cases, once I choose to use a product or service, I am completely at the mercy of the provider's policies and security practices. Thanksgiving weekend - right in the midst of the Christmas shopping blitz that Black Friday and Cyber Monday have become - electronic toymaker VTech stepped into the spotlight with a serious data breach. In the following days, the news has gotten worse and worse.


As of this writing, reports are that some 5 million parent accounts, and 6.4 million children's accounts, have been stolen. If that were not enough, the stolen accounts include photos of many of the children, transcripts of their text message chats with parents, and audio recordings.

This is exactly the nightmare that security experts and privacy advocates worry will happen with Mattel's Hello Barbie, an Internet-connected, artificially intelligent doll that can hold conversations with children. It's not the interactivity that bothers us. Who didn't talk to their toys as a child?


The worry is that Hello Barbie records your child's conversations and sends them to a server on the Internet, where the artificial intelligence engine interprets what the child said and comes up with an appropriate response. Practically speaking, it makes sense - AI takes a lot of computing power and data storage. The tiny computer and batteries inside a $75 doll aren't up to the task.

But what other Internet-connected household devices record children's activities?

Wireless baby monitors. Which have been in the news several times this year when criminals hacked into them to listen in, or to say disturbing things to impressionable children. In fact, a hacked baby monitor was a key plot element in the premiere of CSI: Cyber.

Imagine a crook compromising Barbie, to invite your 4-year-old to walk down the street for a secret play date.


Security for Real People isn't about scaring you with bad news though. It's about providing practical security advice you can use. The best advice for parents (and consumers) is to be aware what you share. When signing up for online services, think about the information you provide. Does a child's watch need to have the child's real address and phone number?

Likewise when installing mobile apps, read the list of permissions requested by that app. Is it appropriate for a sandwich shop loyalty app to read your contacts and web browsing history?

Consider the reputation of a business. Netflix, Amazon, Google and Apple have been providing Internet-connected services for well over a decade, and while no one is "hack proof," they have many years of experience defending against cyber intruders. VTech and Mattel have decades of experience making children's products, but are new to the IoT scene.

Consider the maturity of the child. My kids are now teenage and preteen - impressionable, but also old enough to discuss privacy intelligently. A 12-year-old can comprehend that "dolly" is actually a computer and not a sentient being, and is likely to speak up when dolly makes inappropriate suggestions. To a 4-year-old, a doll that holds a conversation lies somewhere between magical and alive.

Consider that a child's identity is highly valuable to an identity thief. As adults, we tend to be at least somewhat aware of our credit. There are practical steps we can take to avoid or minimize financial and identity fraud, including favoring credit cards over debit cards, signing up for transaction alerts from our banks, and using a credit freeze or fraud alert to prevent criminals from opening new financial accounts in our name. Do the same with your child. Children's identities are often overlooked until college, giving a thief potentially years to use a pristine identity.

And one final word of advice for businesses and service providers: if you don't need it, don't keep it. You can't lose what you don't have. Why would VTech keep a year's worth of text chat logs between parents and kids?


This article first appeared on CSOonline