Creepy Cayla doll violates liberté publique, screams French data protection agency

The French data protection agency has issued a formal notice to a biz peddling allegedly insecure toys, just in time for Christmas. The mass-marketed toys in question – Genesis Toys' My Friend Cayla doll and i-Que robot – are Bluetooth-enabled so they can capture and analyse children's speech through an app on – ideally – …

  1. Semtex451 Silver badge
    Coat

    Oh FFS

    Stop the Planet, I want to get off.

    1. Khaptain Silver badge

      Re: Oh FFS

      There's already a long queue, it might take some time... and no pushing to the front please..

    2. Anonymous Coward

      Re: Oh FFS

      Mind the gap.

  2. Forget It

    Beware of Geeks

    Bearing Gifts

    1. This post has been deleted by its author

  3. Lotaresco Silver badge

    Blimey

    Working as I do with French "security experts" I know that they are a long way behind the curve but this is old news. It was reported by Pen Test Partners in January 2015. Pen Test Partners have been meticulously wading through the Internet of Tat over the last three years and have unearthed multiple horrors.

    I suspect that the in-depth French research consisted of looking at this page.

    I'm also a bit surprised by El Reg here, because it was covered at the time by... El Reg.

    Even the Germans have been in on the act.

  4. GnuTzu Bronze badge

    Unconscionable

    I fear the worst, and find it so frightening that I can't bear to write it out. How could anybody dare to create such a product?

    1. imanidiot Silver badge

      Re: Unconscionable

      Someone smelled a quick money making opportunity. Make sure you're not personally responsible and you're all good.

  5. Aaiieeee
    Holmes

    Why though?

    Not having kids I don't quite get why this feature would be desirable to a parent. Just let them play, surely?

    1. imanidiot Silver badge

      Re: Why though?

      Some parents are simply mindbogglingly lazy. Anything to not have to get involved in little Timmy's upbringing.

    2. Richard Jones 1
      FAIL

      Re: Why though?

      Agreed, many kids preferred the boxes to the contents last time I looked. Though noisy paper and other unsuitable items, think choking hazards, sharp wires, etc. usually appeal more than creepy dumb dolls.

  6. JennyZ

    Twilight Zone...

    My name is Talky Tina...and I'm going to kill you...

  7. Mahhn

    Echo

    Does the Amazon Echo and Google's talking trashcan fit into the same category?

    1. Richard Jones 1
      FAIL

      Re: Echo

      You might have several points there. Unless you are disabled, when such things might have value, what really useful thing would they add to life?

      1. Anonymous Coward

        @Richard Jones 1 - Re: Echo

        Not to your life or mine or to most people's lives. But to somebody's life it doe$!

      2. Pascal Monett Silver badge

        @ Richard Jones 1

        I agree that some IoT products may indeed be of use to people who do not have the benefit of a perfectly functional body.

        I do however take exception to the idea that the handicapped do not need security and protection to obtain the convenience of such devices.

        1. hplasm Silver badge
          Happy

          Re: @ Richard Jones 1

          @ Pascal...

          er.. Woo$$$$H

    2. LDS Silver badge
      Devil

      Re: Echo

      Yes, but they are far more protected to ensure the huge trove of information they collect only goes to the maker's systems. Amazon and Google don't at all like that anybody near your device could get that data; otherwise how could they fully monetize it? Also, you have to pay Google and Amazon to train people into buying your products, you can't do it yourself just sending some vans around the city.... Genesis didn't really learn the ABC of the data hoarder and electronic behavioral modification.

  8. Anonymous Coward

    I often try to imagine when things like this happen about the meeting where they decided to do the thing that has gone wrong. What was discussed? Who would have raised what? Who would have warned others in the company of the mistakes they were making? Who decided to push on regardless? Did people argue?

    However in this case all I can picture is three screaming monkeys and two braying donkeys in a room thrashing it out on power point while a barking dog takes notes.

    1. heyrick Silver badge

      "However in this case all I can picture is three screaming monkeys and two braying donkeys in a room thrashing it out on power point while a barking dog takes notes."

      You've just described every business meeting that ends up with:

      1. Stupid idea.

      2. ???

      3. Profit!

    2. Lotaresco Silver badge

      "I often try to imagine when things like this happen about the meeting where they decided to do the thing that has gone wrong."

      When the problems with the Cayla doll were first raised, the tester, Ken Munro, raised his findings with Genesis Toys before going public, so the company was well aware of the problems. The company chose to do very little to fix the problems. Given that the doll is cheap to produce and probably very cheap to fix, the company's refusal to address the problems shows a cheapskate attitude and a complete lack of concern for anyone else's children.

      The problems reported by PTP nearly three years ago persist and are cause for concern. The Cayla doll uses a data dictionary to respond to a child. The database is easily hacked (details given in the PTP security blog) and the doll can be made to give *any* response to a child. The fact that it's a Bluetooth headset permits anyone within range to pair and talk to the child. The original demos of the security flaws (numerous conferences in the UK) had examples of Cayla talking dirty and in the closed sessions examples of how the doll could be used for "grooming". It's worth reading the PTP blog on this product.

      The sales website is also cause for concern. Firstly, there are no company details given on the site, no way to contact the supplier. That is IMO always a sign of a company that doesn't want to see any complaints from the public. The website also claims that the "safety features" built into the doll protect the child: "There are four levels of safeguards in place which makes playing with Cayla much safer than simply handing a tablet to a child". Given that the company knows of the security issues with the device, these assurances are false (they are given in greater detail on the company website). These include statements such as "Additional words or phrases can be added to the blocked list via the app. Please note that once a word is added to the blocked list this cannot be undone and the list cannot be viewed." However, the blog shows that the list can be easily viewed. There's also an indication that the "blocked list" is drawn up for middle class American Christian sensibilities. Woe betide any married UK gay couple who buy this doll for their kids. According to Cayla they don't exist.

  9. Pat Harkin

    Hmm.

    "Moreover, would-be dodgy characters don't even need the Cayla or i-Que app installed, because phones simply identify the doll as a hands-free headset."

    "The agency said the toys were in breach of Article 1 of the French Data Protection Act, which provides that technology "shall not violate human identity, human rights, privacy, or individual or public liberties"."

    Does that mean Bluetooth headsets are also in breach, if they're just the same tech in a different plastic shell?

    1. imanidiot Silver badge

      Re: Hmm.

      Pretty much all headsets I've encountered require some sort of pairing sequence so are more secure than this toy to begin with. On top of that we EXPECT a headset to work this way. A children's toy? Not so much.

    2. Lotaresco Silver badge

      Re: Hmm.

      "Does that mean Bluetooth headsets are also in breach, if they're just the same tech in a different plastic shell?"

      I think you may be missing something important here. It's not the tech but the piss-poor implementation that is the issue.

  10. sloshnmosh

    I wonder?

    I wonder if you could "pair unchecked" with the Toys in question with Google Chrome browser?

    Sure you can!

    chrome://bluetooth-internals
