Centre for Internet & Society

Despite their merits, connected toys raise a few concerns about data privacy and security.

The article by Abhijit Ahaskar was published in Livemint on November 22, 2018. Sunil Abraham was quoted.


In today’s connected world comprising the Internet of Things (IoT), smart tech toys are here to stay. These toys, for instance, can make learning fun for children and help parents keep track of their whereabouts.

CogniToys’ Dino, a case in point, uses Wi-Fi to stay connected and IBM Watson’s natural language processing (NLP) technology to tailor its responses to suit a child’s age group and skill level. The little connected toy can teach children how to spell words and even admonish them if they use expletives.

However, it’s this very prowess that can raise privacy risks too. A 2017 security audit cautioned that Dino transmitted information without using encryption, leaving a child’s information vulnerable. When Mozilla reached out to the company in 2018, the company claimed, “Dino uses encryption for all audio traffic and in fact, each one uses unique keys, which are also cycled per session per device.” However, experts at Mozilla could not determine if the toy actually uses encryption of any kind.

Another smart toy called i-Que Intelligent Robot by Genesis Toys, uses Bluetooth to connect to a phone via its app, but doesn’t encrypt the pairing process, allowing anyone in the same Bluetooth range to download the app on another smartphone, connect to the toy and start chatting with the child.

Flying drones are another fad with children these days. India’s new drone policy allows users to fly anything under 250g below 50m without requiring registration or license. Even if children are using something like the DJI Spark for fun and taking selfies, the privacy risks can’t be ignored. Not only have DJI Spark drones been reportedly hacked in the past, they also lack parental controls, do not encrypt user data and have been found to share information with third parties, according to Mozilla’s Privacy Not Included report.

Nevertheless, the market for smart toys is growing. According to a study by US-based Transparency Market Research, the smart toys market is largely fragmented but is expected to reach $69.9 billion by 2026.

In India, the market for smart toys is still small compared to generic plastic toys but the demand is increasing, particularly in cities such as New Delhi, Bangalore, Mumbai and Hyderabad, according to Vivek Goyal, co-founder of PlayShifu—a tech start-up known for its augmented reality-based smart toys such as the Orboot globe.

Experts point out that since these toys use microphones, cameras, Bluetooth, Wi-Fi and data collated from users is stored on a remote server, it makes them as vulnerable as any other connected device.

“As an individual user, when you buy such toys you are giving them the right to utilise that data. However, if there are laws and frameworks which can mandate toy companies to have stringent privacy policies, misuse of the data can be curtailed,” says Rohan Vaidya, regional director of sales, India, at CyberArk, an IT security firm.

To be sure, smart toys are “currently regulated under 43A of IT Act and when the new data protection laws are enacted, the new set of rules will apply to them”, says Sunil Abraham, executive director, Centre for Internet and Society, a Bengaluru-based research organisation.

Goyal, on his part, acknowledges the concerns that security experts and parents may have about such devices. He believes toy makers need to be more upfront about what data they are collecting through the app or the toy, which would make smart toys more acceptable to parents.

Filed under: