Insecure Cayla

By Anne Waldemarsen

Have you heard about My Friend Cayla?
She – or more precisely it – is a smart-doll produced by the American toy company Genesis, a company that in addition to producing an innovative and highly popular doll for children continuously receives much international attention due to undesirable characteristics in the doll. Lurking in the shadow of Cayla’s bright smile lies a threat to children’s rights to personal privacy, rendering them vulnerable to criminal activities.

The doll has an appealing design represented with big, bright eyes, shiny hair and neat clothes. Her core purpose: to become friends with your child. However, there is a hidden agenda in Cayla that enables a type of social-interference with children, far beyond what any parent prefers. White hat hackers and consumer groups discovered that this sweet little doll could be converted into something rather sinister and creepy, like a haunted doll from a horror movie. Cayla´s alluring appearance and obliging nature is designed to be highly desired. The doll is only one example of an increasingly prevalent phenomenon: Electronic devices given interactive qualities, connectable to both the internet and other objects, and to some degree intelligent, becoming a part of the Internet of Things. According to the company’s website, Cayla can talk and interact with children, tell stories, play games and share photos.

Smart doll

The doll is equipped with a microphone and connects to an app through Bluetooth in order to access the internet. It transmits audio recordings and exchanges them with a third-party software company. Cayla has two modes: offline and online. When online, Cayla can answer almost all sorts of questions; she can give you information from Wikipedia, tell you about the weather (because kids these days are known for being weatherphiles), or tell the time. In addition, Cayla is an educational toy, helping solve mathematical problems and spelling words correctly. Even in offline mode – she (I keep referring to it as a person) can answer over a thousand questions, though only about herself. It is easy to see the appeal. As a kid’s toy, My Friend Cayla seems incredible, and compared to the Furbies of only two decades ago, she is. That being said, the amazing characteristics of such products rarely come without a down side.

“Private” toys

It has been revealed that total strangers can exploit the technological traits and lack of barriers within the device; this has been demonstrated in several videos available online. The toy does not require Bluetooth authentication, leaving the doll vulnerable if the hacker is within a range of approximately ten meters. Even though Cayla is installed with filters to prevent uttering or displaying of content that is inappropriate for children, this filter also proved to be hackable. Imagine having strangers listen in on what the doll is recording, or use it as a speaker, to talk to the children. This is not the only alarming aspect regarding children’s safety and privacy: Children’s conversations are recorded through the microphone and sent to a third-party company, Nuance which specialises in voice recognition. It is uncertain how this data can be used, which is especially concerning considering that users are encouraged to reveal sensitive information when setting up the doll, spurring questions about the company’s motives. It is not just the dolls’ weaknesses that can be exploited by hackers and pedophiles. Can we blame the manufacturer´s for having bad intentions, or was it “just” heedless action? In December 2016, the Norwegian Consumer Council conducted a technical test on Cayla, claiming that the manufacturers violated both the Personal Data Act and the Marketing Control Act. They also concluded that the doll is vulnerable to be hacked and exploited, and they pushed for a closure on the sales in toy stores located in Norway. The Consumer Council points to Germany and the handling of the doll there. The German Federal Network Agency banned the doll in 2017, and demanded that parents destroy the doll held in their possession, calling it a device for disguised espionage. Instead of interacting with German children, My Friend Cayla now sits in a glass case in The Spy Museum in Berlin as a warning to visiting parents.

Children Toys in the Internet of Things

The case with Cayla is neither new nor unique. Microphone and camera recording is becoming a common feature in modern toys, along with the applications they interface with, eventually making a subsection of the Internet of Things – the Internet of Toys. When it comes to safety in toys, our focus has traditionally been to worry about loose parts or poisonous fabrics. So far, we can read a clear message from the international handling of My Friend Cayla: Personal security in digital devices must be prioritized. In order to keep up with technological advancements and benefit from them in all possible ways, we need to establish a firm and internationally standardized framework of regulations, as well as norms in informatics education concerning potential flaws in interactive technologies. After all, privacy is a right – not a privilege.

The Toys Yet to Come

Removing harmful items from the store as a response to public demand is comforting, and it is an example of how our societies do have a say in technological development. Yet, banning the doll is not the same as removing the problem. There will be other Cayla’s. Just think, such products can legally enter the market, our homes, and not to mention, our children’s bedrooms. It is a testimony of a society that has failed to focus on humans, human rights and human values in a world with cool, science fiction-like characteristics.