The hack of toy manufacturer VTech's computer systems, disclosed by the company in November 2015, has highlighted various privacy concerns with, and vulnerabilities of, the Internet of Things (IoT). The allure and novelty of IoT, which lets us remotely automate and control everyday objects, means that the range of products will keep expanding as consumers demand greater control over devices around the home. As more of these products enter our homes, the risk that potentially sensitive information will fall into the hands of unauthorised recipients increases. Accordingly, whenever we pick up a new device that sends information over, or stores information on, the internet, we need to ask whether that information is being protected and, if so, how effective the protection measures are.
The hacker allegedly obtained the customer data by breaking into the database behind the company's app store. This reportedly resulted in the unauthorised release of the personal information of over 4.8 million adults and 6.4 million children. The information accessed included the names, email addresses, passwords and home addresses of purchasers of VTech products. Luckily, the attack was reportedly the work of a 'benevolent' hacker (with a lot of time to spare), who sent the information directly to the news site Motherboard. For their efforts, the hacker succeeded in exposing apparently inadequate security measures at the company.
In an era where many people are comfortable posting almost everything to social media, the public has become somewhat desensitised to the disclosure of potentially intimate details on the world wide web. Even in the face of numerous data breaches, consumers continue to flock to new devices and services that could expose personal and private information to unauthorised persons (some sources reported that Ashley Madison saw an increase in subscribers after a major data leak exposed the personal details of its members). This breach was different, however, and consumers have been particularly sensitive to it, because it involved the release of the personal information of young children, including their names and birth dates.
The VTech hack prompted a rapid response from US Senator Ed Markey and Congressman Joe Barton, co-founders of the bipartisan Congressional Privacy Caucus. In a letter to VTech, the two legislators set out their privacy concerns and posed various questions about the nature of the information collected about children and how that information is protected as required under US legislation. Whilst Australia's recently amended privacy regime is generally more robust than that of the United States, the United States has the Children's Online Privacy Protection Act (COPPA), which gives specific protection to the personal information of children under 13. Australia currently has no directly equivalent legislation.
VTech's contractual 'solution'
Since the hack, VTech appears to have decided to try to shift the risk of a data breach back onto parents through standard form contractual documents. It has inserted a new clause in the End User Licence Agreement for its Learning Lodge software stating:
You acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties. You acknowledge and agree that your use of the site and any software or firmware downloaded therefrom is at your own risk.
The legality of such a clause has already been questioned, with UK and EU law (in particular the Data Protection Directive 95/46/EC, as implemented in the UK, and the Consumer Rights Act 2015 (UK)) potentially rendering the term ineffectual or void.
In an Australian context, such a provision may well be considered:
- an 'unfair term' under the Australian Consumer Law in Schedule 2 to the Competition and Consumer Act 2010 (Cth). We have discussed the application of the unfair term provisions in a previous blog post. The key criteria we would consider in determining whether a court would find a term 'unfair' are:
  - does the term cause a significant imbalance between an individual's rights and obligations and those of the business? The fact that parents cannot mitigate the risk of such a breach (but the business can) means that an imbalance appears to be created (or at least worsened) by this term;
  - is the term reasonably necessary to protect the legitimate interests of the business? Given that the business is already required to take reasonable steps to secure personal information under the Australian Privacy Principles (as highlighted below), attempting to shift liability in this area does not appear reasonably necessary, nor should it be effective;
  - would the term cause an individual detriment (financial or non-financial) if the business tried to enforce it? Clearly, if VTech were able to rely on this exclusion of liability, parents would be worse off (potentially both financially and non-financially), as VTech would have less incentive to provide secure products and children's details would remain vulnerable; and
  - how transparent is the term? Whilst the term appears clear in its effect, we query whether parents would understand the legal ramifications of such a clause; and
- inconsistent with VTech's obligations under Australian Privacy Principle 11, which requires it to take 'reasonable steps' to protect personal information from misuse, interference and loss, and from unauthorised access, modification or disclosure.
'Cloud' Barbie
If the idea of hackers accessing information from a toy manufacturer's databases is enough to cause angst, then the idea of them accessing recordings from a toy that has passively 'listened in' on your child's activities would be enough to prompt a full-scale audit of the toy box.
In this vein, security commentators have aired concerns over potential vulnerabilities in Mattel's 'Hello Barbie' doll, a wi-fi-enabled toy capable of holding (reasonably coherent) conversations. The concept is straightforward: conversations with Hello Barbie are recorded and transmitted via a mobile app to a cloud server, where the recording is analysed and stored. Press her belt buckle and she will cheerily respond to whatever weird and wonderful speech is thrown her way (think Siri, but with a little plastic body). This may seem innocuous enough in the hands of a fully informed adult, but children are unlikely to grasp the significance of their private conversations being transmitted to a remote third party.
Internet of (everyday) things
There is little doubt that the IoT is cutting edge and has some pretty fancy uses: controlling lights and appliances at home by voice or smartphone, tracking luggage in transit, making sure your home is a toasty temperature when you get home from work, and monitoring available city parking spaces. The expansion of IoT applications shows no sign of slowing, with the number of devices connected to the internet by 2020 estimated at anywhere between 26 and 50 billion (IT research group Gartner's forecast sits at the lower end of that range). Along with smartphones, tablets and personal computers, the appearance and use of connected televisions, watches, cars and kitchen appliances will soon be as unremarkable as (manually) switching on the lights.
So, in what would be Orwell's greatest nightmare, our appliances may be seeing and hearing more than we know. As ridiculous as it may seem, the prospect of being spied on through your wi-fi-enabled, voice-activated toaster is probably closer than you think.
* The author wishes to thank vacation clerk Maddy Foote for her assistance in preparing this article.