On February 17, 2017, Germany's Federal Network Agency (Bundesnetzagentur) banned a doll called “My Friend Cayla,” classifying it as a concealed transmitting device prohibited under German telecommunications law. The toy is, in effect, a surveillance device: it not only forwards everything it hears, via the companion phone app and the internet, to a voice-recognition company in the U.S. whose other customers include intelligence agencies, but can also be taken over by third parties. This ruling places “My Friend Cayla,” or simply “Cayla,” at the center of the core data protection and cyber security issues of the Internet of Things (“IoT”).
Even though Nuance, the U.S. company that supplies the doll's voice-recognition software, claims that it “does not share voice data collected from or on behalf of any of our customers with any of our other customers,” consumers and data protection authorities in the U.S. and Europe are concerned because of the special obligation to protect the privacy of children. In addition to the ban in Germany, “My Friend Cayla” faces legal trouble in the U.S. as well, where privacy and consumer advocates filed a complaint with the Federal Trade Commission in December 2016.
“Cayla” requires no authentication to pair with a phone: there is no code to enter and no physical button to press on either device, so any phone within Bluetooth range can connect to the doll and use its microphone and speaker. That insecure-by-default design puts “Cayla” in the same category as the home DVRs and webcams, shipped with default credentials, that the Mirai malware enrolled into the botnet behind the October 2016 distributed denial-of-service (DDoS) attacks.
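The pairing weakness has a structural cause worth spelling out. Bluetooth Secure Simple Pairing picks its association model from the two devices' input/output capabilities, and a device with no display and no input, which is what a toy with no buttons amounts to, can only ever negotiate “Just Works,” the one model that offers no protection against an attacker who pairs in place of the parent's phone. The following added example, which is not code from the original article or from the doll's maker, models that selection after the IO-capability mapping in the Bluetooth Core Specification and contrasts it with a product-level fallback: a pairing window that opens only after a physical button press. The device profiles, the `ButtonGatedPairing` class and its 30-second window are constructed for illustration.

```python
"""Why an IO-less toy cannot authenticate its Bluetooth pairing.

Added example, not code from the original article or from the doll's
maker. association_model() follows the IO-capability mapping of Bluetooth
Secure Simple Pairing as described in the Bluetooth Core Specification;
the device profiles and the button-gated pairing window below are
constructed for illustration only.
"""
from enum import Enum


class IoCap(Enum):
    DISPLAY_ONLY = "DisplayOnly"           # can show a number, no input
    DISPLAY_YES_NO = "DisplayYesNo"        # display plus a confirm/deny input
    KEYBOARD_ONLY = "KeyboardOnly"         # can type a passkey, no display
    NO_INPUT_NO_OUTPUT = "NoInputNoOutput"  # a toy with no buttons or screen
    KEYBOARD_DISPLAY = "KeyboardDisplay"   # a phone


JUST_WORKS = "Just Works"                  # no man-in-the-middle protection
NUMERIC_COMPARISON = "Numeric Comparison"  # both sides confirm the same number
PASSKEY_ENTRY = "Passkey Entry"            # one side types what the other shows

_HAS_INPUT = {IoCap.DISPLAY_YES_NO, IoCap.KEYBOARD_ONLY, IoCap.KEYBOARD_DISPLAY}
_HAS_KEYBOARD = {IoCap.KEYBOARD_ONLY, IoCap.KEYBOARD_DISPLAY}


def association_model(a: IoCap, b: IoCap, mitm_requested: bool = True) -> str:
    """Return the SSP association model two devices negotiate.

    If neither device requests man-in-the-middle protection, SSP falls back
    to Just Works regardless of capabilities. Otherwise the IO capabilities
    decide, and any NoInputNoOutput participant forces Just Works.
    """
    if not mitm_requested:
        return JUST_WORKS
    if IoCap.NO_INPUT_NO_OUTPUT in (a, b):
        return JUST_WORKS
    if a not in _HAS_INPUT or b not in _HAS_INPUT:
        # One side is DisplayOnly: only a keyboard on the other side lets
        # the user prove the displayed number reached the right device.
        other = b if a == IoCap.DISPLAY_ONLY else a
        return PASSKEY_ENTRY if other in _HAS_KEYBOARD else JUST_WORKS
    if IoCap.KEYBOARD_ONLY in (a, b):
        return PASSKEY_ENTRY
    return NUMERIC_COMPARISON


def mitm_protected(model: str) -> bool:
    """Only Numeric Comparison and Passkey Entry authenticate the peer."""
    return model != JUST_WORKS


def models_for_peripheral(peripheral: IoCap) -> dict:
    """Map every possible phone capability to the model the toy ends up with."""
    return {phone.value: association_model(phone, peripheral) for phone in IoCap}


class ButtonGatedPairing:
    """Product-level fallback when the radio stack cannot authenticate a
    pairing: accept a pairing request only within a short window after a
    physical button press. Constructed illustration, not a Bluetooth
    mechanism."""

    def __init__(self, window_s: float = 30.0):
        self.window_s = window_s
        self._pressed_at = None

    def press_button(self, now: float) -> None:
        self._pressed_at = now

    def accept_pairing(self, now: float) -> bool:
        if self._pressed_at is None:
            return False          # nobody touched the toy: refuse
        if now - self._pressed_at > self.window_s:
            return False          # window expired
        self._pressed_at = None   # one pairing per press
        return True


if __name__ == "__main__":
    toy = IoCap.NO_INPUT_NO_OUTPUT
    for phone, model in models_for_peripheral(toy).items():
        print(f"{phone:16s} -> {model:18s} MITM-protected: {mitm_protected(model)}")
    gate = ButtonGatedPairing()
    print("unsolicited pairing accepted:", gate.accept_pairing(now=100.0))
    gate.press_button(now=100.0)
    print("pairing 5 s after button:   ", gate.accept_pairing(now=105.0))
```

Run as a script, the table shows every phone capability collapsing to Just Works against a NoInputNoOutput peripheral, which is the situation the doll is in. A button-gated window does not authenticate the peer either, but it shrinks the attack from “anyone in range, any time” to “anyone in range during the seconds after a child presses the button,” and a printed per-unit PIN with a DisplayOnly-class profile would be the next step up.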
The issue with “Cayla” was best summarized by the Norwegian Consumer Council, which urged consumers not to buy the doll in a compelling video titled “Watch how the toys fail,” in which the Council's technical director Finn Myrstad asks the doll, “Can I trust you?” to which “Cayla” replies, “I don't know.”
As if this weren't enough already, there is yet another issue with “Cayla”: the doll has a habit of praising certain commercial products. For example, “Cayla” will happily exclaim how much she loves various Disney movies, which seems less than genuine, particularly since the app provider is known to have a commercial relationship with Disney. Neither the user manual nor the website discloses that relationship.
Despite all these issues, the doll remains on sale at some (online) stores in the U.S. and Europe. The good news for unsuspecting parents is that even though the law provides for fines of up to 25,000 euros for anyone who insists on selling or owning such equipment, the Federal Network Agency clarified that it does not plan to take action against parents who bought the doll. Instead, the agency says it expects parents to render the doll harmless themselves by removing the offending electronic parts.
At the time of writing, “Cayla” is still for sale online, and there has been no update on the FTC complaint.