French DPA demands security fixes to connected toys

The French data protection regulator, the Commission Nationale de l'Informatique et des Libertés (CNIL), has issued a formal notice to Genesis Industries Limited, the maker of the connected toys My Friend Cayla and I-QUE. Genesis has two months to bring the toys into compliance with data protection law. CNIL says that based on the security flaws found by a consumer association (presumably the Norwegian Consumer Council, which did this work in 2016) its chair decided to perform online inspections in January and November 2017, and also sent the company's Hong Kong headquarters a questionnaire. This research found the same security failures as others had found, and also that the toys and associated apps collect a multitude of personal data about children and their families and friends.

CNIL identified two breaches of French data protection law: violation of the right to privacy because of a lack of security; and failure to inform the toys' users of the data processing the companies carry out. CNIL decided to make the notice public because of the vulnerability of the relevant population and the obligation to inform individuals of security failures.

What is Privacy International calling for?

Devices, networks, and services and insecure yet they process more data

As computing becomes embedded everywhere, privacy, security and safety issues converge. In the future, our infrastructure will be insecure and unsafe due to insecure devices and components that are not patched.

As more devices become ‘connected’ and services become ubiquitous, they may generate and collect massive amounts of data in excess of what is necessary for the provision of the specific service or function. For instance, the “always on” nature of connected or smart devices and the granularity of data collected potentially enables the provider and other parties access to vast types and volumes of data.

A mere software update or change in business practice can change the frequency of sharing and the parties to whom data can be transmitted can change at any point in time.

Securing these technologies becomes even more challenging as they are embedded in complex systems, difficult to alter or update for security purposes, and control by the individual is limited.  Too often companies decide for business reasons they will no longer support the software or hardware, including for security updates when vulnerabilities are found, leaving consumers unprotected.

This creates an unsafe environment. Unpatched, insecure, and unmaintained systems and infrastructure leave us vulnerable.

Responsible security

Manufacturers and/or vendors must be responsible for the security and privacy design in the products they manufacture and sell, throughout a clearly identified period.