The Mozilla Foundation's Privacy not Included list for 2018 gives a great rundown of the privacy pros and cons of several popular connected toys this year.
But even toys that meet the foundation's minimum safety standards carry risks.
To understand the risks to any connected devices, it's important to understand the Internet of Things -- a term for all of the devices we own that connect to the internet, but that aren't computers, smartphones or tablets. That includes devices like smart watches, Amazon Alexa microwaves, baby monitors and security systems -- and many connected toys for children.
IoT devices are, as a rule, inherently insecure. They often come with default passwords, or no password at all, which means even a novice hacker can connect to one of these devices. Many of them rely on firmware instead of software, so updating these items to get rid of security bugs is problematic. Sometimes it's impossible.
Finding many of these insecure IoT devices can be relatively simple, using publicly available search engines like the Shodan network, which can be used to pinpoint IoT devices running around the globe. The search engine is often used by cyber pros doing vulnerability analyses, or companies that can identify vulnerable devices. But it can also be used by criminals looking for wide-open webcams or other equipment.
If you want to be as safe as possible, treat your family like a company. Do a personal risk assessment, by considering the risks of whatever device or app versus the value to your child. Once you have an idea, you can use that formula to decide whether or not a product is valuable enough for the trade-off.
For instance, coding is rapidly becoming one of the most valuable skills for kids, so I place a high value on what a good coding toy can offer to my kids and am less stringent on what data it might be collecting.
By contrast, my kids also love puzzles -- but it's not worth the trade-off for the location and information tracking associated with many puzzle apps. They still make puzzles that come in boxes, and I can live with picking all the pieces up off the floor.
Lastly, you can enable passwords and change settings to disable microphones or videocameras on any device your children use that connects to the internet. In a pinch, you can always use Mark Zuckerberg's favorite method and stick piece of tape over any camera.