Toys and apps often track your kids and collect information about them — here's how to keep them safe

Be careful shopping, some connected toys can be a security nightmare
Be careful shopping, some connected toys can be a security nightmare
Key Points
  • Protecting children's data is one of the biggest, most important critical cybersecurity responsibilities any individual can undertake. 
  • Privacy violations and hacks against children's toys are just one part of the picture. Legal collections of children's data are also concerning. 
  • Parents can do a corporate-style risk assessment of their family's privacy and security stance. 

Many kids' toys, even those made for toddlers and babies, come equipped with video cameras and audio recorders, and those recordings may be transmitted over the internet, often into a hackable, searchable cloud database in a far-away location.

Applications that come alongside these connected toys often track children's movements, habits, preferences, friends and other adults and children who they come into contact with. It's likely that much of this data will follow your children for their entire lives. Facebook has even launched a social product for the under-13 set.

There have been true horror stories involving connected toys. My Friend Cayla was banned in 2017 by Germany as an espionage device. Also last year, Cloudpets got hacked and sensitive messages between parents and children held for ransom. Numerous toys, apps and websites have been cited for privacy violations in the U.S. and abroad for the way they have handled kids' data.

What to do?

The Mozilla Foundation's Privacy not Included list for 2018 gives a great rundown of the privacy pros and cons of several popular connected toys this year.

But even toys that meet the foundation's minimum safety standards carry risks.

To understand the risks to any connected devices, it's important to understand the Internet of Things -- a term for all of the devices we own that connect to the internet, but that aren't computers, smartphones or tablets. That includes devices like smart watches, Amazon Alexa microwaves, baby monitors and security systems -- and many connected toys for children.

IoT devices are, as a rule, inherently insecure. They often come with default passwords, or no password at all, which means even a novice hacker can connect to one of these devices. Many of them rely on firmware instead of software, so updating these items to get rid of security bugs is problematic. Sometimes it's impossible.

Finding many of these insecure IoT devices can be relatively simple, using publicly available search engines like the Shodan network, which can be used to pinpoint IoT devices running around the globe. The search engine is often used by cyber pros doing vulnerability analyses, or companies that can identify vulnerable devices. But it can also be used by criminals looking for wide-open webcams or other equipment.

If you want to be as safe as possible, treat your family like a company. Do a personal risk assessment, by considering the risks of whatever device or app versus the value to your child. Once you have an idea, you can use that formula to decide whether or not a product is valuable enough for the trade-off.

For instance, coding is rapidly becoming one of the most valuable skills for kids, so I place a high value on what a good coding toy can offer to my kids and am less stringent on what data it might be collecting.

By contrast, my kids also love puzzles -- but it's not worth the trade-off for the location and information tracking associated with many puzzle apps. They still make puzzles that come in boxes, and I can live with picking all the pieces up off the floor.

Lastly, you can enable passwords and change settings to disable microphones or videocameras on any device your children use that connects to the internet. In a pinch, you can always use Mark Zuckerberg's favorite method and stick piece of tape over any camera.