From games and dolls to model cars and stuffed bears, the toys available do not differ significantly from those used by previous generations apart from one caveat – the connection to the Internet. Dolls make conversation, stuffed bears send messages and smart watches allow parents to locate their children at all times. Games can serve as educational tools by introducing new skills, such as coding, as well as interactive play.
The popularity of toys connected to the Internet is growing. According to the market research firm Zion, the global smart toys market, valued at USD 3,87 billion in 2017, is expected to grow to USD 5,41 billion by 2024. And it is not only the purchase of smart toys that is driving the growth. Juniper Research predicts that in-app purchases will become a key driver for growth within smartphone-connected toys.
But while these toys can bring many benefits, their safety remains questionable. Several countries have issued warnings to consumers about threats to privacy and security.
In Germany, government officials banned the sale of a talking doll connected to the Internet since it could be hacked easily and used to spy on children. The database for a stuffed animal that can send and receive audio messages suffered a massive data breach that exposed millions of messages sent between parents and children. And, more recently, security researchers found that a location-tracking smart watch used by thousands of children could be hacked with ease thereby providing access to personal information as well as the ability to track and listen to the child.
In addition to hacking, parents may also be concerned about the data collected by many of these toys and made available to manufacturers. Some toys will gather data by default and, for many parents, it is not clear what data is being collected much less how it is being used. In Europe, the General Data Protection Regulation (GDPR) places stringent requirements on the collection, storage and sharing of personal data. However, such regulations have not been implemented in other parts of the world.
How much trust can parents place in the ability of a manufacturer to take the necessary measures to secure data and privacy? Ultimately, trust will be the overriding issue in determining whether parents can or should buy an Internet-connected device for their child. As a first step, they will need to educate themselves about products to determine if the manufacturer has put in place sufficient safeguards.
International standards provide a framework for gathering, storing and processing sensitive data in the context of different regulatory requirements. Manufacturers can benefit from the many cyber security and data protection standards, including the well-known ISO/IEC 27000 Standards, that have been developed by experts in the joint ISO/IEC subcommittee on IT security. Specifically, they identify potential risks to data and ensure that organizations implement the relevant controls to mitigate them. They provide not only a complete toolkit and methodology for data security management, but also demonstrate best practices from the real world.
To ensure that all of its standards taken into account cyber security issues, the IEC has set up the Advisory Committee on Security (ACSEC) which provides guidance to all IEC technical committees in the areas of information security and data privacy. ASEC not only advises technical committees but also follows closely research activities and trends in academia. In June 2018, it published IEC Guide 120 to provide guidelines on cyber security issues that should be addressed in IEC publications and how they can be implemented.
While toys can never be fully protected against hacking and privacy invasions, the adoption of international standards is an important step in making smart toys safer.