German Consumers Face $26,500 Fine If They Don't Destroy Poorly-Secured 'Smart' Doll

from the internet-of-broken-things dept

We’ve noted repeatedly how modern toys aren’t immune to the security and privacy dysfunction the internet-of-broken-things has become famous for. A new WiFi-enabled Barbie, for example, has come under fire for trivial security that lets the toy be modified for use as a surveillance tool. We’ve also increasingly noted how the data these toys collect isn’t secured particularly well either, as made evident by the VTech incident, where hackers obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

Last fall a lawsuit was filed against Genesis Toys, maker of the My Friend Cayla doll and the i-Que Intelligent Robot. The lawsuit accuses the company of violating COPPA (the Children’s Online Privacy Protection Act of 1998) by failing to adequately inform parents that their kids’ conversations and personal data collected by the toys are being shipped off to servers and third-party companies for analysis. A report by the Norwegian Consumer Council (pdf) also found that much of the data these toys transmit is sent over plain, unencrypted HTTP connections that could be subject to man-in-the-middle attacks.

In Germany, where surveillance fears run a little deeper for obvious reasons, regulators last February went so far as to urge German parents to destroy the My Friend Cayla doll, highlighting that hackers can use an insecure Bluetooth device embedded in the toy to listen to and talk to the child playing with it. Since then, Germany’s Federal Network Agency has clarified its position further. It’s not only banning the sale, purchase, and ownership of the toy, but it’s warning families that they face fines up to $26,500 if they don’t comply with demands that the toy be destroyed:

“The agency has now laid out just how parents are to destroy the doll. Parents are asked to fill out a destruction certificate that must be signed by a waste-management company and sent back to the agency for proof. While the agency says it has no plans to take action against those who don’t destroy the doll, it certainly could. Under German telecommunication laws, those who don’t comply with Federal Network Agency directives could face a fine up to $26,500 and two years in prison.”

How very…thorough. One mother, amusingly, felt bad destroying the doll — so she came up with a novel solution:

“One mother tells the WSJ that she was surprised to have had the doll sitting in her daughter’s room for two years. She says she was hesitant to actually destroy the doll, so instead she donated it to the German Spy Museum Berlin.”

Germany’s decision is certainly unnecessarily excessive, but it’s a step up from the outright apathy on many fronts to the problems raised by connecting everything to the internet without prioritizing security and privacy. Researchers continue to argue that the IoT is creating thousands of new attack vectors into every home and business on the planet every day. Given the rise in the use of IoT devices in record-setting DDoS attacks, it’s only a matter of time before these devices contribute to an attack on essential infrastructure, potentially at the cost of human lives.

It’s obviously not their intent, but these devices continue to function as advertisements for the “dumb” technologies of yesterday. At least until parents collectively realize that Barbie and Ken need a better firewall.



Comments on “German Consumers Face $26,500 Fine If They Don't Destroy Poorly-Secured 'Smart' Doll”

aerinai says:

Destroy it... or else...

Criminalizing a ‘toy’… I can’t wait to see that armed-to-the-hilt SWAT raid…

*flash bang* “DROP THE BARBIE! GET ON THE GROUND!” *flash bang* *smoke grenade* *taser* “That’ll teach you to have contraband toys! It could spy on you! We are doing you a favor!”

Or… the more sensible option… remove the batteries… *gasp*

Seems Germany has the Furby-Crazies of China right now.

Ninja (profile) says:

I don’t really think ‘bricking’ the toy is a problem at all. What I do think is that the parents are the ones entrusted with the task ‘or else’. They should be after the toy maker forcing it to remotely brick the toy and refund every single sale. IoT and other Internet connected devices that fail at basic security should get the same treatment. Unless lousy security starts costing real money to the companies involved this will not stop. Sure we have to clearly define the security needed there (ie: device storage encryption and data transport encryption, data collection must be opt-in etc) but the ones responsible for the screw ups must be punished.

So the only issue here is the Govt should be hitting the makers, not the parents.

Frog Legs (profile) says:


Absurd stuff. First, to remotely brick something I paid for is a violation of my property rights. Second, securing the internet isn’t the responsibility of anyone except IT guys who work at companies that want to be secure. Funny that tech guys want to get on the welfare gravy train and have the government do their work for them.

Christenson says:

Re: Re: Not a simple problem

Frog Legs:

Please consider that in 1918, influenza was “a poor people’s problem”. Just like IOT security is for IT guys….or clean water for Flint, Michigan was for the water department.

What happened next was it became everyone’s problem and millions of people died of that influenza…because rich people had property rights they didn’t want trampled.
Same here: You won’t feel the same when your neighbor’s dolls now DDOS attack your internet connection, or his toasters break into your bank account.

It’s a complicated problem that requires action for the common good.

Destroying the dolls that appear to be illegal under the law seems like a simple first step.

btr1701 (profile) says:

Re: Re: Re:3 Not a simple problem

> This doesn’t remove its capability of being an espionage
> device the same way a gun without bullets can be used to
> kill people once you find the right bullets.

Yeah, because evil cyber hackers with backpacks full of AAA batteries are gonna be breaking into suburban homes and covertly refilling the empty battery slots of little girls’ dolls so that they can spy on the moppet’s daily tea party with Mr. Bear and Mrs. Frog.

You and the German government are insane.

GristleMissile says:

Re: Re:

Hmmm. While I grant that this is a poorly designed toy, any programmer with a shit’s bit of sense is going to do everything they can to make sure their device is not remotely brickable.

Forcing a company to attempt remote brickings is not much better than fining the toy owners. (It is SOMEWHAT better, but it’s still really damned stupid)

Anonymous Coward says:

Re: Re:

The US has the LEAST backward government of others.

Sure America ‘just like all the rest’ have abused its authority, but USA is a super power for a reason!

That said, it really is more a matter of opinion on which government is the best, because MOST people don’t care about liberty, just about which laws they prefer. It’s just simple math.

Christians will naturally enjoy a Nation of Judeo-Christian laws than a Pagan one.
Secularists will naturally enjoy a Nation of secular laws than a Christian one.
Zee Jur Mans will more enjoy a heavy handed Nation than one where nazi symbolism is allowed, since that symbolism is illegal over there.

The best way to ensure that your political enemies gain power is to attempt to stifle and marginalize them! But no one ever learns this lesson!

Narcissus (profile) says:

Re: Re: Re:

Sorry, can’t let this go uncommented…

“The US has the LEAST backward government of others”

If you’re saying that the US is a shining beacon of progressiveness when it comes to destroying dangerous toys I might agree since I don’t have much of an opinion on that. If this is meant as a general statement meaning that in all things the US is the least backward, then I can only assume you meant it as satire or you have no clue what happens in other countries.

The last 2 or 3 decades the US has been moving backward, not forward. This last government seems intent on speeding things up in that regard.

“but USA is a super power for a reason!” Again, not sure what is the connection to toys but if you are looking for the reason how about spending more on defense than the next 6 countries combined? Would that do it? Is that your definition of being “the least backward”? I thought that our utopian future entailed less wars, not more?

Anonymous Coward says:

Re: Re: Re: Re:

lol, lawn darts, yea, those were some fucking fun but damn they were dangerous. But not as dangerous as kids playing with fucking bows and arrows.

“they don’t tell everyone to destroy it themselves and provide proof they did so under threat of prison and fines.”

I did still say that US is slightly better.

TripMN says:

Alternate uses

Parents could just remove the batteries and it becomes just a doll… or, they could attach it to their front door and they’d have an internet-connected bluetooth-enabled intercom system.

Of course it’d be more than a little creepy to walk into a little German town where every door has a doll attached to it.

Anonymous Coward says:

Re: I'm confused

Sounds like they were worried about Bluetooth too. Maybe there was no security on it so anyone could pair with an unpaired doll. A bit disturbing but I have a hard time seeing that as too much of a problem unless you lived in an apartment complex. Even then, it would have to be from someone close by.

orbitalinsertion (profile) says:

Re: I'm confused

Because the government will be attacked for it when it hits the fan, is why.

This isn’t like it may be an inconvenience for a consumer. It’s more like automobiles with a critical dangerous flaw that makes them a danger to the owner and others.

That being said, they should have forced a recall where the purchasers are compensated or the issues are fixed.

I know it is a huge infringement. Nanny states: Stopping you from starting huge bonfires in small yards and throwing DDT all over the place since forever. We are adults with god-given rights, damnit.

Anonymous Coward says:

How consumptionist!

If it has a defect, destroy it!

Couldn’t you fix it? Firmware updates are nothing new…
Or if it can’t be fixed, disable it? Just take out the batteries / snip a wire here or there…
Or, you know, keep it as it is?

In my opinion, it should be up to the producer of these toys to correctly inform the owners of what it does or doesn’t do, including possible dangers. But it should be up to the owners to decide what to do with it.

Anonymous Coward says:

Re: Obvious?

Just read about Stasi:

“It has been described as one of the most effective and repressive intelligence and secret police agencies to have ever existed.”

“One of its main tasks was spying on the population, mainly through a vast network of citizens turned informants, and fighting any opposition by overt and covert measures, including hidden psychological destruction of dissidents”

“After German reunification, the surveillance files that the Stasi had maintained on millions of East Germans were laid open, so that any citizen could inspect their personal file on request; these files are now maintained by the Federal Commissioner for the Stasi Records.”

Now we have some laws in place preventing such things.
There is the firm belief that you should be able to talk freely at home without the fear of being spied upon by someone else.
So it’s prohibited to own, manufacture, use objects that look like objects you use everyday, but are in fact capable of spying on you (audio & pictures) [also a long list of exceptions].

btr1701 (profile) says:

Re: Re: Obvious?

> There is the firm belief that you should be able to talk
> freely at home without the fear of being spied upon by
> someone else.

But if the government has made me aware of the doll’s capabilities, and I don’t care about it, why isn’t that the end of it?

It’s my home, after all. If I’m okay with this doll, how is it the government’s business to go any further with it?

btr1701 (profile) says:

Re: Re: Re:2 Obvious?

> The same reasons you aren’t allowed to own certain guns
> with appropriate permits.

If I want to allow myself to be observed, that’s my business, not the government’s. Analogies to guns are logically invalid.

A more appropriate analogy would be the German government ordering all citizens to close their window blinds every night so no one can see (spy) them in their homes. If the homeowner doesn’t care if people can see him watching TV or eating dinner from the street, why is it the government’s business to dictate otherwise?

Anonymous Coward says:

Yeah, sorry, but it’s not excessive. As noted that’s the maximum fine one can receive, not that they will receive. European justice systems are fundamentally different than what we have in the US. While ours is based on revenge and harsh punishments, Europe cares about rehabilitation. It’s very unlikely anyone would receive the maximum fine just because they were late in destroying a doll unless there are egregious circumstances. The fine is there to show people just how serious the situation is to Germans and is a strong incentive to do away with yet another bad IoT horror story.

Stop trying to insinuate the US’s broken justice mentality into European matters. It doesn’t work, and you just look stupid. If anything we should be considering how to integrate Europe’s justice concepts and social mores into the US’s violence glorifying culture. We’ll kill ourselves off long before foreign extremists do it.
