Toy Maker Vtech Hacked, Revealing Kids' Selfies, Chat Logs, & Even Voice Recordings

from the because-we-can dept

As companies race to embrace the inanely-named "internet of things" (IOT), security and privacy are usually a very distant afterthought. That's been made painfully apparent by "smart" refrigerators that expose your Gmail credentials, "smart" TVs that transmit your living room conversations unencrypted, or "smart" tea kettles that compromise your Wi-Fi network security. In all these examples the story remains the same: everybody's so excited to connect everything and anything to the internet, few companies can be bothered to do so intelligently and correctly.

And with the mad rush to bring this kind of aggressive myopia to toys, the lack of security is now impacting kids as well. Late last week a hacker revealed that he (or she) had hacked into the servers of Hong-Kong-based toy company Vtech, exposing the data collected by the company's "Kid Connect" service (which lets parents use smartphones to talk to kids using toy tablets and other devices). Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

What's more, the hack revealed that Vtech was storing kid selfies, voice recordings, and even entire chat logs between parents and their kids. In short, Vtech was gathering and saving pretty much anything these devices could get their hands on. VTech didn't respond to questions regarding why it needed to store all this data. And that's likely because, like most IOT gear makers, it didn't much think about it. It was so enamored with the gee whizery of gobbling up all manner of user data for later use, it couldn't much be bothered to ensure fundamental security best practices.

As Mark Nunnikhoven at Trend Micro remarked shortly after the hack was revealed, the lure of IOT has many companies collecting far more data than they could ever even conceivably need -- just because they can:
"This opens the organizations up to unnecessary risk. If the words "might", "possible", or "potential" are used in an argument supporting the collection of data, you're about to violate the principle of least data. You should only collect and store data for well understood use. Data should be evaluated for it's overall value to the organization and—just as importantly—the risk it can pose to the organization. Unless the cost to acquire the data in the future is so ridiculously high that it's infeasible, you should always opt to collect and store the data when you have a concrete use for it."
That's common sense, but the excitement surrounding IOT has made it clear that common sense doesn't enter into it. At least not in the design and implementation phase. Only once they're caught not giving a damn about security or privacy are these over-enthusiastic companies suddenly model citizens. Vtech is of course no exception, since issuing a press release stating it has shuttered many of the websites hoovering up this data. The company also reiterates how it's "committed to protecting our customer information and privacy":
"We are committed to protecting our customer information and their privacy, to ensure against any such incidents in the future. Our Privacy Statement can be found on our website here. The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech. We will provide further updates as appropriate in the future."
But if companies were so breathlessly committed to privacy, they wouldn't rush products to market and leave fundamental security standards as a distant afterthought in the first place. And with everything from your smart toaster to your kids' Barbie doll now gobbling up an ocean of household data, it's going to be an increasingly ugly lesson to learn.

Filed Under: hack, internet of things, kids, logs, privacy, toys
Companies: vtech


Reader Comments

The First Word

Subscribe: RSS

View by: Time | Thread


  • identicon
    Anonymous Coward, 1 Dec 2015 @ 2:21pm

    And remember folks the THIRD PARTY doctrine applies to all this data they are hoovering up. The Government comes a knocking they will have to hand it all over because you have NO expectation of privacy.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Dec 2015 @ 2:26pm

    Vtech deserves the lion's share of the blame, and there is role for parental responsibility to play. This is a teachable moment not only to the parents who thoughtlessly consent to this, but to the children who are learning that personal information disclosure is not only routine, but becoming an expected part of play, growth, and development.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Dec 2015 @ 2:27pm

    I suspect that companies in this space will only start to take privacy and data protection seriously when serious fines -- say, a statutory $1000 per person affected, payable within a week of the breach -- are imposed for cases where well-defined data protection best practices were not followed.

    The $1000 seems small compared to the potential damage done to each person, but the resulting $4.8 billion fine wouldn't be out of place, no? It'd certainly start getting some attention...

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Dec 2015 @ 2:28pm

    Vtech needs to be sued out of business quickly

    Once inside, the hacker obtained the names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids.

    This is a pedophile's or identity thief's dream: it's enough to convince children "mom sent me to pick you up, hey look, I even know your birthday" or enough to start setting up identity theft that happens years down the road.

    Unless Vtech is absolutely hammered for this, other companies will do the same. And in doing so, they're going to expose an entire generation of children to massive risk for no reason other than their own hubris.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Dec 2015 @ 2:38pm

      Re: Vtech needs to be sued out of business quickly

      >Unless Vtech is absolutely hammered for this, other companies will do the same.

      People could simply stop buying Vtech products.

      reply to this | link to this | view in chronology ]

      • icon
        art guerrilla (profile), 1 Dec 2015 @ 2:58pm

        Re: Re: Vtech needs to be sued out of business quickly

        yes, they could...
        the sheeple could do ALL sorts of stuff if they acted in concert...
        prolly not gonna happen until the bread and circuses run out...
        then it will be too late...

        besides -no slur upon techdirtia- but how many parents are tuned in to this website on the off chance some tech-related story has this impact on their special snowflakes ? ? ?
        otherwise, it gets a 10 second mention on the mainstream news, then down the memory hole it is flushed ! ! !

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 1 Dec 2015 @ 3:01pm

          Re: Re: Re: Vtech needs to be sued out of business quickly

          All the contact information is out there. Maybe little Jimmys picture on a postcard will get their attention?

          reply to this | link to this | view in chronology ]

      • identicon
        Rekrul, 1 Dec 2015 @ 11:42pm

        Re: Re: Vtech needs to be sued out of business quickly

        People could simply stop buying Vtech products.

        Yes they could, but unless Vtech is punished hard for this, what's going to motivate the next company to install more safeguards and not collect so much data? Absolutely nothing.

        reply to this | link to this | view in chronology ]

    • icon
      Blackfiredragon13 (profile), 1 Dec 2015 @ 2:59pm

      Re: Vtech needs to be sued out of business quickly

      pedophile's or identity thief's dream


      You mean wet dream, right? Because all around, I do believe that's more accurate. Not to be disgusting.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Dec 2015 @ 3:23pm

      Re: Vtech needs to be sued out of business quickly

      Hubris...no. Profit...yes.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 1 Dec 2015 @ 5:51pm

      Re: Vtech needs to be sued out of business quickly

      every company that sell there products without a warning [all]should be sued who needs a toysR.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Dec 2015 @ 2:29pm

    Just like "No Capes!" ..

    No apps! Ever.

    reply to this | link to this | view in chronology ]

  • identicon
    vastrightwing, 1 Dec 2015 @ 2:46pm

    Buy dumb appliances

    I bought a dumb TV recently, but it was hard because the stores don't carry dumb tvs on the floor. They are special items now. The sales guy said the smart tv is so much better than the dumb tv. Sure, better for him and the manufacturer.

    Home equipment like lawn gear now has software in it we can't do anything with. Now toys. Of course we can't inspect the software because manufacturers don't want us to know what it is doing. Case in point, VW sure didn't want any one poking around to discover its trade secret. Right!

    I see a new market for dumb appliances as they become harder and harder to find.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Anonymous Coward, 1 Dec 2015 @ 2:56pm

      Re: Buy dumb appliances

      How many different ways does ‘smart appliance” exemplify oxymoronic? I understand that they did not bake security into the ‘net’ originally, but will we be able to buy toasters for cash without giving away our life history in the future?

      I think that may be problematic.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Dec 2015 @ 5:50am

      Re: Buy dumb appliances

      I bought a dumb TV recently, but it was hard because the stores don't carry dumb tvs on the floor.
      You can still buy computer monitors, which may be good enough if you're using a cable box or DVR with HDMI output. They're not as enormous as modern TVs, but they're as big as the CRT televisions many of us grew up with (right until LCDs obsoleted them in the 2000s).

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Dec 2015 @ 3:09pm

    Vtech did not kick in.....

    reply to this | link to this | view in chronology ]

  • icon
    tqk (profile), 1 Dec 2015 @ 3:17pm

    Are they investigating the implementers too, I hope?

    The investigation continues as we look at additional ways to strengthen the security of all on-line services provided by VTech.

    Additional to the current absolute lack of security, as apparently there was none. How can people write shit like this with a straight face? Have we managed to completely de-select away that gene that once allowed us to admit, "We fucked up, sorry. We'll do our best to fix this, and put in the necessary effort to ensure nothing like it ever happens again. We feel really stupid right now, and the idiot whose job it was to handle this is being flogged to death as we write."

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 1 Dec 2015 @ 7:40pm

      CYOA

      If they admit that they had no security to speak of, they then open themselves up to lawsuits for gross negligence. By framing it instead as not having had enough security though, the blame is shifted away from them.

      reply to this | link to this | view in chronology ]

  • icon
    Mason Wheeler (profile), 1 Dec 2015 @ 3:51pm

    Once inside, the hacker obtained the ... passwords, ... of 4,833,678 parents

    That right there should be considered a priori evidence of criminal negligence on the part of VTech. It's basically Websites 101 that if you store passwords in such a way that it's possible for a hacker to read them, you're Doing It Wrong.

    Some people without experience in such matters may look at this and say, "but wait, if you don't store the password, how do you validate it when you log in?" The answer is, you store a hash of the password, which is a technical transformation that's kind of like encryption, except it can only be performed one-way. (You can decrypt something that's been encrypted if you have the key, but you can't de-hash hashed data.) When the person tries to log in, you hash the password that they sent and if the hash matches, you're confident that the password is correct, since a properly designed cryptographic hash makes it exceptionally unlikely that two different passwords will hash to the same value.

    Getting the details of password hashing right can be complicated, but if the hacker got everyone's passwords, that means VTech was almost certainly storing them in plain text (not hashed at all) or using a hash that's known to be broken (the math for some of them has flaws that do make it possible to reverse the hashing process a lot of the time). Doing either one would be considered grossly negligent by any competent programmer.

    reply to this | link to this | view in chronology ]

    • icon
      bkb (profile), 2 Dec 2015 @ 7:28am

      Re:

      According to what I've read from Troy Hunt's analysis, the passwords were hashed. Although they used a simple MD5 hash without a salt.

      To me it seems that whoever implemented it, knew that a password should be hashed, but wasn't knowledgeable or experienced enough to know exactly how to do it properly.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 1 Dec 2015 @ 6:59pm

    We need to strengthen privacy laws and reinforce encryption.

    Think of the children!! It's for the children!!


    Now, advocates for privacy and encryption got the proper argument to make so that the government does what they want.

    reply to this | link to this | view in chronology ]

  • icon
    M. Alan Thomas II (profile), 1 Dec 2015 @ 11:23pm

    "This opens the organizations up to unnecessary risk. If the words "might", "possible", or "potential" are used in an argument supporting the collection of data, you're about to violate the principle of least data. You should only collect and store data for well understood use.
    Three words: NSA.

    reply to this | link to this | view in chronology ]

  • identicon
    Stephen, 2 Dec 2015 @ 12:30am

    As companies race to embrace the inanely-named "internet of things" (IOT), security and privacy are usually a very distant afterthought.
    So it seems! I've been reading Troy Hunt's analysis of the hack at:

    http://www.troyhunt.com/2015/11/when-children-are-breached-inside.html

    and some of these details show just how naive at Net security Vtech truly was.
    For example, there is no SSL anywhere. All communications are over unencrypted connections including when passwords, parent’s details and sensitive information about kids is transmitted. These days, we’re well beyond the point of arguing this is ok – it’s not. ...

    [O]nce the passwords hit the database... they’re protected with nothing more than a straight MD5 hash which is so close to useless for anything but very strong passwords (which people rarely create), they may as well have not even bothered. The kids’ passwords are just plain text...


    Storing passwords as plain text is all too cokmmon evn now, and not confined to children's products. There is a manufacturer of internet modems & routers which does the same thing with the admin passwords for at least some of its ADSL2 modem routers meant for home use!

    As for the impact of this particular hack, VTech itself now admits:

    https://www.vtech.com/en/press_release/2015/faq-about-data-breach-on-vtech-learning-lodge/
    In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts. In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate
    Given the growing trend towards connecting everything to the Net the VTech and their problem probably merely represents the small tip of a large (and growing) iceberg.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2015 @ 2:38am

    Yes, blame the hacker, but blame the company more!

    There is only one way to make a greedy person/company spend money on reasonable protection... hit their wallet.
    It is ridiculous to watch these big companies basically leaving the door open and getting away with blaming the hacker every time.
    I know they will lose customers and future profit, but the amount pales compared to what they have made from those products in the past so in the end, it is a payday and a financial reason not to do it.
    The favorite excuse is that "it's business, what did you expect?" Well I do expect businesses to act like adults and act responsible with the valuables that people entrust to them. For far too long we have accepted atrocities in the name of money and business.
    Maybe we need to treat them like children if then insist of acting like it. With that I mean to send someone to do some serious forced security audits from an external source and make them pay when they don't live up to reasonable standards. They obviously aren't grown enough to police themselves.
    There needs to be a trial when data shows up on the internet, but both for the hacker and the company. If the company is found, by a security expert, to not live up to security that fits their exposure, the kind of data leaked the size of the company and other factors. Lastly they need to really feel the punishment so they can come to no other conclusion that better security practices are the only profitable way to go.

    reply to this | link to this | view in chronology ]

  • icon
    Violynne (profile), 2 Dec 2015 @ 3:16am

    It's easy to blame the company for its lack of security, but the ultimate responsibility lies on the consumer, who did not use any common sense while purchasing and using the product.

    Companies don't care about security for one reason: they're not held accountable for any breach of information. While it's true they must offer credit protection, the consumer is still required to take the offer. Otherwise, the company walks and the consumer deals with the fallout.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Dec 2015 @ 3:38am

      Re:

      I disagree on this.


      The ultimate responsibility lies on the company because, well, it is their responsibility to do so.

      That's like saying that the responsibility of someone dying in the operation room is the patient's (in cases where there was a fuck up from the doctors' side, I mean), because they chose to go to that doctor instead of to another that wouldn't be so negligent.

      You are not supposed to know the specifics of any service you pay because it isn't your job to do so. That's why you hire them. If they are required by law to meet some standards, then they got to follow them. And if they aren't, then it's time to change the laws so that they are supposed to work the way we want, and not the way they want.


      The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.

      Any problem related to the product or that is too complex for your normal customer to tackle, that's the provider's responsibility and not yours.


      Because that's what means being a professional. You take responsibility for your work, not your customer. You're the expert, not him.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 2 Dec 2015 @ 5:56am

        Re: Re:

        The only responsibility of a customer is to pay for the service provided and to use it responsibly, taking into account the limits any normal person has.
        While I mostly agree, shouldn't parents have been hesitant to provide their children's birthdates and home addresses? (A home address is understandable if Vtech were going to mail a product but it doesn't seem that was happening.) It's odd that we didn't hear about this data collection till now. Somebody should have been alarmed they were even requesting it, and went to the media if Vtech didn't respond by making it optional or offering a product refund.

        reply to this | link to this | view in chronology ]

    • identicon
      Klaus, 3 Dec 2015 @ 9:44am

      Re:

      I too must disagree. Vtech are a Hong Kong based company. Their collection of personal data falls under the jurisdiction of Hong Kong's Personal Data Ordinance. VTech are meant to:

      1. Ensure the collection of personal data is lawful, fair and not excessive. VTech must identify to a data subject the information it is collecting about them.

      2. Ensure that all practicable steps have been taken to protect personal data against unauthorized or accidental access.

      Unless VTech really did make an effort in the security department, they are royally screwed.

      reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 2 Dec 2015 @ 4:05am

    Catalog Coming Soon

    Coming soon to a dark net near you...

    From Vtech, we have acquired a large atabase of the following information:

    "... names, email addresses, passwords, and home addresses of 4,833,678 parents, and the first names, genders and birthdays of more than 200,000 kids."

    These data allow us to provide a catalog, shopping app with entries of the form:

    gender (sortable)
    age (sortable)
    picture (some)
    home address
    name
    parents' names

    The catalog app offers a distance filter that allows the user to a personal geolocation and maximum radius to identify potentionally local items.

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 2 Dec 2015 @ 5:12am

      Re: Catalog Coming Soon

      This is ominous, frightening, and deadly accurate. Every one of those children is now at serious risk, and will REMAIN at serious risk for years to come.

      Vtech should not just be sued, it should be prosecuted.

      reply to this | link to this | view in chronology ]

  • icon
    John Fenderson (profile), 2 Dec 2015 @ 11:01am

    IoT done wrong

    The lure of IOT has many companies collecting far more data than they could ever even conceivably need


    Which is why everyone should avoid IoT things like the plague. The sad thing is that IoT could be done in a way that eliminates this problem simply by having the devices talk to a server placed in the home instead of in the cloud. But that would eliminate the entire entire reason companies are so excited about IoT: the expanded spying opportunities.

    reply to this | link to this | view in chronology ]

  • identicon
    Cranky, 2 Dec 2015 @ 12:34pm

    Everyone's been kinda slow on the uptake here

    Since I saw this news come out last weekend, one specific claim has had my BS detector going off-scale: that the leak involved the information of over 4 million parents, but only about 200,000 children.

    Think about that ratio for a minute. (Go on, I'll wait.)

    How is it that nobody seems to have questioned this completely upside-down ratio? If over 4 million parents apparently bought and registered vtech's surveillance toys,
    how is it that 3.8 million of these rocket scientists managed not to give the toys to their children? (I'm having trouble accepting the notion that these parents failed to "personalize" their unfortunate children's "experience" by passing along all the info vtech seems to have been fishing for.)

    And now I see that my suspicion was well founded: vtech now admits that the number of affected toddlers is actually over 6 million, not the 200,000 they first claimed. (El Reg has a fresh article on this.)

    I'm a bit disappointed in the apparent lack of attention demonstrated by these vtech articles. You guys can surely do better.

    reply to this | link to this | view in chronology ]

    • icon
      GEMont (profile), 2 Dec 2015 @ 6:31pm

      Re: Everyone's been kinda slow on the uptake here

      The vast discrepancy in numbers of parents VS children was indeed bothersome, but I had assumed it was because most of the parents had simply and correctly decided against inputting their child's information, as it was obviously unnecessary and dangerous.

      Silly me.

      ---

      reply to this | link to this | view in chronology ]

    • icon
      John Fenderson (profile), 3 Dec 2015 @ 10:21am

      Re: Everyone's been kinda slow on the uptake here

      Personally, I noticed the discrepancy but thought it was of little importance. It just strongly indicates that VTech is lying about the number of kids involved, but that was already a well-established fact.

      reply to this | link to this | view in chronology ]

  • identicon
    Alex Ferreira, 4 Feb 2016 @ 1:02pm

    Is to track fatality

    The Bank of blood and gene is increasingly strong and safe closed ..

    Help me this despair, which could infect strategy send the investors, entrepreneurs, filmmakers, and other sites to bring the significance of this proposal to Brazil's production anonymously, hoping to be denied the significance of this proposal is to track fatality.

    I ask an opportunity to Cinema, the proposed production of the film "Bohr", Atomic particle.

    "Bohr" the atomic particle.

    Proposal for innovative script

    Movie "The Higgs particle" where the scenario starts a simple laboratory in Brazil specifically in the Amazon regions, with a young (I acting Children's theater) suffering from childhood polio and loss of immune gene disease.
     
    Young man who blew energetically disintegrating in the laboratory in Brazil and reappearing in the laboratory of LHC in Switzerland, such experiment similar to super. Hero Dr. Manhattan, only energy superhero color eletronspectra light all white. "Film to portray man's physical phenomenon that turns atom, rewind the birth of the universe, where humans eventually return to the core element of which arose" The BIG BAM ".

    Scenarios: Planet Earth where the vieja cumbre Volcano and other volcanoes on the planet explodes soon after contamination energy radiation releasing fungi, bacteria and viruses animated monsters (The LHC experiment) where you light guide these monsters to the planet Mars, and a wave of struggles and funny burnt ...

    Earth: Still on Mars man comet gets telepathically tsunami wave image that reach reef status in Alagoas (Northeast) and Brazil, due to the explosion of the volcano, returning to earth and a bright sun contains enraged ...

    Soundtrack:

    Girlfriend Bohr: girlfriend middle eastern nationality Medica

    At the hospital: When returning from tsunami help a child with two heads Indian heal herself with the senses.

    Universe, Lord receives light from the planet Aldebaran subconscious suffering from a cata confirmation, conflicts of tribes of giants God of War (the game character play), which transfers them to another planet dimension.

    Planets: Three planets are visited by enlightened, with similar cities to the cities of star war and Lord of the Rings who have experienced space gravitation if our way lacta is reached.

    I will be happy if they advertising correction of this proposal responding.

    "Movie Proposal, the light of God's creation and the birth of the human universe (Particle Bohr), lord of dreams," The Shining "".

    Other proposals that could make criticisms and comments of these advertisements:
    Game festival for children / Launch Game Man Atom
    Campaign aims Presidency of Brazil
    Movie Michelangelo, the painter.
    The fall of the Roman Empire
    jazz band season gospel

    ALEX FERREIRA
    Teatro Infantil / Law / Entrepreneur and business chief.
    Maranhão / 35 years / Unimed Health cards
    . Pass, War steps, n 52 - Guama / Bethlehem, Pa.
    Cep 66073-240
    Tel (91) 3253-8717 / 98993-3627
    BLOG - http://alex-ferreira-guedes.webnode.com/
    FACEBOOK - Alex Ferreira
    EMAIL - ferreira197979@r7.com

    Site of my company:
    Neves Carrier Ltd. Surveillance Services
    http://editor.wix.com/html/editor/web/renderer/edit/1d4f05a1-7abc-4ec7-83fc-d70329256617?met aSiteId=57dc9614-4562-4e97-9dc2-1c0f66069c18&editorSessionId=43E5A84D-326B-4070-AE68-C7BE93C0459 8The

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Close

Add A Reply

Have a Techdirt Account? Sign in now. Want one? Register here



Subscribe to the Techdirt Daily newsletter




Comment Options:

  • Use markdown. Use plain text.
  • Remember name/email/url (set a cookie)

Follow Techdirt
Special Affiliate Offer

Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.