This article was amended on 24 November 2017 to add additional material.
By Steve Wood, Deputy Commissioner (Policy).
In an increasingly digital world, more and more toys and devices aimed at children now have internet-connected technology. As the Christmas shopping season begins, many parents will be considering buying them for their children.
The ICO supports innovation and creative uses of personal data, but this cannot be at the expense of people’s privacy and legal rights, whatever their age. Concerns have been raised in recent months, not only in the UK but in Europe and the USA, that the growth in toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk.
There have also been data protection concerns relating to some products over what data is collected, by whom, where it is stored and how it is secured.
The Information Commissioner’s Office (ICO) wants parents, guardians and others to consider data protection and privacy issues in the same way they would check on the safety of presents they are planning to give to their children.
You wouldn’t knowingly give a child a dangerous toy, so why risk buying them something that could be easily hacked into by strangers?
In the same way that safety standards are a primary consideration for shoppers buying toys, we want those buying connected items in the coming weeks to take a pause and think about both the child’s online safety, and also the potential threat to their own personal data such as bank details, if a toy, device or a supporting app is hacked into.
Unlike Santa, those looking to hack into your devices don’t care whether you’ve been naughty or nice, so the ICO has the following advice for grown-ups considering buying smart toys and devices this Christmas:
- Research the security of a product before buying
Doing your homework before buying a connected device should allow you to recognise those with poor security. Research online reviews and manufacturers’ websites for information on privacy notices and policies. You should also look to see how a product will be updated in the future if a security issue is identified.
- Take care when shopping online
At this time of year, when online shopping is nearing its peak, scammers may be more likely to try to access your personal information such as bank account or credit card details. Only use secure sites when shopping online – secure sites usually carry the padlock symbol. Get Safe Online has advice on how to protect yourself.
- Take your time
Don’t wait until Christmas Day, when excited children will want to just turn on a new toy or device and skip as much of the set-up process as they can. Take the time beforehand to read the manual and familiarise yourself with the security and privacy options available to you.
- Change passwords and usernames from default
Default passwords and usernames for many devices are freely available on the web. You should always change the defaults immediately and choose a suitably strong password. Use a different password for each account and device. If a device doesn’t allow you to change the default password, you should strongly consider whether it is worth keeping it.
- Is your router secure?
Your router is the first line of defence on the perimeter of your home network. If you have devices connected to your network, the default settings of your router might be exposing them to the internet and therefore everyone else. Create a strong password and look out for and install security updates.
- If there's a two-step identification option - use it
Two-factor authentication offers you an additional layer of security when logging in to an online service. While few devices will offer this capability, the website you use to view its data might.
- Be camera aware - you never know who's watching
Some toys and devices are fitted with web cameras. The ability to view footage remotely is both their biggest selling point and, if not set up correctly, potentially their biggest weakness, as the baby monitor hacking issue of a few years ago demonstrated. If you have no intention of viewing footage over the internet, then turn the remote viewing option off in the device’s settings, or else use strong, non-default passwords.
- Location, location, location
One of the main selling points of children’s smart watches is the ability for parents to know where their children are at all times. However, if this isn’t done securely, then others might have access to this data as well. Immediately get rid of default location tracking and GPS settings and set strong, unique passwords.
- Bluetooth ache
It is not just potentially insecure web connections that can put children‘s online safety at risk. Some toys and devices have been found to have unencrypted WiFi connections or unsecured Bluetooth connections which can be easily accessed by strangers. If there is no option to secure these in the device’s settings, consider whether using the device is worth the risk. If there is an option to protect them with either a password or a PIN ensure you choose a strong one.
- Children have information rights too
Have age-appropriate conversations with children about their online safety, and model the correct way to do this. Children’s information and privacy rights are a key area of concern for the ICO. We are funding independent research into this area, are active members of the UK Council for Child Internet Safety and new legislation coming next year will also strengthen children’s legal rights.
- If in doubt, don't splash out
If you aren’t convinced a smart toy or connected device will keep your children’s personal information safe, then don’t buy it. If consumers reject products that don’t protect them, then developers and retailers should soon get the message. If you’ve purchased a device that you’ve since discovered is insecure, complain to the manufacturer or retailer and see if you can return it.
- Have a secure Christmas
By taking some time and care beforehand and following our advice, you can still see a child’s face light up when they open their new, web-connected Christmas present, safe in the knowledge that you are keeping them secure as well as happy.
The ICO and other stakeholders are also working with manufacturers, wholesalers and retailers through the Secure By Default project, which aims to encourage data protection considerations from the outset in product development and commercial purchasing decisions, providing better protection for consumers in future.
Steve Wood is Deputy Commissioner for Policy and responsible for the ICO’s policy position on the proper application of information rights law and good practice, through lines to take, guidance, internal training, advice and specific projects.