Why Mozilla’s CloudPets Victory Is Hollow

The connected toy war is far from over

After claiming it planned to petition Amazon for the second time in as many months in the name of children’s privacy, software community Mozilla has once again been charmed by sweet nothings from the ecommerce giant and scrapped its missive.

Last month, the company took aim at Amazon’s Echo Dot for Kids but did not pull the trigger. Mozilla’s target this go-round? CloudPets, an internet-connected stuffed animal toy, which calls itself “a message you can hug.” These cuddly messages-you-can-hug were discontinued at some point after a 2017 data breach.

Retailers Walmart and Target were also named in the petition-that-never-was. They have since pulled CloudPets from their websites. In Walmart’s case, however, this amounted to deleting a single listing for a unicorn. Neither retailer responded to a request for comment.

As of June 5, about 20 listings for CloudPets remained from resellers on Amazon, but because of “Amazon reaching out to Mozilla,” a rep for the software community said it was not going public with its campaign. And, by the end of the day, those listings were gone.

“Mozilla views this behind-the-scenes progress as a win for consumers—one less unsecure toy is on shelves,” the rep added.

Josh Golin, executive director for the Campaign for a Commercial-Free Childhood (CCFC), which was one of the organizations listed alongside Mozilla in the petition, said the strategy for CloudPets is similar to the one for My Friend Cayla, a connected doll that claims to be the “smartest friend you will ever have” and who was banned by the German federal network agency Bundesnetzagentur in February 2017 because she could be used as a surveillance device.

Golin said U.S. retailers pulled My Friend Cayla because of pressure. (The My Friend Cayla website lists Walmart as a U.S. retailer selling the doll, but it does not appear on Walmart.com. My Friend Cayla did not respond to a request for comment.)

On its website, CloudPets says its products have “built-in security” and parents choose who can send messages—and they can approve every message. However, from Christmas 2016 through the first week of 2017, the aforementioned data breach exposed email addresses, usernames and passwords. In response, CloudPets said it required all app users to reset their passwords and it was implementing new password security requirements.

About a year later, Mozilla said it had cybersecurity research firm Cure53 conduct “a thorough security audit” and it uncovered three additional vulnerabilities: the app points users to MyCloudPets.com for help and this domain is for sale and could be purchased by any yahoo on the internet; strangers can connect to CloudPets via Bluetooth without authentication; and firmware is installed without verification, which could allow someone to deploy custom firmware or modify the existing firmware.

Mozilla and CCFC’s hearts may be in the right place, but it seems as if they are tilting at windmills.

There are elements of the petition that simply defy logic. For example, Mozilla, CCFC and 10 other organizations intended to demand retailers stop selling the discontinued toy “until the flaws are fixed.”

Yet the company that manufactured it, Spiral Toys, is no longer in business. Spiral Toys does not have an active website. Its stock is trading at $0.00. And while Spiral Toys may arguably have a moral obligation to fix these flaws for consumers who have already purchased the toy, that’s not to say it will. And it’s unclear who Mozilla and Co. thought would fix these flaws in Spiral Toys’ absence.

And, quite frankly, their efforts might be better served addressing the needs of parents who don’t know what to do with these privacy-compromising animals.

In fact, a rep for CloudPets said: “CloudPets brand has been discontinued and no more units are being sold directly by the brand. We only provide technical support for the units in the field which will also end this year.” The rep did not respond to additional questions.

And as for why the petition about Echo Dot for Kids was dropped while Mozilla still intended to pursue a petition against CloudPets, Ashley Boyd, Mozilla’s vice president of advocacy, said on Monday that the vulnerabilities in the latter were “more significant.”

Boyd said Mozilla is “in continued conversations” with Amazon over its Echo Dot for kids and ways to create better information for parents. Its primary focus is on getting more consumer information about data collection, storage and use and Boyd said she’d love to get to a place where manufacturers provide information about data in an easy-to-understand format like a nutrition label. Now she’s on to something.

And it’s this focus on creating a conversation between retailers and manufacturers that perhaps should have been Mozilla’s target instead of CloudPets in the first place. In fact, the defunct petition urged retailers to consider implementing systems to ensure the products they stock have basic practices in place to protect consumer privacy.

“It’s a challenging time for retailers,” Boyd said. “The technology is changing so quickly—it’s hard for them to keep on top of products that might be of concern.”

That, too, makes sense.

If nothing else, this will-they-won’t-they petition drama illustrates what uncharted territory we’re in with connected toys.

CloudPets and My Friend Cayla are hardly alone. Another connected doll, Hello Barbie, has also been discontinued, but Mattel did not respond to a request asking why.

Market research company NPD Group said connected toys represented about 1 percent of total U.S. toy sales in 2017.

In February, the FTC settled its first connected toys case against electronic toy maker Vtech. The FTC said Vtech collected personal information from children without providing direct notice and obtaining parental consent and it failed to take reasonable steps to secure the data.

An FTC rep would not comment on any other connected toy investigations—if any—saying they are nonpublic.

The FTC was reportedly looking into My Friend Cayla in 2017, but nothing seems to have come from it. And, aside from warnings from bodies like the FBI, it doesn’t appear the U.S. government has taken much action otherwise. The German government, on the other hand, has also banned i-Que, the “quick-witted, smart talking, know-it-all robot,” as well as toy cars with cameras and children’s watches with listening functions.

Which raises the question of what comes next—and whether it’s simply too early in the evolution of connected devices, full stop, to have toys that safely balance fun and privacy.

Juli Lennett, toys industry adviser for NPD Group, said it is possible, but—no surprises here—manufacturers “need to be extra cautious about privacy when they are targeting their products to younger children.”

According to Lennett, some of the more popular connected toys recently include: Anki’s AI robot Cozmo; Lego’s Boost Creative Toolbox, which allows kids to build figures and code their behaviors; and Sphero’s programmable robot Sprk+.