Towards a comprehensive analytical framework for smart toy privacy practices
Moustafa Mahmoud, Md Zakir Hossen, Hesham Barakat, Mohammad Mannan, A. Youssef
Workshop on Socio-Technical Aspects in Security and Trust
Publication date: 2018-12-05
DOI: 10.1145/3167996.3168002 (https://doi.org/10.1145/3167996.3168002)
Citations: 14
Abstract
Smart toys are becoming increasingly popular with children and parents alike, primarily due to the toys' dynamic nature, superior interactivity, and apparent educational value. However, as these toys may be Internet-connected and equipped with various sensors that can record children's everyday interactions, they can pose serious security and privacy threats to children. Indeed, in recent years, several smart toys have been reported to be vulnerable, and some associated companies have also suffered large-scale data breaches, exposing information collected through these toys. To complement recent efforts in analyzing and quantifying the security of smart toys, in this work we propose a comprehensive analytical framework based on 17 privacy-sensitive criteria to systematically evaluate selected privacy aspects of smart toys. Our work is primarily based on publicly available (legally-binding) privacy policies and terms of use documentation, and a static analysis of companion Android apps, which are, in most cases, essential for the intended functioning of the toys. We use our framework to evaluate a representative set of 11 smart toys. Our analysis highlights incomplete or missing information about data storage practices and legal compliance, several instances of unnecessary collection of privacy-sensitive information, and the use of over-privileged apps. The proposed framework is a step towards comparing smart toys from a privacy perspective, which can be useful to toy manufacturers, parents, regulatory bodies, and law-makers.