U.S. Sen. Mark R. Warner (D-Va.), on May 22, sent a letter to the Federal Trade Commission asking the agency about its efforts to protect children’s privacy following several high-profile instances of children’s data being hacked.
His letter follows one Sen. Warner sent to then-Chairwoman Edith Ramirez on July 6, 2016 urging the FTC to work with Congress to strengthen protections for children’s personal information given the increase in apps and Internet-connected “smart toys.”
“Recent events have illustrated that in addition to security concerns with the devices themselves, new data-intensive functionalities of these devices necessitate attention to the manner in which vendors transmit and store user data collected by these devices,” Warner wrote in his letter to Acting Chairwoman Maureen Ohlhausen. “Reports of your statements casting these risks as merely speculative —and dismissing consumer harms that don’t pose ‘monetary injury or unwarranted health and safety risks’—only deepen my concerns.”
According to media reports, CloudPets, a product line manufactured by Spiral Toys and marketed as ‘a message you can hug,’ stored customers’ personal data in an insecure, public-facing online database.
CloudPets reportedly exposed over 800,000 customer credentials and more than two million voice recordings sent between parents and children.
Subsequent reports have raised questions about security at the device level, with individuals able to hack CloudPets’ toys and remotely control the devices, including the microphone, if they are within Bluetooth range.
Warner also referenced the children’s doll “My Friend Cayla.” In December 2016, privacy advocates filed a complaint with the FTC regarding the doll and concerns that it can be used for unauthorized surveillance. In February 2017, the Bundesnetzagentur, Germany’s equivalent of the FTC, pulled “My Friend Cayla” off the market due to concerns over the doll’s surveillance capabilities.
“Researchers have determined that in many cases IoT (Internet of Things) devices are, by design, not patchable,” Warner wrote. A lack of market incentives to design devices with security in mind or to provide ongoing support has allowed manufacturers to flood the market with cheap, insecure devices. In March, however, you seemed to downplay the existence of these risks, suggesting that, ‘We don’t know if that risk [from insecure IoT devices] will materialize,’ and contending that if it did, industry could sufficiently address the problem, obviating the need for FTC action.”
Warner asked Ohlhausen whether the Children’s Online Privacy Protection Act needs to be updated to keep pace with developments in data security and cyber-security best practices.
Other questions raised in the letter:
Does the FTC need additional authority from Congress to regulate the remote storage of data by operators or by third parties who store and handle children’s personal information?
In the case of a civil enforcement action related to a violation of either Section 5 or COPPA, does the FTC’s injunctive authority extend to requiring defendants to recall insecure products designed for, marketed, and sold to U.S.-based consumers?
Under what circumstances might the FTC require a ‘buy-back’ for insecure products, as it did in a recent Section 5 case involving an automaker’s deceptive marketing?
Warner is vice chairman of the Senate Intelligence Committee.