Are You Under Surveillance? ‘My Friend Cayla’ Dolls Are Spying On Children, Should Be Destroyed, German Goverment Warns

A talking doll that could allow hackers to listen and talk to children should be destroyed, an official watchdog in Germany has said. The “My Friend Cayla” doll uses a Bluetooth device to access the internet and answer users’ questions as well as ask for their personal information.

But researchers have warned since the start of 2015 that the Bluetooth device is insecure, allowing hackers to access it. Now the Federal Network Agency (Bundesnetzagentur), which oversees communications in Germany, has said the doll should be destroyed because it is in effect a “concealed transmitting device,” which is illegal in Germany. The country’s Telecommunications Act rules that manufacture, distribution and possession of what equates to espionage equipment is prohibited.

A law student filed the initial complaint with the Federal Network Agency. Stefan Hessel found that any Bluetooth-enabled device within a range of 10 meters could connect to the doll’s speakers and microphone, he told German publication NetzPolitik.

A complaint was also filed with the Federal Trade Commission last year alleging that the toy, which is manufactured by Genesis, collects data from children and sends it to a speech-recognition company, Nuance Communications, which built the toy’s accompanying app. A similar issue was reported with another Genesis product, the i-Que Intelligent Robot.

“Researchers discovered that by connecting one phone to the doll through the insecure Bluetooth connection and calling that phone with a second phone, they were able to both converse with and covertly listen to conversations collected through the My Friend Cayla and i-Que toys,” read the FTC complaint.

A formal complaint over the product was also lodged in the United States via consumer groups last December.

“The toys subject young children to ongoing surveillance and are deployed in homes across the United States without any meaningful data protection standards,” the complaint made to the Federal Trade Commission read. “They pose an imminent and immediate threat to the safety and security of children in the United States.

Nuance Communications responded by insisting that it does not violate data privacy law.

"Nuance does not share voice data collected from or on behalf of any of our customers with any of our other customers," spokesman Richard Mack said.