4,124 research outputs found

    Mandated Ethical Hacking—a Repackaged Solution

    Hacking to prove a point or to expose technological vulnerabilities has been around since the 1960s, but it has been labeled and packaged differently as “white hacking” or “ethical hacking.” This article suggests that smart toy manufacturers, such as Mattel and VTech, should be subject to required vulnerability testing which utilizes ethical hacking under the Consumer Product Safety Improvement Act (“CPSIA”). More specifically, this article proposes to amend the Toy Safety Standard, ASTM F-963-11, to include smart toys connected to the internet. The CPSIA and Consumer Product Safety Commission (“CPSC”) impose safety testing on all toys intended for use by children of twelve years of age or younger. This article will explore the proposed safety testing in the context of the smart toys My Friend Cayla and Hello Barbie. This article is cognizant of how fast-paced the technology industry is and thus, does not suggest a specific time period, rather it suggests what must be done prior to the release of product

    Little Things and Big Challenges: Information Privacy and the Internet of Things

    The Internet of Things (IoT), the wireless connection of devices to ourselves, each other, and the Internet, has transformed our lives and our society in unimaginable ways. Today, billions of electronic devices and sensors collect, store, and analyze personal information from how fast we drive, to how fast our hearts beat, to how much and what we watch on TV. Even children provide billions of bits of personal information to the cloud through smart toys that capture images, recognize voices, and more. The unprecedented and unbridled new information flow generated from the little things of the IoT is creating big challenges for privacy regulators. Traditional regulators are armed with conventional tools not fully capable of handling the privacy challenges of the IoT. A critical review of recent Federal Trade Commission (FTC) enforcement decisions sheds light on a recommended path for the future regulation of the IoT. This Article first examines the pervasiveness of the IoT and the data it collects in order to clarify the challenges facing regulators. It also highlights traditional privacy laws, principles, and regulations and explains why those rules do not fit the novel challenges and issues resulting from the IoT. Then it presents an in-depth analysis of four key FTC enforcement decisions to highlight how the FTC has and can regulate the IoT without undermining the innovation and benefits that this technology - and the data it provides - brings to our society. Specifically, the Article describes how the FTC, faced with the privacy challenge that accompanies the interconnected world of the IoT, has managed to apply traditional standards of unfairness and deceptive practices to protect private information. The FTC has been flexible and nimble with its interpretations of such standards and, in its most recent IoT case, FTC v. VIZIO, established a new tool in its toolkit for regulating IoT devices: an unfair tracking standard. 
As the de facto data protection authority in the United States, the FTC can use this new tool to work toward standardizing its treatment of IoT privacy issues instead of trying to fit those concerns neatly under the deception authority of section 5 of the FTC Act. However, this new tool also means that the FTC has the opportunity - and responsibility - to provide guidance on how it will wield that authority. To assure that innovation is not stifled and that this new rule is fairly applied (whether by the FTC or other agencies that may follow suit), it is imperative that the FTC diligently address concerns about the scope of this new rule and communicate that guidance to businesses, other regulators, and consumers alike. The new FTC administration should, as the primary regulator of information privacy and the IoT, continue the strong practice established by the previous administration, which is to provide guidance to businesses, consumers, and other regulators navigating the big challenges caused by the little things in the IoT

    Pre-Interaction Identification by Dynamic Grip Classification

    We present a novel authentication method to identify users as they pick up a mobile device. We use a combination of back-of-device capacitive sensing and accelerometer measurements to perform classification, and obtain increased performance compared to previous accelerometer-only approaches. Our initial results suggest that users can be reliably identified during the pick-up movement before interaction commences

    Discursive constructions of the internet of toys

    The Internet of Toys (IoToys) refers to the small subset of the Internet of Things often marketed to children and their caregivers as smart toys. These toys include many of the affordances of screen-based, networked technologies, packaged as children’s everyday playthings. Thus, Hello Barbie uses voice recognition and cloud-based computing combined with artificial intelligence procedures to craft meaningful responses to children’s statements and engage them in quasi-naturalistic conversation. Other IoToys also include image recognition and geo-locational data collection. Such toys can also be constructed in different ways that represent the perspectives of the speaker and circumstances of use. Thus Germany’s Federal Network Agency announced in February that it classified the My Friend Cayla doll (a competitor to Barbie) as an ‘illegal espionage apparatus’ because ‘under German law it is illegal to manufacture, sell or possess surveillance devices disguised as another object’. The IoToys facilitates both commercial relations and income streams for the manufacturers and/or associated organisations, such as marketing agencies, software providers and voice analytics services. These streams of income can include advertising to children through the connected toy, the collection, analysis and monetisation of children’s data and the sale of the toy itself. Buying the toy also involves long-term contractual agreements that transfer legal responsibility for the collection, analysis and distribution of children’s data onto their parents. This effectively gives commercial entities the authority to continue and conceivably expand upon data-collecting and data-sharing procedures. This article analyses the discursive construction of the future IoToys using textual analysis of media resources that provide stakeholder perspectives on this emerging field. 
It argues that, given their status as an emerging category of human–computer interaction devices, objects that can be classified as part of the IoToys currently occupy a controversial and contested media industries space, raising many regulatory and policy questions that children themselves are not equipped to consider or take into account

    Privacy, Security, and the Connected Hairbrush


    An Experimental Evaluation of Smart Toys’ Security and Privacy Practices

    Smart toys have captured an increasing share of the toy market, and are growing ubiquitous in households with children. These toys can be considered as a subset of Internet of Things (IoT) devices, often containing sensors and artificial intelligence capabilities. They may collect personal information, and frequently have Internet connectivity directly or indirectly through companion apps. Recent studies have found security flaws in many smart toys that have led to serious privacy leaks or allowed tracking a child’s physical location. Some well-publicized discoveries of this nature have led governments around the world to ban some of these toys. To complement recent efforts in analyzing and quantifying security and privacy issues of smart toys, we set out to create two thorough analysis frameworks that are specifically crafted for smart toys. The first framework is designed to analyze legally-binding privacy policies and terms-of-use documentation of smart toys. It is based on a set of privacy-sensitive criteria that we carefully define to systematically evaluate selected privacy aspects of smart toys. We augment our work with a static analysis for the companion Android apps, which are, in most cases, essential for intended functioning of the toys. We use our framework to evaluate a representative set of 11 smart toys, along with 11 companion apps. Our analysis highlights several instances of unnecessary collection of privacy-sensitive information, the use of over-privileged apps, incomplete/lack of information about data storage practices and legal compliance. The proposed framework is a step towards enabling a comparison of smart toys from a privacy perspective, which can be useful to parents, regulatory bodies, and law-makers. The second framework is used to investigate security and privacy practices - based on experimental analysis - of those specific kinds of IoT devices. 
In particular, we inspect the real practice of smart toys to determine the personal information they collect and security measures used to protect them. We also investigate potential security and privacy flaws in smart toys that can lead to leakage of private information, or allow an adversary to control the toy to lure, harm, or distress a child. Smart toys pose risks unique to this category of devices, and our work is intended to define these risks and assess a subset of toys against them. We perform a thorough experimental analysis of five smart toys and their companion apps. Our systematic analysis has uncovered that several of these toys may expose children to multiple threats through physical, nearby, or remote access to the toy. The presented frameworks unite and complement several existing ad hoc analyses, and help comprehensive evaluation of other smart toys

    Towards an Evaluation of Cyber Risks and Identity Information Sharing Practices in e-Learning, Social Networking, and Mobile Texting Apps

    With the growing dependency for online connectivity, the use of Information and Communication Technologies (ICTs) to share identity information surged substantially. Students are constantly sharing where they go, how they feel, and even pieces of identity information such as their age, address, personal pictures, etc. Pieces of identity information are bits of information that, if combined, provide a larger picture of the identity of an individual. Such identity information may enable criminals to obtain financial benefits under the victims’ identity, or be utilized for stalking, bullying, or other harassment. The use of different ICTs such as mobile texting, social networking, and e-learning among students, while most of them are not aware that their digital communication is not encrypted, exposes them to increased risk of identity theft. Given that students spend the majority of their connectivity time with school related contacts, the focus of this exploratory study is to measure if there are significant differences on the frequency of identity information pieces they share, who they are willing to allow access to their personal profiles, and what is the level of identity protection risks they report compared between three ICTs (e-learning systems, social networking sites, & mobile texting apps). Preliminary results and discussions are provided