It’s nice to have a friend who’s a good listener, but a doll called My Friend Cayla listens a little too well, according to German regulators who say the toy is essentially a stealthy espionage device that shares what it hears and is also vulnerable to takeover by third parties.
“Cayla ist verboten in Deutschland,” says Jochen Homann, the president of Germany’s Federal Network Agency (the Bundessnetzagentur), announcing a ban on the doll in Germany on Friday. His agency oversees electronic privacy as part of its telecommunications mandate; Homann also cites a special obligation to protect the privacy of children, calling them the most vulnerable members of society.
The heart of the problem, Homann says, is that Cayla looks like an everyday doll and gives no notice that it collects and transmits everything it hears — in this case, to a voice-recognition company in the U.S. whose other customers include intelligence agencies.
Nuance, the U.S. company in question, has said in response to similar criticisms that it “does not share voice data collected from or on behalf of any of our customers with any of our other customers.”
The My Friend Cayla doll remains for sale in the U.S., including via Amazon. It’s not currently available on the websites of either Toys R Us or Wal-Mart. A Toys R Us representative confirms that the doll isn’t offered for sale in its stores, either.
To ban the doll in Germany, regulators invoked a federal law against espionage devices. And because that law provides fines of up to 25,000 euros for anyone who insists on selling or owning the equipment, the agency clarified in today’s ruling that it doesn’t plan to pursue actions against parents who bought the doll.
Instead, the agency says, it assumes parents will take it upon themselves to make the doll harmless — prompting the European Consumer Organization to say that while it applauds the ban, “asking parents to destroy the toy” leaves consumers empty-handed.
Much of what the German agency says echoes the concerns of privacy and consumer advocates in the U.S., who filed a complaint against Cayla during the recent Christmas shopping season. They criticized the scope of what the Internet-connected toy captures, as well as the vulnerabilities it poses for users who link the doll with their smartphones via an unsecured Bluetooth pairing.
That consumer group included Claire Gartland, director of the Consumer Privacy Project at the Electronic Privacy Information Center, a Washington nonprofit. Here’s how NPR’s Brian Naylor described part of their complaint:
“Gartland says the conversations that Cayla records are sent to servers at a company called Genesis, which makes the doll, and to another company called Nuance, which makes voice-recognition software for this any many other products. Nuance also has a database used by law enforcement and military and intelligence agencies that matches voiceprints.”
Brian also relayed an interaction with Cayla in which a question — “Can I tell you a secret?” — brought this reply: “Sure go ahead; be very quiet, though. I promise not to tell anyone; it’s just between you and me because we are friends.”
Consumer groups have also criticized the doll for its habit of praising commercial products, in what’s often seen as a stealth marketing campaign that targets children.
“For example, Cayla will happily talk about how much she loves different Disney movies,” Norway’s Consumer Council says. “Meanwhile, the app-provider has a commercial relationship with Disney.”
When Norway’s council urged consumers not to buy the doll, it included a video titled, “Watch how the toys fail.”
That video ends with the Norwegian Consumer Council’s technical director, Finn Myrstad, asking Cayla, “Can I trust you?”
“I don’t know,” the doll replies.