Barbie's Data Privacy Scandal

Written by

In 2015, Mattel released a new talking doll called Hello Barbie. The doll was designed to be a friend for children, and it could hold conversations with them, tell jokes, and even sing songs. However, Hello Barbie also had the ability to record and store these conversations, which raised concerns about children's privacy.

Some argued that Hello Barbie was a form of child surveillance, and that parents should be wary of giving their children a toy that could be used to collect their personal information.

Now, You Can Chat with Barbie!

The doll was promoted as a way for children to talk directly with their toys.

Here’s how it worked:

  • To get started customers had to download the Hello Barbie companion app to their own device.
  • The next step was for parents to set up a ToyTalk (later named Pullstring) account and connect the doll to use the conversational features.

According to Mattel, Hello Barbie doll could remember up to three different WiFi locations and did not require a smart device after WiFi configuration.

Once the set up had been completed a child could hold down the doll’s belt buckle and speak to Barbie, the audio was then sent to ToyTalk’s servers to perform speech recognition using artificial intelligence (AI).

Barbie and Data Privacy

The controversy came as users were informed that the use of Hello Barbie involved the recording of voice data which was then transmitted over cloud servers which ToyTalk then processes with voice-recognition software.

In March 2015, the Campaign for a Commercial-Free Childhood (CCFC), now named Fairplay, demanded that the toymaker halt marketing and production of the doll.

The CCFC noted that Mattel had said that it would use the information to “push data” back to children through Barbie’s built-in speaker.

The CCFC then pointed to ToyTalk’s privacy policy which at the time included the following:

“We may use, store, process and transcribe Recordings in order to provide and maintain the Service, to perform, test or improve speech recognition technology and artificial intelligence algorithms, or for other research and development and data analysis purposes.”

At the time, a Mattel spokeswoman claimed the toy will “deepen that relationship girls have with [Barbie].” Over time, she said, the goal is for the child and “Hello Barbie” to “become like the best of friends.”

Barbie and Security Concerns

Security concerns also spread as claims came in that suggested that the Barbie doll could be hacked. In November 2015 ToyTalk sought to comfort parents by outlining how secure the doll actually was.

No dolls were made to say anything unintended.Martin Reddy, Co-founder and CTO, ToyTalk (2015)

In a blog post the company went into detail but some of the key take-aways included:

  • The mobile app allowed you to configure the doll with your WiFi network’s name and password so it can join your network. Your WiFi password is stored in a hardware-encrypted section of the doll, and there is no mechanism to return passwords once they are stored on the doll.
  • The doll sent a child’s audio to ToyTalk’s servers and in return received an audio file of Barbie’s response to play. Both directions of this communication used asymmetric encryption technology.
  • The doll used an “over-the-air” firmware update mechanism to download improvements to the logic on the doll as they become available

Despite this, the company did acknowledge two cases where the doll was “hacked” but ensured that no passwords were compromised, and no dolls were made to say anything unintended.

In one case a ‘hacker’ opened the doll, de-soldered the chip from the circuit board, and placed the chip into a reader so they can look at the memory. In the second, they accessed the interface on the doll that the mobile app uses to configure it.

Discontinuation

Ultimately the controversy led to the demise of Hello Barbie and its associated accessories the same year it was launched.

Later, Pullstring (ToyTalk) discontinued its services to existing Hello Barbies, as well as the Hello Barbie Dreamhouses.

This was not the first time Barbie’s technology advances ended the doll in hot water. In 2010 the FBI issued an alert on a Barbie model that had a built-in video camera.

The Barbie Video Girl Doll could create movies from a Barbie doll's point-of-view with a real video camera inside.

The FBI’s concern was that child pornographers could use the technology. At the time, Mattel noted that nothing sinister had occurred and no incidents had been reported.

Image credit NightGliderSA  Shutterstock.com

What’s hot on Infosecurity Magazine?