Holiday shoppers beware, consumer advocates are warning: Danger lurks in U.S. toy aisles, where dolls and robots can be used as spies and unlabeled potential choking hazards are disguised as "Disney Princess Punchball Balloons."
"My Friend Cayla," a popular talking doll, uses a hidden microphone and an unsecured Bluetooth connection that can allow anyone within range to spy on your family and talk back to your child, said Kara Cook-Schultz, one of the authors of the U.S. Public Interest Research Group's annual "Trouble in Toyland" report.
"If you are an adult and have decided to share data with an internet-connected device, fine. But if you're a child, you probably have no idea that this doll that you think of as a friend can be used to spy on you," she said.
German authorities banned the Cayla doll in February, saying it violates Germany's privacy laws. Last summer, the FBI also issued a consumer warning about Internet-connected devices, saying that toys containing sensors, microphones, cameras, data storage and other multi-media capabilities could put the privacy and safety of children at risk because of the large amount of personal information that your children — and you, when you're in earshot of the device — might unwittingly disclose.
And Cayla isn't the only culprit.
The Mozilla Foundation, a non-profit aimed at fostering a free and functioning Internet, issued a report Tuesday that cited several other toys with identical Bluetooth risks — "Dash the Robot" and "BB-8 by Sphere," a Star Wars themed toy. Both Bluetooth-enabled devices could allow everyone from neighbors to the person sitting next to you at the park purposefully (or inadvertently) connect to the toys, listen to your kids' conversations and even talk back to them.
Worse, says Mozilla Foundation's vice president of advocacy, Ashley Boyd, is that these devices store all the personal information they've gathered. Yet it's not clear whether the data is stored in the device, in the "cloud" or elsewhere, nor is it clear how this data is secured.
"There isn't a lot of transparency," Boyd said. "As parents, we should know where the data is stored and whether it could be shared with others."
"Adidas miCoach" soccer ball poses even greater privacy risks, according to the Mozilla report. The ball has a camera, microphone and location tracker, but no privacy controls. Consumrs are also invited to create an account to use the game system, which could reveal more of their information.
"Privacy has really emerged as a theme with all of these Internet-connected devices," Boyd said.
There are low-tech risks, too, according to US PIRG, a consumer advocacy group. Specifically, balloons have proven to be such serious choking hazards that the Consumer Product Safety Commission has required them to be sold with warning labels for years.
But US PIRG found a number of balloon-based games on toy store shelves this year with missing or misleading warnings. Five balloon sets were cited in this year's Trouble in Toyland report: "H2O Blasters – Water Balloons" and "Disney Princess Punchball Balloons," sold at Dollar Tree; Party City's "Mega Value Pack 12 Water Bomb Packs" and "Mega Value Pack 14 Latex Punch Balloons"; and Dollar City Plus' 10-pack of "Party Balloons."
All are "either marketed to children under eight or have misleading warning labels that make it appear that they are safe for children between ages three and eight," according to US PIRG.
Parents of young children also should be aware of the risks of some travel games, which include small parts that can be choking hazards, the group said.
"Despite a ban on small parts in toys for children under the age of three, we found several toys that contain small parts but do not have any warning label at all," the report states. "These included a peg game, golf and football travel games that we found at Dollar Tree."
A US PIRG report earlier this month revealed that a handful ofwere being sold in toy aisles at Target stores. The retailer has since after the group issued a public warning about the lead-laden spinners.