How GPS watches can put kids in harm's way

Helicopter parenting is reaching ever-loftier heights, thanks to GPS-connected gadgets that allow parents to track their child's every movement. But putting a tracker on your kid could be a bad idea for reasons besides the psychological, consumer advocacy groups claim.

Some smart watches aimed at kids, in particular, are susceptible to being hacked, allowing strangers to track children and even communicate with them without parents' knowledge. That's according to a report from the Norwegian Consumer Council, which commissioned extensive testing on four models of GPS kids watches. 

US consumer groups are now warning parents not to buy the devices, and they're asking the government to investigate if the devices run afoul of laws concerning privacy and consumer protection.

"You have a watch that's being marketed as keeping children safe and a way for people to keep tabs on their children, [but] that's actually putting children at risk," said Josh Golin, executive director of the Campaign for a Commercial-Free Childhood. His organization, along with the Electronic Privacy Information Center, the Consumers Federation of America, Public Citizen and other groups, laid out their concerns in a letter to the Federal Trade Commission (FTC) Wednesday. 

Kids' smart watches, while a relatively niche item, appeal to busy parents who may have concerns about getting their child a full-featured and expensive smartphone. Location monitoring is the watches' main purpose, but many also allow a parent to call or text a child. Some send an alert when a child leaves a designated geographical area, a feature known as geo-fencing. And some have cameras that let a parent see what their child is up to.

In the Norwegian report, researchers tested four watches and found that three didn't meet basic security safeguards. The resulting "leakage of customer data" allowed a stranger to find information about a child or children and even contact them without the parent's knowledge. 

"It was so easy to circumvent the security. That was sad and one of the most surprising things," said Finn Myrstad, director of digital policy for the Norwegian Consumer Council.

In one watch, the security testers were able to pair an existing gadget with a completely new account, allowing the testers to see user data, including the watch's current location and location history and contact phone numbers in the account -- all without the watch user's being notified. 

Testers were also able to monitor a user's location while sending different location information to the app -- mimicking a scenario in which a hacker misleads a parent about their child's location.

In another watch, knowing a user's phone number "gives an attacker full access to the device," the report found. While testing a third watch, the researchers "inadvertently came across sensitive personal data belonging to other users, including location data, names and phone numbers." Some features like geo-fencing and the SOS call did not work reliably.

"This data can be abused for so many different things -- finding out where kids have been means getting extremely sensitive data around where they live, where they go to school," said Myrstad. "It's far, far away from any basic standard of security."

None of the four watches "handle data privacy and security particularly well," the report found. It was impossible for a user to delete information from the app. Deleting an account only stopped the app from collecting more information -- it did nothing with the data already stored. 

Only one watch, the Tinitell, required a parent's consent to set up the app to track a child, which the US requires marketers to do, consumer advocates said. And none of the apps used with the watches clearly stated they wouldn't use personal data for marketing purposes.

The models tested were the Gator 2 watch (also called Caref), watches using the SeTracker series of apps and the Xplora watch. A fourth model, the Tinitell, did not have major security flaws but also didn't have clear privacy protections, the report found. (All models except for Xplora are on sale in the US.)

"I suspect this is a very widespread problem," said Golin. "This is something we see with internet-connected devices. ... In a rush to get a competitive advantage and get these products out early, they're not paying attention to security and privacy."

The lapses the group found are reminiscent to flaws uncovered last December in a doll called My Friend Cayla, which encouraged children to speak to it and recorded their statements. After consumer groups complained to the FTC, the agency warned parents about the doll, and some retailers, like Toys R Us, pulled the product

Some of the same consumer organizations are now focusing on GPS watches, saying their lack of security is putting kids in danger. 

"I think we're used to seeing cheap products for children. If it breaks after six months, that's one problem," said Golin. "But if we're talking about a watch that a stranger can easily hack and track where your child's location is, that's much more serious."