The internet of things comes with all kinds of privacy worries, and one country in particular is keen to address them. Having earlier this year banned an internet-connected talking doll for its lack of proper security, Germany’s Bundesnetzagentur (Federal Network Agency, or BNA) has now turned its attention to smartwatches that are marketed for use by children.
The problem here isn’t so much a fear of hackers – it’s the things that parents are doing with these smartwatches. Not only are they listening to their kids as they go about their daily lives; they’re also using the kid-borne gadgets to listen to what their teachers are saying. And in a country that takes privacy very seriously, that’s a no-go.
As BNA president Jochen Homann put it:
“Through an app, parents can use children’s watches to listen to the child’s environment without being noticed. According to our research, watches given by parents are for example used to listen to teachers in class.”
The watches have SIM cards and can be programmed to quietly call a certain phone number. Silent monitoring is prohibited in Germany, the BNA said. So, as with My Friend Cayla the doll, the agency said people should destroy the watches – parents were told to “keep records of destruction” and schools were advised to “pay more attention” to this surveillance phenomenon.
The BNA also said it has “taken action” against several offers of such devices on the internet. The watches were typically marketed as suitable for children between the ages of 5 and 12, it said.
“There is a shocking lack of regulation of the ‘internet of things,’ which allows lax manufacturers to sell us dangerously insecure smart products,” Pen Test Partners security expert Ken Munro told the BBC. “Using privacy regulation to ban such devices is a game-changer, stopping these manufacturers playing fast and loose with our kids’ security.”
Only a month ago, the Norwegian Consumer Council was also warning about the dangers of kids’ smartwatches, though in that case the focus was also on their terrible security.
The Norwegian agency commissioned IT security firm Mnemonic to provide a technical report on four smartwatches sold in the country. Three of them had critical security flaws, two of which would allow a potential attacker to hijack the apps on the device, “thus gaining access to children’s real-time and historical location and personal details, as well as even enabling them to contact the children directly, all without the parents’ knowledge.”
Then there’s the matter of the devices sending personal data to North American and East Asian servers without encryption. And, the Norwegian Consumer Council noted, there’s this phenomenon of watches that can be used as silent environmental bugs.
As the council said:
“Devices that use the Internet to allow real-time location tracking of, and direct communication with, young children, and which store names, photos and continuous and historic geolocation data, should have strong safeguards in place. This entails not only a high level of security to avoid unwanted access, but also a robust framework to ensure that data protection laws and the privacy rights of children are respected and upheld. Three out of the four watches that were analyzed fall short in both respects.”
It’s all very reminiscent of security researcher Troy Hunt’s recent post about what warning labels on internet of things devices might look like – in particular, the one about the CloudPets app-connected toys that should have notified consumers: “This is a listening device for children. You acknowledge and agree that your child’s intimate voice recordings may be placed in an unsecured Amazon S3 bucket and the MongoDB behind the app may be publicly facing without a password.” Very witty, and totally true.
But when it comes to internet of things devices for children, there is perhaps a moral element to this story too. Leaving aside the security problems and the illegality of bugging kids, parents should not be raising their offspring to see constant surveillance as part of everyday life. Privacy is something that should be nurtured and protected, in the face of continuous assaults from other aspects of our modern world. We should not be normalizing surveillance.
Ultimately, when a place has strong privacy principles, as is the case not only in Germany but across the EU, the law provides the means for regulators to keep a check on these fast-evolving markets. It is good to see them upholding those principles in a way that could help protect the next generation.