German parents told to destroy doll that can spy on children

German watchdog classifies My Friend Cayla doll as ‘illegal espionage apparatus’ and says shops and owners could face fines

Jayla, aged four, plays with a My Friend Cayla doll in the Hamleys toy shop in London. Photograph: Rob Stothard/Getty Images

Germany’s telecommunications watchdog has ordered parents to destroy or disable a “smart doll” because the toy can be used to illegally spy on children.

The My Friend Cayla doll, which is manufactured by the US company Genesis Toys and distributed in Europe by Guildford-based Vivid Toy Group, allows children to access the internet via speech recognition software, and to control the toy via an app.

But Germany’s Federal Network Agency announced this week that it classified Cayla as an “illegal espionage apparatus”. As a result, retailers and owners could face fines if they continue to stock it or fail to permanently disable the doll’s wireless connection.

Under German law it is illegal to manufacture, sell or possess surveillance devices disguised as another object. According to some media reports, breaching that law can result in a jail term of up to two years.

The ruling comes after Stefan Hessel, a student at Saarbrücken University, raised concerns about the device, which was voted one of the top 10 toys of the year in 2014 by the German toy trade association.

“Access to the doll is completely unsecured,” Hessel told Saarbrücker Zeitung. “There is no password to protect the connection.”

The student said hackers could access the doll via its Bluetooth connection from a distance of up to 15 meters, listening in on conversations as well as speaking directly to the child playing with it.

The German ruling could potentially have EU-wide consequences for toymakers. The EU’s commissioner for justice, consumers and gender equality, Vera Jourová, said: “I’m worried about the impact of connected dolls on children’s privacy and safety.”

While the monitoring and the enforcement of the data protection rules are the responsibility of the national data protection authorities, the national consumer authorities work together under the Consumer Protection Cooperation network.

The commission is organising a workshop bringing together the consumer authorities and the data protection authorities in March to further discuss the problem with smart toys and appliances.

Vivid Toy Group has not responded to a request for a comment on the German ruling. Previously the company has said examples of hacking were isolated and carried out by specialists, but it was looking into upgrading the app used along with the doll.