AUT academic Nicole Girvan has done a lot of research into smart toys. But it can all be distilled into one line.
"They have some benefits, but no advantage that outweighs the potential risk," she says.
A smart toy looks like a standard play object. It could be anything from a teddy bear, racing car or doll to an activity tracker/step counter or watch.
But it has some form of internet connectivity, such as Wi-Fi or Bluetooth.
And it will also contain embedded sensors, which may record voice, take images and video, detect user location and perform speech recognition. Information from sensors can be stored in the cloud (data centres, usually off-shore).
"A look in any toy store or online toy sales will show a growing range of smart toys, from cute teddy bears and dolls targeted at preschoolers, to higher tech toys targeted at older primary school students. Activity trackers and watches are other categories with considerable connectivity that are becoming increasingly popular," Girvan says.
The researcher says risks from poorly designed smart toys include:
• Child identity theft – this may not be discovered for many years after the data is stolen
• Location tracking – exposes children to risks, particularly in families with custody issues. A German regulator has banned the sale of smartwatches aimed at children, describing them as spying devices.
• Data misuse – due to information being sold to unauthorised parties or used for purposes outside of the smart toy environment
Over the past couple of years, there have been multiple scandals involving smart toys with poorly-designed security that makes it easy for hackers to intercept or steal data - or set up a smart toy to covertly record a child.
Some are cheap knock-offs, but many have been name brands. As soon as security issues are patched with one product, another hits the news for shoddy security as price competition and the push for user-friendliness often win out over safeguards.
Girvan was top student in her Master of Information Security and Digital Forensics (MISDF) cohort, and began a doctorate this year. Her tertiary studies are on top of a career as an analyst at Southern Cross, 2degrees and Incident Response Solutions.
She stresses she wants to raise general awareness rather than target individual brands.
But Girvan says the following are all examples of smart toys whose security has been found lacking by regulators and/or her own testing.
• Kurio Watch 2.0
• Air Hogs FPV High Speed Race Car
• Furby Connect (Hasbro)
• R2-D2 Droid (Sphero)
• FurReal StarLily Unicorn
• Hello Barbie (Mattel)
• CogniToys Dino
• Toy-Fi Teddy
• My Friend Cayla (Genesis Toys)
Some, like the Furby Connect app for Hasbro's Furby or Mattel's Hello Barbie, have now been discontinued - but they illustrate that even the top-tier multinationals have a patchy record.
And others have been banned in NZ but are freely available on the likes of Amazon.
Girvan says if your heart is set on buying a smart toy, do your research. Search for its name online, and see if it has been involved in any privacy scandals.
"Be prepared to spend time educating yourself."
She also recommends you follow "basic security hygiene". If a toy uses Wi-Fi, for example, change its default password to something hard to guess. If it uses Bluetooth, switch off that wireless internet function when it's not being used.
Only let a child use a smart toy when they're in the same room as you and, in age-appropriate fashion, let them know some of the privacy risks.
Be suspicious of any toy that asks for detailed information about a child, Girvan says. The manufacturer doesn't need to know, apart from marketing purposes. And the more information that's shared, the worse a case of identity theft can be in the event of a security breach.
Girvan says a child's identity can sell for more than an adult's on the black market, because it can be years before a minor realises that their stolen details have been misused.
She adds that a key problem is that, "there's no simple way for a parent to determine security controls, such as which version of Bluetooth a toy is using" (the more recent, the better). "Even for me as a security researcher, it's hard."
If that all sounds like too much hard work, then just give smart toys a swerve, Girvan says.
The trouble is, a survey she carried out on 400 caregivers found many weren't fully aware of the problems.
"My research also showed that although consumers who buy these types of toys are primarily women – mums, aunties, grandmas – their level of understanding of the risks is particularly low."
And those who did have security concerns were over-confident about Crown oversight that in reality is, today, quite limited.
"My research identified a lack of awareness of the risks and an over-optimistic faith in the degree of protection offered by New Zealand privacy law," she says.
Privacy Commissioner John Edwards has issued a number of warnings about the often weak security in the so-called "internet of things", which includes smart toys, but until now he's had limited power to crack down.
The good news is that a sweeping update to the Privacy Act was passed earlier this month and will come into force on December 1.
"Then, we'll have many of the protections that many parents think we do today," Girvan says.
She name-checks key provisions such as a new requirement for mandatory data-breach disclosure, and the new Privacy Act's principle of extra-territoriality - meaning any company that sells to Kiwis is subject to our privacy law, whether it has a physical presence here or not. The new Privacy Act also makes it a criminal offence to ignore directives from the Privacy Commissioner.
More to be done
Despite the incoming provisions, the new privacy legislation is based around a broad set of principles. It's not designed to label Furbies - leaving a gap for more prescriptive action.
"The toy market is self-regulated, which has worked in the sense that toys which have been banned overseas aren't sold here. But there's not enough done by retailers to ensure their customers understand that the toys are connecting and transmitting data, often over unsecured networks," Girvan says.
"Buyer beware is fine in principle, but for these toys, the potential risks are great and could extend far into the future, so more needs to be done."
Today, children's toys carry physical safety ratings. She wants an easy-to-understand digital safety rating added, too.
Consumer pressure will be the key driver, she says.
So if you're not happy with the murky communication from many smart toymakers, keep your wallet in your pocket - or spend your money on an offline toy.