Is Mattel's Talking Barbie Safe For Your Kids?

Later this year, your kids will be able to talk to an interactive Barbie doll that can make jokes and remember your children's favorite foods and hobbies. It sounds fun and harmless, but that very same doll will store those conversations in the cloud, which raises a few questions about the security of the chit-chats your kids will have with Barbie about dinosaurs and pizza.

The upcoming Hello Barbie doll uses technology made by ToyTalk, a company whose interactive apps have been recording the conversations kids have with the apps for years. ToyTalk claims that all the data it gathers from its young users is provided only to parents and, for testing purposes, to the company's own developers.

Should Mom and Dad be worried about the safety of toys and applications that capture what their children say and store it online?

Talking with Toys

In order to get a sense of how Hello Barbie will utilize kids' data, I played around with ToyTalk's SpeakaZoo iOS app, which lets children have conversations with a variety of cartoon animals. Before I could start chatting up a virtual tiger, I had to enter a parent's email address (I used my own) so that ToyTalk could ask for permission to talk to me.

MORE: 10 Simple Tips to Avoid Identity Theft

To use the app, I had to give SpeakaZoo permission to record speech. Once granted, the permission extends to all of ToyTalk's apps. However, the questions that the app asks are innocent enough. For example, an animated tiger asked me if his roar scared me, what I wanted to be when I grew up and what my favorite thing about being a kid was. (I didn't have the heart to tell him I was an adult.)

Once I logged into my ToyTalk account on the Web, I was able to access a full list of recordings, broken down by question. Aside from listening to the clips, I had the ability to share them via Facebook, Twitter or email, or delete them one at a time.

No Opting Out

I found no way, in either the app or the Web settings, by which I could opt out of having my conversations recorded or shared with company developers — it's all or nothing. You can revoke your permissions in the Web interface, but then the app will not launch. We don't know if Hello Barbie's software will work in the same manner, but we've reached out to ToyTalk for comment.

Who Has Access?

The toys' ability to listen to and share conversations is a nice feature for proud parents who want to show off a cute moment recorded by the toy. But how easy is it for this information to end up places where it shouldn't?

"Conversations are stored securely on ToyTalk's server infrastructure," said ToyTalk co-founder and CTO Martin Reddy. Parents "can delete any clips, or even their account, and all their data will be removed from our servers."

The Safety of Speech Apps

When a youngster wants to use a ToyTalk app, parents receive an email that reads as follows: "We use these recordings so your children can talk with our characters. We also use these recordings to share the great stuff your children create with you, and to improve our services and technologies in areas like speech recognition."

ToyTalk's privacy policy is worded very similarly. The policy also mentions that ToyTalk shares recordings with third parties in order to improve speech recognition, that those parties cannot access ToyTalk user accounts and that the parties have agreed to not keep any recordings.

When asked about the benefits of recording kids' conversations, ToyTalk's Reddy said, "We want to give parents the option to be more involved in their child's play experiences. We've found that many parents really enjoy hearing the funny things that their kids have said to the characters in our apps.

MORE: 7 Ways to Lock Down Your Online Privacy

"Ultimately, we believe it's important for parents to be in full control of their child's data," he added.

Adi Kamdar, an activist at the Electronic Frontier Foundation, said he doesn't exactly agree with that last sentiment.

"There's a potential issue around Barbie and ToyTalk recording or deducing potentially sensitive topics that the kids are talking about, things they may not necessarily want their parents to hear," Kamdar said.

"I wouldn't want kids to get too comfortable with the idea of constantly being recorded," Kamdar added.

A Hello Barbie World

When Hello Barbie launches later this year, the Wi-Fi–enabled doll will keep a log of conversations much as ToyTalk's apps do. It will be the first time that ToyTalk's technology will be featured in a major kids' toy. And, based on the popularity of Barbie, the technology could end up being used by millions of youngsters. This makes it more crucial than ever for ToyTalk to keep its software secure.

"Very few parents know about best security practices, nor is it really a factor when buying toys,” Kamdar said. "Because of this, there isn't as much incentive to make sure ToyTalk's files and connections are encrypted, for example, in case of a data breach.

"Their privacy policy does say they take 'reasonable measures' to protect personal information. I'd be curious what those measures are," Kamdar noted.

When I asked ToyTalk's co-founder about those measures, he had a good amount of technical details to share. Reddy said that Hello Barbie connects to the company's servers via a secure Transport Layer Security (TLS) connection, and, according to certification company KidSafe, adheres to the Children's Online Privacy Protection Act. Reddy claims that Hello Barbie never stores any personal information, and only accepts speech when a button on the doll is held down.

"We are very concerned about the privacy and security of Hello Barbie and are very focused on making this a secure experience," Reddy said.

Even with all of these security layers, someone could easily access your kids' conversations simply by acquiring your ToyTalk password. To combat this, Kamdar suggested that ToyTalk might want to utilize two-step authentication for logging into the website.

He added that the company will also have to ensure that the always-online Hello Barbie doesn't get hacked from the server end. The thought of a Barbie doll being programmed to spout nasty things is surely a nightmare for Mattel.

No matter how secure Hello Barbie truly is, it's essential for the toy's makers to send a clear message about how the doll is using kids' data, said Joseph Jerome of the Future of Privacy Forum.

"ToyTalk's current apps provide parents with strong options," said Jerome, "but it will be critical for Mattel to be able to communicate the safety and privacy options in a clear and frank manner."

On the flip side, Kamdar said it's crucial for parents to educate themselves on how these types of toys and apps work.

"Parents should be aware of the privacy and security implications of having their children's voices and behavior recorded by a third party," said Kamdar. "Before using such a toy, they should know exactly how their children's information and voice recordings will be used, and by whom."

Mike Andronico is an Associate Editor at Tom's Guide. Follow Mike @MikeAndronico and on Google+. Follow us @TomsGuide, on Facebook and on Google+

Michael Andronico

Mike Andronico is Senior Writer at CNNUnderscored. He was formerly Managing Editor at Tom's Guide, where he wrote extensively on gaming, as well as running the show on the news front. When not at work, you can usually catch him playing Street Fighter, devouring Twitch streams and trying to convince people that Hawkeye is the best Avenger.