In this season of gift-giving, permit me to offer some advice: Don't buy your child any toy that connects to the Internet, unless you're comfortable with the possibility that the toy will expose information about your kid to hackers. That's what happened recently when someone broke into a Hong Kong–based toy seller called Vtech and got access to an astonishing amount of information about kids and parents, including photos and chat archives.
Hacker bonus: The “Hello Barbie” doll's Wi-Fi connection reportedly can be hijacked and turned into spying hardware. Makes you want to give little Barbie a hug, doesn't it?
Given the horrendous state of online security these days, I'm tempted to say don't buy anything that connects to the Internet, for your kid or for anyone else, for that matter. But that's no longer feasible if we want to live in the modern world. So I'll qualify that by saying—and this is not necessarily much better—the only devices I'd buy these days that contain an Ethernet port, Wi-Fi and/or Bluetooth are a personal computer, phone, e-reader, router, modem, or media-streaming box.
So-called smart devices (that is, everyday things containing microprocessors, memory and networking capability) are part of the emerging “Internet of Things,” which is shaping up to be as dystopian as even the most pessimistic among us had feared. It's more like the Internet of Ridiculously Insecure Things—gear that invites hackers to a new and (for them) hugely entertaining playground. Already, we've learned about dangerous flaws in everything from hospital medication pumps to cars to baby monitors.
Why does this keep happening? Because many if not most of the companies designing and making these things appear to have little clue about protecting users' privacy, or don't care.
To be perversely fair, the companies writing software for PCs, phones, routers, etc., have also repeatedly demonstrated an inability to protect their users. Malware infests much of what we've been using in the PC and mobile Internet era.
At least the more responsible companies in the PC and mobile businesses have begun to get serious, after long and often shameful records of neglect. But the idea that a toy company will have much of a clue about computer-data security—connected toys contain computers, after all, like so much else of what we use these days—is ludicrous on its face.
The situation is so bad that even the federal government, which has demonstrated epic incompetence in its own security practices, is waking up in a small way. Next week the Department of Homeland Security is holding a meeting in Silicon Valley to ask for ideas from (and dangle money in front of) technology companies, part of an initiative to make the Internet of Things less unsafe.
Not enough people are asking a more fundamental question, however: Why are we connecting everything to the Internet in the first place? The answer seems to be: because we can.
Yes, we can do some great things with “smart” devices—everything from more efficient agriculture to more prosaic practices like controlling lights and heating from outside the home. Wonderful, but can't we build in security rather than bolt it on later? But by most evidence there's far too little of that kind of design thinking in the real world.
I wish we could hit some kind of global pause button on the Internet of Things, at least until there's more reason to trust the companies making this stuff. Since we can't, we have to take control—to the extent we can do so—for ourselves.
The next time I buy a TV, it won't be a “smart TV” that could be turned into Orwell's telescreen. If there's no alternative—and manufacturers seem bent on removing this choice—I'll find a way to physically disable the camera, microphone, and Wi-Fi. And I'll take this approach to everything until I have some reason to believe the industries leaping into these markets give even half a damn about privacy and security. It may be a long wait.