Children make excellent intelligence assets. They trust strangers, lack socially-constructed boundaries about what is and is not private, and can be easily manipulated via relatively unsophisticated social engineering. And Mattel may have just created the most perfect spy who ever worked an asset over for information: the humble Barbie doll.
The latest version of Mattel’s Barbie is designed to listen to a child’s voice, transmit that audio via wifi to Mattel computers, and, based on analysis of that audio, generate a reply. Look quickly, and this seems a bit like the outcry that sprang up last month surrounding Samsung’s Smart TVs listening to the conversations users have in their living rooms (a characterization that Samsung disputes). But, as the original article points out, toys are different. Toys are aimed at children, who are not sophisticated about their privacy choices. And anyone who has spent time with a child, or who even has vague recollections of his or her own childhood, knows that children talk to their toys all the time, reveal their secrets, and say things that they would not say to another human being. This is especially likely if the toy is marketed as a “friend” to the child, as Barbie surely is. While the doll’s creators argue that the information collected by the toy will not be used for “marketing or publicity or any of that stuff,” the only things preventing that use are a clickthrough agreement, a thin layer of privacy law, and Mattel’s and ToyTalk’s promise.
The privacy issue at play here is not entirely new. We’ve known for years that strange things happen when the interests of service providers diverge from the interests of their users. For example, individuals use Facebook to connect with family and friends and share photos and links, and Facebook mines the information provided by its users to sell to advertisers. This is not always a bad thing—the economics of the internet as we know it only work because the Googles of the world can convert our digital exhaust into a more valuable form. But it can also lead companies to make some questionable choices about how they treat the sanctity of user information, as when Lenovo installed the Superfish adware on millions of users’ laptops and compromised their entire cryptographic infrastructure, all for a reported $250,000.
This singular Barbie doll highlights a more serious, foundational problem. Most of modern American privacy law relies upon individuals having a fairly sophisticated understanding of how their data might be used. The “notice and choice” model of privacy requires users to read user agreements and click to demonstrate their consent, and our data breach notification laws operate on the theory that individuals will hold companies economically responsible for security breaches. Unfortunately, the more scientific research teaches us about how we handle privacy in the real world, the more it looks like our minds mind are fundamentally, neurobiologically incapable of handling privacy like the law expects us to.
Humans are complicated. We are often irrational, and our decisionmaking processes are challenging under the most straightforward of circumstances. But if you average over a large enough population, we turn out to be just predictable enough to create a model. All of law, economics, sociology, political science, and a host of other disciplines are built upon these models. For example, tort law has its “reasonable person”, and patent law has its individual with “ordinary skill in the art”. But when it comes to modern, American privacy law, the individual it is built to protect seems to be a caricature of a person that only bears a passing resemblance to the real thing.
This is why the world of privacy has seen so much upheaval over the last few decades. The arc of our technology embeds it into more parts of our lives every year, and it becomes more and more personal. As the lines between us and our technology blurs, and as we carry around more sensors that record more of our constantly-shed information (fitness trackers, smart watches, and the like), our privacy calculus also needs to account for larger swaths of human behaviors, including the uniquely complex behaviors of children. Spymaster Barbie is not a one-off complication. She is an advance scout from the future we are rapidly approaching.