Consumer report warns over safety of kids’ smartwatches

A report by an EU consumer watchdog has flagged up myriad problems with smartwatches designed for children, including security flaws, privacy concerns, and risks posed by unreliable features.

Based on the analysis it argues that the core ‘peace of mind’ proposition of GPS smartwatches aimed at kids does not stand up to scrutiny. And that parents should really think twice before shelling out for a kids’ ‘safety’ wearable.

“Any consumer looking for ways to keep their children safe and secure might want to think twice before purchasing a smartwatch as long as the faults outlined in these reports have not been fixed,” writes the Norwegian Consumer Council (NCC) in the report.

Four brands of kids GPS tracker smartwatch and their companion apps for parents to keep tabs on their kids were analyzed for the report: Namely the Gator 2, Tinitell, Viksfjord, and Xplora — all of which are sold in the regulator’s local market, and at least some also in the U.S.

Security problems were identified in three of the apps and devices, according to the report, including two devices with flaws that could allow a potential attacker to take control of the apps — which would then give them access to children’s real-time and historical location and personal details, and could also enable them to contact children directly, without parents’ knowledge.

One of the watches was also found to function as a listening device, with further implications for privacy and security as it could allow a parent or stranger with “some technical knowledge” to audio monitor the surroundings of the child, without any clear indication on the physical watch that this is taking place.

The report also found that several of the devices transmit personal data to servers located in North America and East Asia — in some cases without any encryption in place.

Similar security concerns have been raised about kids’ connected toys in the past, such as CloudPets plush toys and My Friend Cayla dolls.

This summer the FBI issued a consumer notice about Internet connected toys — warning they “could put the privacy and safety of children at risk due to the large amount of personal information that may be unwittingly disclosed”.

But makers of GPS tracker smartwatches for kids are actively marketing their devices at parents as a product for enhancing kids’ safety — so consumers might well have additional reasons to feel aggrieved if these products are not living up to their claims. (Even if the security risks posed by connected kids’ toys are no less problematic).

The report also flags a lack of clarity from the smartwatch makers about how kids’ personal data might be being used — flagging up what it claims are “unclear and/or illegal user terms”, and a lack of compliance with EU data protection legislation.

It also found that core features — such as geofencing to set up alerts if kids stray outside a pre-set zone and SOS buttons — were flakey or non-functional, accusing the device makers of giving parents a false sense of security.

“After testing the four smartwatches and apps, and reading relevant user terms, it seems clear that this is a chaotic and somewhat immature market,” the NCC writes. “As products that are marketed toward parents in order to ease their worries, it is cause for concern that functions such as geofencing and SOS buttons are unreliable or simply do not work.

“The vast variety of products being imported and sold under different names also makes it exceedingly difficult to understand who is responsible for any problems with the devices or apps. The large number of disconcerting and potentially critical technical flaws discovered by Mnemonic further exacerbates these issues.”

In a response to the report, which was published yesterday, one of the device makers, Tinitell, has been quick to seize on its hardware being the only tested brand for which the NCC’s security testers found no “explicit security vulnerabilities”.

Though it does go on to say it has added “small additional information” to its privacy policy after the report queried whether its wording might leave it open for the company to use kids’ data for marketing purposes.

“Customers security and integrity is and has always been the first priority at Tinitell,” it writes. “Tinitell is fully compliant with all required privacy policies, through a detailed external audit, performed by the Swedish Post and Telecom Authority (PTS)… Tinitell puts the security and privacy of our customers first and foremost, as one of the best and safest way for parents and kids to communicate throughout the day, in a simple and secure manner.”

The Swedish startup’s product was also the only tested device found to ask users for consent to T&Cs at the point of registration. Although none of the smartwatches pro-actively asked consumers to consent at the point of any future changes made to terms.

None of the tested products allow users to delete their accounts entirely, either. And only two of the products offered users the ability to delete some data within the apps.

At the time of writing the other device makers could not be reached for comment.