Dragon News

Dragon News

An inside look at the world of Team Cymru. Cybersecurity tools, tips, news and views.




Dragon News

Hello World Meets Hello Barbie

Jenny O'ConnellJenny O'Connell

Who can honestly say they didn’t, at some point in their childhood, wish their toys would come alive? Or at the very least, care for a beloved item as if it already were?

The advancements made in our kids’ playthings certainly indicate a push towards the animated. From Tamagotchi to Furby to Tickle Me Elmo, toys that move, speak, eat, sing and interact with children are a perennial favorite. not to mention dolls that appear to cry or wee (can anyone explain the appeal of those?).

Hello Barbie


Bearing that in mind, Mattel’s latest innovation for Barbie dolls should come as no surprise. ‘Hello Barbie’(due for release this year) will allow children to speak to her by holding down a button to activate a microphone concealed in the doll’s necklace. The child’s statements are recorded, encrypted, and sent via WiFi to servers where it is analysed and a pre-recorded response is selected, a la Siri or Cortana.

Reportedly, Hello Barbie will ‘learn’ facts about a given child, such as whether they have siblings, and what they want to do when they grow up, to make future conversations more realistic. At the very least this indicates that recordings or transcripts of children’s chats with the toy, or key facts therein, may be held for an indeterminate amount of time. The doll itself must presumably be individually identifiable, though how/if the system would handle profiling multiple children from the same device is unclear.


Barbie is no stranger to controversy, and predictably this new functionality is causing some disquiet in certain quarters. A social media campaign dubbed ‘Hell No Barbie’ is underway. The campaign queries whether a doll that simulates a relationship with a child, and speaks to them, could be used to collect marketing information and advertise products in a new and persuasive way.

This isn’t Mattel’s first rodeo

The company is probably extremely keen to avoid a PR gaff. They’ve been quick to promise that the information gathered by Hello Barbie won’t be used for marketing purposes, and parents can delete their child’s conversational records at any time. So that’s all fine then.

Well, perhaps not. This toy raises questions that can’t be ignored, many of which are common to the more general ‘Internet of Things’ argument. For example, if a vulnerability is discovered that could allow an attacker to hijack Barbie, potentially gathering information or playing unauthorised audio, will (indeed, can) the device be patched?

Of course, unlike a networked kettle, there is an obvious additional sensitivity. This item is designed to exist primarily in the hands of children, often when they are not being closely supervised.

Barbie Dream Information Collection Playset

As we’ve discussed before, the three-to-eight year olds of today are growing up in a world where they need to learn how to navigate the dangers of the digital landscape, fast. Parents have historically taught their kids not to talk to strangers, now they’re warning them that not everyone online is who, or what, they seem. Encouraging children to spill their secrets to a talking toy seems to fly in the face of that advice.

Then again, what if children do treat the doll as the friend it’s attempting to emulate? We’re not talking about developmental effects here (that argument is going to keep child psychologists and parents busy for a while), but what if a child confides in Barbie that they are suffering abuse? Or the microphone inadvertently picks up some audio indicating that this is the case? Are, or should, there be any safeguarding mechanisms in place? Has there been any consideration of how to handle requests from law enforcement for the data held?

On the flip side, most children will presumably understand that playing with Barbie is fantasy, in which case, should what they say be relied upon? One can imagine the potentially serious consequences of misinterpreting something a child has said, or taking it out of context. Is it even ethical to monitor the recordings in the first place, given that the child is unlikely to understand the permanency of what they talk about?

On a more practical note

ToyTalk (the third party company providing the companion app and speech processing for Hello Barbie) has published a privacy FAQ, which notes that parents will have the ability to review and delete audio files via the parent account. Broadly speaking, this is probably a good thing. However, accounts get hacked, that’s a fact of modern life. Just thinking about the potential consequences of those audio recordings falling into the wrong hands is enough to make a person’s skin crawl.

The answers to the questions raised above, and many others besides, will no doubt begin to emerge in the fullness of time. As it is, Hello Barbie is coming; it will be up to parents, as ultimate arbiters of their children’s playtime, to consider the issues and act as they see fit.

To draw a positive, a child asking for Hello Barbie this Christmas may be a good opportunity for a conversation around the pros and cons of technology, privacy, and security issues. Hopefully, the first of many.

If you’d like to receive further security related news updates, why not follow Team Cymru on Twitter?

Photo Credit: AP Photo/Mark Lennihan, under Creative Commons