Last week, cybersecurity experts and national media called on parents to boycott – or at least be extremely cautious of – VTech’s electronic toys, in the wake of their newly released terms and conditions of use.
Following the widely reported hacking scandal that took place in November last year, VTech – manufacturers of child-friendly technology products such as tablets and smart-watches – released some revised terms and conditions that, effectively, state that parents must accept and assume responsibility for any future hacks or breaches of privacy that occur during the use of their products.
Unsurprisingly, this announcement sparked something of a backlash, with experts warning against trusting VTech and calling its security priorities into question, and parents expressing frustration and disappointment at the move.
It is not necessarily unusual for companies to revise their terms and conditions in the wake of an incident that’s caused some negative press, and for VTech, this incident was extremely damaging.
The huge data breach they experienced meant that more than 6.3 million child accounts and over 4 million parental accounts on VTech electronic goods were exposed – with perpetrators having access to chat logs, voice recordings and photographs. The hackers accessed VTech customer data on their ‘Learning Lodge’ app store customer database, and gained information including names, email addresses, secret questions and answers, IP and mailing addresses, download history, device passwords, voice recordings and photographs taken by, or sent to, child and parent users.
As a result of this, VTech immediately suspended some of their services during a period of investigation, and have now issued the aforementioned revised terms and conditions relating to the use of their products.
But, what exactly do these terms and conditions mean, and how do they sit against the industry standard?
The terms start out with fairly commonplace inclusions, such as ‘you acknowledge and agree that you assume full responsibility for the use of the site’, and ‘you acknowledge that your use of the site and any software is at your own risk’. These statements seem recognisable and expected – not dissimilar to the mandatory terms and conditions that so often require agreement before using a particular device or service.
However, the sticking point comes in the following statement: ‘you acknowledge and agree that any information you send or receive during your use of the site may not be secure and may be intercepted or later acquired by unauthorised parties’.
This is the clause that has caused uproar.
In making this statement, VTech are committing two serious errors from a consumer perspective – firstly, they are acknowledging a certain likelihood that they may be hacked again (rather than overtly and publicly focussing on making this as near to impossible as they can) and secondly, they are appearing to shift all legal responsibility on to their consumer, ultimately absolving themselves of any blame.
It seems unlikely that parents would willingly ‘acknowledge and agree’ that personal information about their child – including voice recordings and photographs – may be ‘intercepted’ by unauthorised, anonymous parties – and yet this is exactly what they must opt into, should they wish to use VTech products.
VTech have defended these terms, claiming that, while they’ve worked hard to enhance their security in order to safeguard customer information, ‘no company that operates online can provide a 100% guarantee that it won’t be hacked’. They state that, ‘like many online sites’, their Learning Lodge simply recognises that fact by ‘limiting the company’s liability for the acts of third parties such as hackers’.
Whilst it is understandable that VTech is not prepared to provide a cast-iron guarantee that their systems won’t get hacked again, the decision to effectively place responsibility on their customers is not a popular one, and is doing little to re-establish faith in the company’s security competence and dedication to customer data protection.
It seems a bizarre way for any vendor to behave, but is particularly surprising given the severity and sensitive nature of the VTech breach. Rather than quieting customer alarm bells – after all, what parent wouldn’t be concerned that a hacker had accessed their child’s toys and, consequently, photographs – VTech seem focused on removing the potential for the blame to fall to them in the case of a future breach, and, implicitly, seem to be doubting their own capabilities in ensuring their products are made safe and secure for customers.
There is a lesson to be learned in PR here. Had VTech tackled this change in terms and conditions publicly and head on – announcing them, along with an explanation, rather than waiting for them to come to consumers’ attention – the reaction may have been different. Similarly, the timing – so soon after the hack, with it still very much present in customers’ minds – was clunky on their part; had they waited a while, and introduced a revised version of these changes clearly and openly, they might have been better received.
This is the first hack of its kind in the toy industry, and VTech had an opportunity to pave the way as dedicated vendors – unlucky victims of cybercrime – that are more than ever committed to dealing with hacking and security breaches firmly and responsibly.
Instead, their new terms and conditions have inadvertently sent their customer base one clear message: your child’s data is vulnerable – buy our products at your own risk.