Hacker News
German parents told to destroy Cayla dolls over hacking fears (bbc.com)
113 points by mavdi on Feb 17, 2017 | 68 comments

The headline of the article is misleading. As the article itself mentions at the end, the legal problem with the doll is that it is a concealed listening device, a bug. And the sale and possession of this kind of device is banned in Germany. That it can be too easily hacked only makes the situation worse in practical terms, but the decisive factor is that it is banned by virtue of its design.

What about the Xbox One or whatever similar always-on listening devices?

An Xbox looks like a technical device and it's not unreasonable to assume that it might contain a microphone that is transmitting what it picks up but this is still on the line.

A doll looks like stuffed fabric and it would never occur to me that it might contain a microphone that's sending what I'm saying in the room.

But now it does (occur to you that dolls can have hidden microphones).

I also wouldn't expect a TV to have a microphone, but smart TVs proved me wrong.

This isn't really about what logically makes sense to you personally, Germanier just explains how the law is currently interpreted.

Yes, the law prohibits owning "transmitting equipment which, by its form, purports to be another object or is disguised under an object of daily use and, due to such circumstances, is particularly suitable for intercepting the non-publicly spoken words of another person without their detection". Neither Smart TVs nor Xboxes claim to be something they are not.

From what I see, the doll also doesn't hide how it works, exactly like the "listening" TV: nobody would have expected that the TV would listen and send somewhere "the non-publicly spoken words" just a decade ago, and as far as I know, there are now such on the market, probably also in Germany. Then such a TV could be also considered a "clandestine listening device." If it's "does it have a manual that says it does that" both the TV and the doll have it. It's the matter of what is considered "normal." The specific quote you provide doesn't make the difference that makes the doll less legal than the TV. But maybe there's something clearer?

The FAQ pdf of the doll:


"Do I need an internet connection to play with Cayla?

An internet connection will be required to download the free app which unlocks all of the fun things which Cayla can do. Some functions, such as searching for information on the internet (famous people, places, time, weather, etc), require an internet connection. Cayla can do lots offline, like having conversations, playing games, reading stories, and exploring her photo album. In fact, most of the interactive play requires no internet connection at all."

I agree that it's not clearly stated that it's the recording of the voice that gets transmitted somewhere. But it's obvious that something is transmitted. Somebody can compare with the manuals of the "listening" TVs.

The site of the doll:


"Ask Cayla Questions -- ONLINE"

"Play games like noughts and crosses together -- Offline"

See my other post here for more technical details.

There is not a clearer quote because that's all there is. The specifics are up to interpretation in every situation. It's not about the packaging or manual – hopefully any clandestine listening device tells you that it is one on the box. It's about the device itself.

Assume you are a visitor somewhere, back at the time when smart TVs were still new and uncommon. You see two things in a room: A regular-looking doll and a TV. A doll is made out of fabric, so a doll cannot transmit your voice. A TV is – that's known to any layperson – a complex technological object that does a lot of stuff with electronics. It's not absolutely far-fetched to assume a probability that it contains a microphone. That's the difference in the eyes of the law. The "smart doll" is in fact not a doll but a microphone-speaker-device concealed in a doll. The TV does not conceal anything, it's just "electronicy" looking.

I've never heard of anybody arguing that Smart TVs fall under that law even when they were new.

This is a load of bollocks and a failure of Germans to follow their own law.

I am certain that a common person does not expect a TV to be equipped with a microphone transmitter. This is not a function of a TV.

That it has been somehow overlooked does not make it right.

I believe they're not considered to be concealed, since idk, the packaging says so. Reading another comment which says it's a bluetooth speaker, so maybe the ability to listen was never reported to the consumer, which would make it a concealed listening device.

According to the article, it answers questions (using Google). I haven't seen one, but I'd expect the microphone to be featured.

What's interesting about this is that Cayla is just a bluetooth speaker. The accompanying Android app is what people have been modifying, not remotely but locally. I think the entire thing has been blown out of proportion. Give anyone physical access to your device and they can do a lot worse than make a bluetooth speaker say some offensive words...

If it can answer questions, then there must be a mic somewhere. And if it's always on and its data can be sniffed, the doll effectively becomes a bug, open to everyone who wants to listen.

AFAIK there is no mic in the doll, you cannot get responses from the internet without the smart device app, you technically talk into your phone/tablet, not the doll.

In the text on Netzpolitik linked in the BBC article, it says the doll has a microphone.

>Jedes bluetoothfähige Gerät in Reichweite von etwa zehn Metern kann eine Verbindung zu ihr [der Puppe] aufbauen und Lautsprecher und Mikrofon nutzen. In einem Versuch hatte ich auch über mehrere Wände hindurch auf die Puppe Zugriff.

Google Translate: Each bluetooth capable device within a range of about ten meters can connect to it [the doll] and use speakers and microphone. In an attempt I had access to the doll over several walls.

Off topic: Google translate is getting really good.

Sounds more like the doll is akin to a Bluetooth headset. It's got a mic, a speaker, and a BT transmitter which provides i/o to a mobile application running on a smartphone or tablet (much the way a Bluetooth headset would operate with a phone).

The mobile application does any local processing and handles queries to remote servers and such.

The doll is not illegal because it can be hacked, it is illegal because it is considered a clandestine monitoring device. And the possession of those is illegal.

> Germany has strict privacy laws to protect against surveillance. In the 20th Century Germans experienced abusive surveillance by the state - in Nazi Germany and communist East Germany.

Do these laws apply to the state?

No. There is a so-called BND law (BND := Federal Intelligence Service) that is aligned to the practices of the German intelligence service.[1]

[1] https://netzpolitik.org/2016/das-neue-bnd-gesetz-alles-was-d...

True, but not the same as "privacy laws don't apply to the state".

In general, yes.

For example, there is currently a commission which investigates the "NSA Affair". Just yesterday, chancellor Merkel was questioned for hours.

Good German news about NSA-UA: https://netzpolitik.org/tag/nsa-ua/

Yeah it's getting investigated, but it's not looking like there will be any consequences.

I agree. However, can you imagine that the US president having to sit down and answer questions for hours? The situation in Germany is better than in the US and probably most other countries.

It is also depressing that they were unable to invite Snowden.

It is very well possible that the German chancellor Merkel worked for the former East German State security under the name "IM Erika". There once was a very compromising picture of her on the internet, showing her in front of a house of a former "dissident". Possibly doing "observation" work.

This definitely needs a citation. It sounds like internet conspiracy theory trash. Wikipedia seems to have no mention of this either.

I am especially amused by the claim that at one point there was a compromising picture on the internet, as if there is a viable way to eliminate such a thing from continued existence on the internet.

"I am especially amused by the claim that at one point there was a compromising picture on the internet, as if there is a viable way to eliminate such a thing from continued existence on the internet."

Surprisingly, you are right. https://antilobby.files.wordpress.com/2013/05/merkel_im.jpg

As far as I remember, the picture was discovered by a government founded TV station.

There was a report and the picture was shown (I've seen it!) in a Swiss magazine. The website does not work anymore: http://schweizmagazin.ch/news/336/ARTICLE/4283/2008-05-29.ht...

Ms. Merkel disputed the publication of this image since it would violate her "privacy rights". http://www.spiegel.de/spiegel/vorab/a-377389.html

Otherwise, just google "IM Erika" https://www.google.com/#q=%22im+erika%22+merkel

On a discussion board someone asked if the German chancellor could be blackmailed if someone had this information. Answer from another user: "How? Everybody knows already she was working for the state security..."

My German is really bad but there seems to be little of substance here. One of the first results cites "the internet rumor mill".

I'm not saying it's guaranteed untrue, but it seems without real evidence and therefore without merit.

Spiegel is THE MAJOR German magazine.

Here is a bad English translation of some information: https://antilobby.files.wordpress.com/2012/04/stasi.pdf

This picture in front of Havemann actually IS in the pdf.

1. What was she doing, far in the outskirts of Berlin, in front of the house of this dissident?

2. Why does this picture violate her "privacy rights"? (Which in fact proves that it is her in the picture)

I know what the Spiegel is. That's a story about the supposed picture, though, not a story claiming that Merkel was a security informant.

> What was she doing, far in the outskirts of Berlin, in front of the house of this dissident?

I have no idea. I don't know why being in the outskirts of Berlin seems questionable. Maybe it's odd that she was in front of a dissident's house. Maybe there was a clear reason to be there. Maybe she was going to a pub. I have no clue and don't think this random picture is very interesting by itself.

If you can read German, read this, despite the source: http://www.pravda-tv.com/2013/11/platzt-die-bombe-war-angela...

"I have no idea. I don't know why being in the outskirts of Berlin seems questionable." Because there was nothing to do there. No pubs. No bars. Nothing. And his house was observed around the clock, including by many unofficial state security helpers.

Why does she not say what she was doing there?

Why does the publication of the picture violate her privacy?

It was media from Switzerland that asked the serious questions. Not German media. So what was she doing there? Nothing? Just chance? Take her word for it! She admitted she was requested to become an unofficial state security member but never signed (still was admitted to University). Take her word for it! Her father was a pastor, something that was not liked in the GDR. Still she was allowed to study in the USSR as an exchange student, a huge privilege. Just luck, take her word for it! Later as a scientist she was allowed to visit conferences abroad, again a huge privilege. During the break-up of the GDR she walked "by chance" by the church where all the dissidents met and thought "why not let's have a look?"

Look, do I know that Merkel was working for the Stasi? No. Do I like her? No. But I think there are many serious questions to be asked and basically for all answers we have to take her word.

One thing I wonder. The Russians prefer that Merkel does not stay chancellor. If she worked for the State security it is likely that the Russians have compromising material. We may know before the next elections.

Do you have any reputable source for this allegation?

It is very well possible that this is a conspiracy theory by people who fear democracy.

Democracy is one thing. For example I can be democratic to kill people. The constitution is the tool to prevent this. Merkel is currently breaking the German constitution and EU contracts (e.g. Dublin III)

Sure. That's why you have to always fill out all forms again and again, because previous forms at one office cannot be shared with the office next door (And because their IT sucks).

In all seriousness, as an example, data retention laws are a huge topic in Germany, that have been rejected by courts again and again.

> In all seriousness, as an example, data retention laws are a huge topic in Germany, that have been rejected by courts again and again.

The EU data retention directive was struck down at an EU level by an Irish campaign group https://en.wikipedia.org/wiki/Data_Retention_Directive

Correct me if I am wrong, but I think this law only applies to legal entities.

No, it explicitly also applies to public authorities.

Germans are well read and most are aware of state hypocrisy. The CCC, general public and governmental watchdogs keep a good watch over things. There is some restrained discontent regarding state cooperation with various agencies, and the government is well aware. So they don't push it.

This specific law (which among others prohibits owning such equipment) contains a clause allowing the federal and state governments to issue exceptions. They do this for police. For actually using that equipment one needs to go through another process including legal review.

I can already see the reaction of parents...Alexa/Siri how can I destroy a Cayla doll...let me search the internet for destroy Cayla doll...thank you Alexa/Siri

I doubt Germans use Siri, let alone Alexa, all that much.

For me they are all useless.

Portuguese is usually not supported, and if it is, usually is the Brazilian variant, and I don't feel like playing accents just for making myself understood.

Also I have a multi-cultural life, so something like sending an email to someone usually requires at very least two languages, which those devices don't support.

I have only seen one guy asking Siri a question to this day. Everybody in the room was frowning at that, he never repeated it.

Killing Cortana is one of the first steps of everybody I know who switched to Win10.

Haven't seen an Amazon Echo yet, not even in flats whose owners use a massive amount of home automation gadgets.

- East German

I'm seeing more people get Google Homes and Amazon Echos now compared to when they first came out. It's still a novelty for most people. I was reading a newspaper the other morning at the kitchen counter when I looked over at the Echo my mom got my dad for Valentines Day. I realized I could just ask Alexa for the news but then I wouldn't have the convenience of just skimming headlines. I would have to verbally skip to the next story and that just felt like a lot more effort than continuing to read the paper. We don't have any other home automation devices in the house like the Nest thermostat or any Hues. I feel like if I had a lot more connected devices in the home, then having something like an Echo or some other hub for controlling them would be necessary.

Personal anecdote: I got one free at AWS re:Invent. I use it to play music of my choice (specific songs or playlist categories, which requires a subscription after trial period), set timers ("alexa set timer for 45 minutes"; "alexa how much time is left on the timer?"), do various calculations ("alexa what is 1 plus 1?" -> "1 plus 1 is two, but you already knew that"), and ask what time a nearby business closes ("alexa when does Target close?" yields the closing time of the nearest Target based on the location I have set. If it's closed, it says when it opens next). Other than that, it's mostly just a novelty that I forget about 99% of the time.

My mom got her first smartphone, an iPhone 7 Plus, last Christmas.

She is using Siri a lot.

That and taking videos/pictures of everything :)

I saw an Amazon Echo on a colleague's desktop, still packed up. It felt a bit weird.

It's not really common here and I actually don't know a single person who uses Siri etc. actively. I'm sure it got some attention after it was introduced, but only for the novelty of it.

However, I recently bought a German Amazon Dot device and I think I'll keep it. Right now, its main job is to play music but I also use it for setting timers and to tell me the current time and weather. I've never used other "voice-based assistants" before but I can see the benefits that come with a dedicated device like the Amazon Echo. It's really comfortable if you can control things with your voice, you don't have to get to your PC or smartphone first. I'll probably integrate it with my home automation system to control lighting, and maybe add a media center like Plex/XBMC, too.

Edit: The only thing that bothers me is that the German voice is not as fine-tuned as the English one, and as of now there are not many skills available (built-in as well as third party), so I switched it to English. But guess what - you can't use the English skills unless you port your German Amazon account to amazon.com... the Echo is essentially handled like a Kindle device on the server side, which means you'll lose all your eBooks and music if you switch...

German is one of the 2 languages Alexa supports, so they must use it a little

There are other countries speaking German, that have a different outlook on privacy.

However, as usual there are parts of German society that won't have any issues using stuff like Alexa. "I have nothing to hide" is also a popular way of thinking in Germany, history be damned.

What other countries? Neither Austria nor Switzerland have a much different view on privacy.

I went out of an IT-project targeting Germany, France and Austria with the impression that the view on privacy in Austria is a lot more relaxed, and at least the interpretation of its privacy laws was less strict as well.

Could be a subjective impression, linked to the project and wrong when looking at the bigger society, but at least so far I believed it. I acknowledge that Austria was also part of the streetview hysteria that broke the project over here. Might be a differing indicator.

You would be surprised. Echo was released here quite recently, and adoption, at least in my demographic (webdev) is quite high. I myself have an echo dot which I use mostly to control my lights or annoy my friends with crappy jokes and the occasional easter egg.

I suspect that the kind of people who will destroy a doll over privacy fears will have a device which records everything they say and streams it to a foreign country with nonexistent privacy law (by local standards).

From what I understand, the main problem of the doll is that, as soon as it is turned on, it pairs to the first Bluetooth connection it can? That means, if the child is using it without the parents, they can't know with whom the child communicates.

Once paired, the Internet-dependent functionality is provided by the device and the app with which the doll was paired. The attacks are possible because the hacker can provide his own "server side" handling (the doll being the client).

The doll has a built in microphone and speaker.

It's the app on the mobile phone that connects to the internet and "transcripts" the voice of the questions into something that can be processed by sending it to some servers. The iOS version of the app can do 3000 transcriptions before you have to purchase more.


From what I read, when not paired, the doll is offline but if powered it still "talks" and "listens", just without the processing possible through the app and the servers across the internet and for EU, that's another problem: are the servers in the EU or not, are they doing special treatment of the data as it's known the data are from minors etc.

No, the main problem is that a) it looks like a doll b) it has a microphone c) it can transmit recorded voice. That's enough to make owning that device illegal.

That it transmits the voice of unsuspecting children (who of course also have privacy rights) to who-knows-where is just the icing on the cake.

German parent here. No one is going to destroy anything just because some agency asks for it. That's for sure ;-).

> A spokesman for the federal agency told Sueddeutsche Zeitung daily that Cayla amounted to a "concealed transmitting device", illegal under an article in German telecoms law (in German).

Funny, but when the State does Surveillance, all of a sudden it's OK.

No it is not ok and illegal until a judge gave an order to wiretap a person. Even then, it required an extension of the laws to allow wire tapping of organized criminals within private rooms, which previously was completely forbidden.

> No it is not ok and illegal until a judge gave an order to wiretap a person.

So it's illegal unless the state says so. Who do you think the judge's boss is?

It is not the state, strictly speaking. In Germany, there are 3 pillars of the law. There is the police, which may not wiretap except under very limited conditions - it was a huge political discussion when those exceptions were added to the German law. Before that, wiretapping in private rooms was completely banned. There is the state, which can create laws, by which police have to act and judges judge. These laws can of course change the legality of certain measures, but they are bounded by the constitution, and laws have been voided by the federal court due to being in violation of the constitution. Judges are independent in their role from state and police. While their salary is paid by the state, there is a good reason that judge positions in Germany are for life. Unless the judge commits an actual crime, he cannot be fired. This is to ensure maximal independence.

Nobody? Regarding verdicts there is literally no boss who can say anything about how they do their job (sometimes much to the grief of judges in a higher court).

Or social media companies.

I see the plot for a more realistic "Child's Play" reboot here.
