What the Barbie movie won’t tell you about Barbie’s past data privacy issues

Barbie has endured as a childhood mainstay for generations. The doll’s voluminous hair, sparking eyes and effortless smile have long been a nonnegotiable in toy store inventories. The childhood phenomenon is coming to life in theaters, with the live action Barbie movie hitting the big screen July 21st. 

Despite Barbie’s status as a plastic and fantastic icon, she’s not without her darker history. In 2015, Mattel launched Hello Barbie – a toy that was nothing short of a privacy nightmare.

What was Hello Barbie?

Hello Barbie was an interactive, internet-connected version of the iconic doll. With an unwavering smile and a press of her belt buckle, she would hold conversations with children using speech recognition software similar to Siri or Alexa.

Hello Barbie included a microphone and WiFi connection, enabling her to transmit recordings of a child’s speech to outside servers maintained by a third party company, ToyTalk. That company’s artificial intelligence software would analyze the content of the recording and select an appropriate response from a database of thousands of lines of dialogue. The company would then prompt Barbie to respond. She also had a memory function, allowing her to recall details a child had shared with her in previous conversations. 

Ultimately, Hello Barbie had some troubling flaws that got her pulled from store shelves. 

Hello Barbie was easy to hack

Hello Barbie had major security bugs. Using the doll’s ability to connect to WiFi, hackers could gain access to the doll’s stored audio files and even take over her microphone, potentially allowing a bad actor to speak directly to a child through Barbie. Moreover, direct WiFi access gave hackers access to other devices connected to the same network. In one fell swoop, Hello Barbie could leave an entire household’s devices exposed and at risk of their information being stolen without them knowing.

Even worse, hackers had multiple ways to corrupt Hello Barbie. In addition to accessing a home WiFi network, bad actors could also trick the doll into connecting to a rouge hotspot, which would also enable direct communication with a child on the other end.

Hello Barbie collected lots of information from children

Any toy designed to have conversations with kids comes with unique dangers. Of all smart toys, ones that have free-flowing conversations with a child can lead to excessive data collection. Children likely come to view the toy as a trusted friend, and may unwittingly disclose a lot of personal information in the course of conversations, not realizing behind the toy are companies are doing the listening and the talking.

Hello Barbie asked her playmates lots of personal questions. She’d inquire about children’s likes and dislikes, about family members and their interests, including what kinds of movies and video games they liked, and asked children to keep a dream journal with her. All of the information kids volunteered was stored on the servers of tech startup ToyTalk. Children’s recordings were considered the intellectual property of both ToyTalk and Mattel. What kids told Barbie could even be used later for marketing. 

Barbie is far from the only smart toy to store and use information kids provide about themselves. Our 2022 investigation found a similar problem with the Alexa-enabled Fuzzible Friends stuffed animal. The manufacturer of the software that brought the Fuzzible Friend to life stated in its privacy policy that it could receive transcripts of a child’s interactions with the toy. Some parents who had purchased the toy didn’t know this and were understandably concerned.

Some advocates like Fairplay have also raised concerns about conversational smart toys building emotional connections with children. Talking toys have the potential to gain children’s trust in a different way than your average teddy bear. They often appear to have their own personalities and to be active listeners. Barbie could even store personal details shared by a child and bring them up as conversation starters weeks later, creating an illusion of a human being with a functioning memory. Some researchers have argued that Barbie’s asking for details of a child’s life were designed to deepen kids’ emotional relationship not only with the toy, but with the Barbie brand overall. 

What happened to Hello Barbie?

After facing public backlash for her privacy and security issues, Mattel discontinued the doll in 2017. But she remains an important reminder of the dangers of web-enabled smart toys.

The risks of smart toys  

Hello Barbie is just one example of electronic toys that have become increasingly popular. Our 2022 report looked at the dangers associated with these high-tech kid’s products. 

These threats include toys with WiFi connection that can have similar hacking vulnerabilities as Hello Barbie. Electronic toys of all kinds can collect vast amounts of data, including a child’s location and age. The more data companies collect and keep on servers, the more likely that data will be compromised in a breach or hack. Data breaches can cause serious harm to children and adults alike, impacting people’s financial health in the long-term.

Before you buy a smart toy

Before buying the next hot tech toy for your child, you’ll want to do your research. We’ve got a guide about how to make smart decisions about smart toys. It starts with thinking critically about what products truly deserve a place in the privacy of your home.