Why Mozilla’s CloudPets Victory Is Hollow

The connected toy war is far from over

Mozilla threatened to petition retailers over this discontinued toy. Cloudpets
Headshot of Lisa Lacy

After claiming it planned to petition Amazon for the second time in as many months in the name of children’s privacy, software community Mozilla has once again been charmed by sweet nothings from the ecommerce giant and scrapped its missive.

Last month, the company aimed, but did not pull the trigger, at Amazon’s Echo Dot for Kids. Mozilla’s target this go-round? CloudPets, an internet-connected stuffed animal toy, which calls itself “a message you can hug.” These cuddly messages-you-can-hug were discontinued at some point after a 2017 data breach.

Retailers Walmart and Target were also named in the petition-that-never-was. They have since pulled CloudPets from their websites. In Walmart’s case, however, this amounted to deleting a single listing for a unicorn. Neither retailer responded to a request for comment.

As of June 5, about 20 listings for CloudPets remained from resellers on Amazon, but because of “Amazon reaching out to Mozilla,” a rep for the software community said it was not going public with its campaign. And, by the end of the day, those listings were gone.

“Mozilla views this behind-the-scenes progress as a win for consumers—one less unsecure toy is on shelves,” the rep added.

Josh Golin, executive director for the Campaign for a Commercial-Free Childhood (CCFC), which was one of the organizations listed alongside Mozilla in the petition, said the strategy for CloudPets is similar to the one for My Friend Cayla, a connected doll that claims to be the “smartest friend you will ever have” and who was banned by the German federal network agency Bundesnetzagentur in February 2017 because she could be used as a surveillance device.

Golin said U.S. retailers pulled My Friend Cayla because of pressure. (The My Friend Cayla website lists Walmart as a U.S. retailer selling the doll, but it does not appear on Walmart.com. My Friend Cayla did not respond to a request for comment.)

On its website, CloudPets says its products have “built-in security” and parents choose who can send messages—and they can approve every message. However, from Christmas 2016 through the first week of 2017, the aforementioned data breach exposed email addresses, usernames and passwords. In response, CloudPets said it required all app users to reset their passwords and it was implementing new password security requirements.

About a year later, Mozilla said it had cybersecurity research firm Cure53 conduct “a thorough security audit” and it uncovered three additional vulnerabilities: the app points users to MyCloudPets.com for help and this domain is for sale and could be purchased by any yahoo on the internet; strangers can connect to CloudPets via Bluetooth without authentication; and firmware is installed without verification, which could allow someone to deploy custom firmware or modify the existing firmware.

Mozilla and CCFC’s hearts may be in the right place, but it seems as if it is tilting at windmills.

There are elements of the petition that simply defy logic. For example, Mozilla, CCFC and 10 other organizations intended to demand retailers stop selling the discontinued toy “until the flaws are fixed.”

Yet the company that manufactured it, Spiral Toys, is no longer in business. Spiral Toys does not have an active website. Its stock is trading at $0.00. And while Spiral Toys may arguably have a moral obligation to fix these flaws for consumers who have already purchased the toy, that’s not to say it will. And it’s unclear who Mozilla and Co. thought would fix these flaws in Spiral Toys’ absence.

And, quite frankly, their efforts might be better served addressing the needs of parents who don’t know what to do with these privacy-compromising animals.

In fact, a rep for CloudPets said: “CloudPets brand has been discontinued and no more units are being sold directly by the brand. We only provide technical support for the units in the field which will also end this year.” The rep did not respond to additional questions.

And as for why the petition about Echo Dot for kids was dropped while it still intended to pursue a petition against CloudPets, Ashley Boyd, Mozilla’s vice president of advocacy, said on Monday that the vulnerabilities in the latter were “more significant.”

Boyd said Mozilla is “in continued conversations” with Amazon over its Echo Dot for kids and ways to create better information for parents. Its primary focus is on getting more consumer information about data collection, storage and use and Boyd said she’d love to get to a place where manufacturers provide information about data in an easy-to-understand format like a nutrition label. Now she’s on to something.

"It’s a challenging time for retailers. The technology is changing so quickly—it’s hard for them to keep on top of products that might be of concern."
Ashley Boyd, Mozilla’s vice president of advocacy

@lisalacy lisa.lacy@adweek.com Lisa Lacy is a senior writer at Adweek, where she focuses on retail and the growing reach of Amazon.