I often rant about poor security in products and how "security wasn't an afterthought, it wasn't thought of at all." Mostly it's about something that is unlikely to effect most of all y'all. This time is different - here are some toys that can endanger children, and I STRONGLY recommend that you do NOT buy these as gifts this holiday season.
While it's somewhat concerning that the doll "phones home" over the Internet for the voice recognition to work, the issue isn't that it's listening in on your kid. Mind you, I find this more than a little creepy, but I remember when there were only 3 TV channels.
The danger is that the doll is Bluetooth enabled, and the Bluetooth is completely unprotected. What this means is that anyone within Bluetooth range (which at 100 yards is actually further than many think) can connect to the doll and start talking to your child as she plays.
Let me say that again - Joe Shmoe in the park across from your house can connect to your little Princess' doll and have a chat. There's a video of this, although they're wrong to call it a "hack". It's simply use of the functionality as it was designed.
Also using the exact same technology with exactly the same flaw is the i-Que robot: this isn't just a threat to little girls.
Unconfirmed reports also include the Barbie Hello Dream House. I don't know whether this is vulnerable to remote Bluetooth access, and it's almost certain that nothing definitive will be published on this before the holidays. Given that I recommend that you don't buy this, either.
This seems to me to be bordering on criminal negligence by the companies involved (certainly My Friend Cayla and i-Que; possibly Mattel). The idea that a child's toy could be released that would allow someone to remotely talk with your child his his or her own bedroom is mind bogglingly stupid.
To reiterate, I strongly recommend that you do NOT buy the My Friend Cayla doll, the i-Que robot, or the Barbie Hello Dream House as gifts due to a grotesquely dangerous security flaw in the toy's design.