Sites harvesting kids' data fly under the radar, even for the FTC

Summary: Parents routinely fear creepy online individuals, but creepy online data collection and sales practices are commonplace and rarely exposed, discussed, or considered.

Ask any parent what the greatest dangers to kids online are, and you're likely to hear about scary individuals: the pedophile masquerading as a friend on a social site, game, or virtual world (such as those sensationalized on To Catch a Predator); the bullying schoolmate who taunts online; the inconsiderate, callous, or hormone-addled peer who posts inappropriate pictures or encourages one's little angel to "sext."  Scary companies and commercial interests, however, fall low on the list of concerns, if they appear at all.  In my experience, most adults either don't think about the collection and sale of children's online activity, or accept it as an unavoidable cost of using Web services.

The Federal Trade Commission is a case in point.  The FTC is in charge of review and enforcement of COPPA (the Children's Online Privacy Protection Act), and educates parents about online safety with its Net Cetera site and guide.  Net Cetera talks a lot about keeping kids themselves accountable -- "remind your kids that online actions can reverberate;" "if your kids download copyrighted material, you could get mired in legal issues."  It has some excellent guidelines for talking to kids about communicating and socializing online, and gets credit for telling parents that "your child's personal information is valuable, and you can do a lot to protect it."  But Net Cetera saves its discussion of COPPA and privacy for the guide's final page, and fails to explain tracking with cookies at all (while cookies get a nod in the guide's glossary, its security section highlights viruses, malware, spyware, and, that perennial bogeyman, P2P).  While Net Cetera does tell parents to think about fine-tuning whether and how information can be collected and used --

[C]onsider how much consent you want to give — it's not all or nothing. You might give the company permission to collect some personal information, for example, but not allow them to share that information with others

-- it doesn't address the fact that nothing in COPPA requires sites to negotiate with parents about data collection or use and sale of anonymized data.  The FTC is closer to the mark when it tells parents to read and understand relevant privacy policies, and that "if the policy says there are no limits to what it collects or who gets to see it, there are no limits."

The Wall Street Journal is doing a great job getting the word out that perhaps the spectral online pedophiles, bullies, and sex maniacs are stealing the spotlight from a more stealthy, insidious, and concrete danger:  the routine collection and sale of profiles built from records of online activity.  Its "What They Know" series should be required reading for all, especially parents.  In the series' most recent entry, On the Web, Children Face Intensive Tracking, Steven Stecklow exposes how easy it is to purchase "anonymized" data about teens, and how dodgy even the companies trafficking in such data consider the information.  For example, data exchange firm BlueKai first denied the existence of "teeny bopper" data (kids age 13 to 19) on its service, then, when it became clear a third party was selling such data via BlueKai, removed the data "as a result of the Journal's inquiries."

Having identified this under-reported and underrated problem, what is to be done?  To begin with, I'd like to see those who hold themselves out as trusted sources on the subject of online safety, such as the FTC -- Net Cetera is distributed by our school's PTA -- pay at least as much attention to the dangers of commercial online tracking as they do to, say, the hazards of P2P file sharing.  (While the FCC is currently considering whether to expand COPPA's definition of "personal information" to cover such activity, it has not yet done so.)  The fact that there's no such thing as really anonymized data should also be addressed (see Emily Steel and Julia Angwin, On The Web's Cutting Edge, Anonymity in Name Only and Nate Anderson, "Anonymized" data really isn't -- and here's why not).  And parents need the tools to make the FTC's "it's not all or nothing" vision a reality.  Cue Doc Searls:

Let’s also fix the problem on the users’ end. Because what we really need here are tools by which individuals (including parents) can issue their own global preferences, their own terms of engagement,  their own controls, and their own ends of relationships with companies that serve them.

If you're not yet familiar with Project VRM, and these issues seem as critical to you as they do to me, you should check it out, spread the word, and perhaps get involved.  I for one am looking forward to the day when it is both commonplace and easy for individuals, including parents, to have real control over collection and use of records of online activities.

(Image by Jeff Standen, CC Attribution-2.0)

Topics: Social Enterprise, Legal, Mobility

Denise Howell

About Denise Howell

Denise Howell is an appellate, intellectual property and technology lawyer who enjoys broad industry recognition for her expertise on the intersection of emerging technologies and law.

Talkback

13 comments
  • RE: Sites harvesting kids' data fly under the radar, even for the FTC

    The most profound development that could change how "we the people" interact with markets is Doc Searls VRM project. For it to become reality "we the people" need to support it and usher in a new era of user generated commerce vs. market generated commerce.
    JDeragon
  • RE: Sites harvesting kids' data fly under the radar, even for the FTC

    You and the WSJ make it sound as if something nefarious was up at BlueKai. It was an indexing mistake, easy to make when you handle billions of data points a day. BlueKai never sold any teen data and strongly disciplined the internal party responsible for the mistake. BlueKai never has and never will offer tracking data on children.
    georgehsimpson@...
    • RE: Sites harvesting kids' data fly under the radar, even for the FTC

      @georgehsimpson Thanks for chiming in George, I gather you're BlueKai's PR person and I appreciate the clarification. I didn't mean to suggest BlueKai was up to no good, my understanding is it's merely a marketplace. I'm glad it recognized and rectified the mistake, but the fact the mistake happened at all (and it took a reporter to bring it to BlueKai's attention) is notable. I fear there are other marketplaces that lack your client's compunctions.
      Denise Howell
      • RE: Sites harvesting kids' data fly under the radar, even for the FTC

        @Denise Howell I'd imagine the discipline was mainly for allowing it to leak that the data existed and less so for gathering it. After all, like you said, this guy is either their PR person or a sock-puppet on their payroll.
        snoop0x7b
    • RE: Sites harvesting kids' data fly under the radar, even for the FTC

      @georgehsimpson@... Thank you BlueKai sock puppet! Without you we would never have read your company's official lie about the topic.
      snoop0x7b
  • RE: Sites harvesting kids' data fly under the radar, even for the FTC

    Some clarification from BlueKai: The reason the Lotame data mistakenly made it past our initial filters is because the segment was not listed under a specific age grouping. As a matter of fact - any data that showed a person as under 18 years of age does not enter the BlueKai Exchange. The teeny bopper segment was listed under a category of "modeled segments based on how people read content". When our taxonomist reviewed this segment, they found that it was modeled and that the age of the people in the segment was not known. They contrasted this segment against other data and found that the majority of this group were over 18 years of age, so this data was admitted into the Exchange. Clearly that was poor judgment since BlueKai has a VERY clear policy on rejecting data on kids under 18. Since then, our classification protocol has been updated to "not only reject data with any known age under 18 but also reject data where the name or definition of the segment implies under 18". Thank you for the opportunity to clarify this.
    RowenaToguchi
    • RE: Sites harvesting kids' data fly under the radar, even for the FTC

      We both know that your company lobbies for self regulation in its field. We also both know that reidentification is not hard to do. Lobbying for self regulation is akin to lobbying against accountability.

      If you guys were actually interested in being accountable and solving that problem you would open yourselves up to public scrutiny rather than lobbying against it.
      snoop0x7b
  • privacy policies

    Who reads these? We all are pretty sure we should, but when one of my children used to ask me to help them sign up for using a kids site, who has the minutes or hours required to sit and read, understand and research the implications of every line?

    Is there such thing as a "uniform" privacy policy that companies could use, perhaps a net cetera doc that might also be written so that a person *could* sit down, read and understand it without a library of reference resources at hand?
    zippee
    • RE: Sites harvesting kids' data fly under the radar, even for the FTC

      @zippee As guidelines, I like EFF's Best Practices for Online Service Providers (http://www.eff.org/wp/osp), and its own privacy policy (http://www.eff.org/policy). Would love to hear about others' "best practices" and models.
      Denise Howell
  • RE: Sites harvesting kids' data fly under the radar, even for the FTC

    Thanks for your post on sites that collect data from kids. As you mention, we're currently reviewing the COPPA Rule to determine whether to broaden the definition of "personal information" to include tracking data collected in connection with online behavioral advertising. In the meantime, we're constantly updating our education materials to keep pace with market practices. In fact, here's what we're adding to the next edition of Net Cetera, now with the printer:

    "Do you -- or your kids -- download 'apps' to a phone or social networking page? Downloading may give the app's developers access to personal info that's not even related to the purpose of the app. The developers may share the information they collect with marketers or other companies. Suggest that your kids check the privacy policy and their privacy settings to see what information the app can access. And consider this: Is finding out what flavor ice cream you are really worth sharing the details of your life -- or your children's?"

    Nat Wood
    Assistant Director, Consumer & Business Education
    Bureau of Consumer Protection
    Federal Trade Commission
    NatW
    • RE: Sites harvesting kids' data fly under the radar, even for the FTC

      @NatW Thanks Nat! We'll appreciate the coming update and keep fingers crossed for the COPPA change.
      Denise Howell
  • Thanks, Denise,

    VRM looks intelligent. Hopefully not too much so to be able to fly in today's miasmic commerce-world.

    Often appreciate your columns.

    Regards,
    narr vi
    Narr vi
  • RE: Sites harvesting kids' data fly under the radar, even for the FTC

    Gosh, giving you the perspective of someone who is trying to figure out all the COPPA regs and other laws, and has to pay a $650/hr attorney to try to figure it all out, and still live under the threat of a massive fine if we make one mistake, you get a good feeling for why people just try to avoid kids. But the problem is that kids lie, they have cell phones, they use IM, they swap pictures and music, and they most certainly (sorry Nat, have you even ever watched a dozen 10-year-olds on a computer at a birthday party?) are not going to read anything about how their data is going to be released if they get a free Neopet item, not in the sub-13 year old age group we're talking about. I'm all for protecting kids -- I've got four -- and I'm trying my best, but this article is written with the idea that "Companies should know better..." and I can assure you, even the smartest people can make mistakes. It's not easy trying to be right by the law here because of the vagueness of so many parts of the regulations. It's very expensive to try to figure out at the least.
    dbriere@...