Sites harvesting kids' data fly under the radar, even for the FTC
Ask any parent what are the greatest dangers to kids online, and you're likely to hear about scary individuals: the pedophile masquerading as a friend on a social site, game, or virtual world (such as those sensationalized on To Catch a Predator); the bullying schoolmate who taunts online; the inconsiderate, callous, or hormone-addled peer who posts inappropriate pictures or encourages one's little angel to "sext." Scary companies and commercial interests, however, fall low on the list of concerns, if at all. In my experience, most adults either don't think about the collection and sale of children's online activity, or accept it as an unavoidable cost of using Web services.
The Federal Trade Commission is a case in point. The FTC is in charge of review and enforcement of COPPA (the Children's Online Privacy Protection Act), and educates parents about online safety with its Net Cetera site and guide. Net Cetera talks a lot about keeping kids themselves accountable -- "remind your kids that online actions can reverberate;" "if your kids download copyrighted material, you could get mired in legal issues." It has some excellent guidelines for talking to kids about communicating and socializing online, and gets credit for telling parents that "your child's personal information is valuable, and you can do a lot to protect it." But Net Cetera saves its discussion of COPPA and privacy for the guide's final page, and fails to explain tracking with cookies at all (while cookies get a nod in the guide's glossary, its security section highlights viruses, malware, spyware, and, that perennial bogeyman, P2P). While Net Cetera does tell parents to think about fine-tuning whether and how information can be collected and used --
[C]onsider how much consent you want to give — it's not all or nothing. You might give the company permission to collect some personal information, for example, but not allow them to share that information with others
-- it doesn't address the fact that nothing in COPPA requires sites to negotiate with parents about data collection or use and sale of anonymized data. The FTC is closer to the mark when it tells parents to read and understand relevant privacy policies, and that "if the policy says there are no limits to what it collects or who gets to see it, there are no limits."
The Wall Street Journal is doing a great job getting the word out that perhaps the spectral online pedophiles, bullies, and sex maniacs are stealing the spotlight from a more stealthy, insidious, and concrete danger: the routine collection and sale of profiles built from records of online activity. Its "What They Know" series should be required reading for all, especially parents. In the series' most recent entry, On the Web, Children Face Intensive Tracking, Steven Stecklow exposes how easy it is to to purchase "anonymized" data about teens, and how dodgy even the companies trafficking in such data consider the information. For example, data exchange firm BlueKai first denied the existence of "teeny bopper" data (kids age 13 to 19) on its service, then, when it became clear a third party was selling such data via BlueKai, removed the data "as a result of the Journal's inquiries."
Having identified this both under-reported and underrated problem then, what is to be done? To begin with, I'd like to see those who hold themselves out as trusted sources on the subject of online safety, such as the FTC -- Net Cetera is distributed by our school's PTA -- pay at least as much attention to the dangers of commercial online tracking as they do to, say, the hazards of P2P file sharing. (While the FCC is currently considering whether to expand COPPA's definition of "personal information" to cover such activity, it has not yet done so.) The fact there's no such thing as really anonymized data should also be addressed (see Emily Steel and Julia Angwin, On The Web's Cutting Edge, Anonymity in Name Only and Nate Anderson, "Anonymized" data really isn't -- and here's why not). And parents need the tools to make the FTC's "it's not all or nothing" vision a reality. Cue Doc Searls:
Let’s also fix the problem on the users’ end. Because what we really need here are tools by which individuals (including parents) can issue their own global preferences, their own terms of engagement, their own controls, and their own ends of relationships with companies that serve them.
If you're not yet familiar with Project VRM, and these issues seem as critical to you as they do to me, you should check it out, spread the word, and perhaps get involved. I for one am looking forward to the day when it is both commonplace and easy for individuals, including parents, to have real control over collection and use of records of online activities.
(Image by Jeff Standen, CC Attribution-2.0)