Chinese toymaker VTech has become the latest victim of the biggest ever cyber-attack targeting children and their parents, in which private information such as photos, dates of birth and email addresses of 6.5 million children was stolen. Surely, if we are to learn anything from this, it is that the risky practice of gathering and insecurely storing large amounts of what is often verified personal data, along with transaction histories, is no longer a viable option for big organisations, and that a very different approach to security is required. The stolen data also included encrypted passwords, secret question and answer for password retrieval, IP address, mailing address and download history of both parents and children; the loss is devastating for parents and catastrophic for the company. VTech’s experience must serve as a wake-up call for big names such as Disney, Lego, and Activision, who also collect similar types of information from both children (5–15 years of age) and their parents.
No parent wants to think his or her child may become the victim of identity theft as a result of playing an online game. Children are targeted because the crime is usually not detected until the child reaches adulthood and applies for credit, enabling the thief to use the information for many years. Companies can and should do more to better protect children’s and their parents’ data online.
The US Children’s Online Privacy Protection Act (COPPA) requires companies serving children under the age of 13 to get ‘verifiable parental consent’ to process a child’s personal data. In practice, this means that during the registration process, a child is asked to reveal their date of birth, and if this indicates that the child is less than 13 years of age, the child is prompted to provide a parent’s email. This practice is applied globally, which means children in the UK are required to do the same and disclose their date of birth. Alternatively, parents may set up an account for a child, providing the child’s date of birth and their own email. Some of the data that VTech had on its servers was gathered in part to satisfy legal requirements, while other data will have been stored for operational purposes. The VTech case demonstrates the inherent flaws with this approach, which has been in place since 2000.
So, are there better ways to meet these legal requirements while ensuring consumer data is secured? The answer is a resounding yes.
At a recent symposium, privacy, identity and child protection experts came together in London to discuss how best to address these issues. Developers with expertise in identity and attribute verification have developed tools to meet the legal and business requirements of online businesses for more secure ways to handle consumers’ data. These developers have built the APIs and SDKs that enable age-related eligibility checks to be conducted in a privacy-preserving manner that requires minimal data exchange and eradicates the requirement for companies to store large amounts of customers’ personal data.
Age checking that doesn’t require children to divulge their date of birth
So how will this operate?
Age is an attribute of your identity, and the age band into which you belong can be checked independently of your full identity. From a business perspective, the age band to which a user belongs is significant in terms of which content and services that user is, or is not, eligible to either access or purchase online and, in the case of children, whether or not their personal data can be processed. In the UK, a Publicly Accessible Specification 1296 Online Age Checking code of practice is being developed, which will provide a framework and a set of guidelines for online age-related eligibility checking.
The results of the age-related eligibility checks are either true or false. That is, your current age determines which services you are eligible to access and which you are not eligible to access. The eligibility check is therefore a privacy-enhancing Yes/No check rather than one that involves sending around data like date of birth unnecessarily. Eligibility is age-related as it may relate to a single value (“over 18”) or an age range (“between 13 and 17”).
Questions of what standards of evidence could be used to provide the degree of confidence required can draw on existing work in the identity space (including the role of different kinds of credentials to give confidence that the eligibility token is being used by the appropriate individual and hasn’t been sold on for use by ineligible individuals).
Eligibility may be inferred from a variety of data sources that potentially go beyond a (verified) date of birth and, as with identity assurance, there is scope for considerable innovation in this area that draws on novel data sets to support the assurance process. Having completed the age-related eligibility assurance process, an Age-Related Eligibility Assurance (AREA) Token can be issued. Issuing an AREA Token should be a one-off activity (no ongoing “checking”) and there is no reason why a range of different providers could not offer AREA Tokens or why an individual could not use and choose as many different providers as they want.
Edgar Whitley, Privacy and Consumer Advisory Group
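An added example, not code from the symposium or from any provider named in this article, of the Yes/No check and AREA Token described above: the issuer sees the date of birth once, and the relying service receives only a signed age band and a true/false answer. The token layout, the shared HMAC key (a deployment with several independent providers would use public-key signatures), and all names and sample dates are assumptions made for illustration.

```python
import base64
import hashlib
import hmac
import json
from datetime import date

ISSUER_KEY = b"constructed-demo-key"  # assumption: key shared by issuer and relying party
TODAY = date(2015, 12, 1)             # constructed sample data
TEEN_DOB = date(2000, 3, 2)           # aged 15 on TODAY
CHILD_DOB = date(2005, 6, 15)         # aged 10 on TODAY

def b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(payload):
    return b64(hmac.new(ISSUER_KEY, payload.encode(), hashlib.sha256).digest())

def issue_area_token(subject_ref, dob, today, min_age, max_age=None):
    """Issuer: sees the date of birth once, emits only an age band and a yes/no."""
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    eligible = age >= min_age and (max_age is None or age <= max_age)
    claims = {"sub": subject_ref, "band": [min_age, max_age],
              "eligible": eligible, "issued": today.isoformat()}
    payload = b64(json.dumps(claims, sort_keys=True).encode())
    return payload + "." + sign(payload)

def decode_claims(token):
    payload = token.split(".")[0]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_area_token(token, min_age, max_age=None):
    """Relying party: returns True/False and never receives the date of birth."""
    parts = token.split(".")
    if len(parts) != 2:
        return False
    if not hmac.compare_digest(parts[1].encode(), sign(parts[0]).encode()):
        return False  # token was altered or did not come from the issuer
    claims = decode_claims(token)
    # The token answers one question only: eligibility for exactly this band.
    return claims["band"] == [min_age, max_age] and claims["eligible"] is True

if __name__ == "__main__":
    teen = issue_area_token("user-7f3a", TEEN_DOB, TODAY, 13, 17)
    print(decode_claims(teen))  # no date of birth among the claims
    print(check_area_token(teen, 13, 17), check_area_token(teen, 18))
```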
A related issue is meeting the legal requirement to secure parental consent from parents of children below 13 years of age, without harvesting and storing large amounts of data from parents. Interestingly, this week Google is under scrutiny for allegedly not respecting the legal protections that should be afforded to children’s personal data. The Electronic Frontier Foundation (EFF) filed a complaint with the U.S. Federal Trade Commission claiming that Google is using the Chrome laptops it supplies to school children to collect and data mine personal information from the children who use them, in violation of both Google’s promises and FTC rules against deceptive business practices. The pivotal issue here will be around Google ‘knowingly’ data mining in the absence of permission.
EFF found that Google’s “Sync” feature for the Chrome browser is enabled by default on Chromebooks sold to schools. This allows Google to track, store on its servers, and data mine for non-advertising purposes, records of every Internet site students visit, every search term they use, the results they click on, videos they look for and watch on YouTube, and their saved passwords. Google doesn’t first obtain permission from students or their parents and since some schools require students to use Chromebooks, many parents are unable to prevent Google’s data collection.
In many countries around the world, and in particular in the UK, it is a legal requirement that the adult(s) with parental responsibilities for a child attending a school provide the school with accurate contact details. A phone number at which the adult(s) can be reached if a child falls ill and needs to be taken home must be provided. That data is stored by the school and used by companies like GroupCall that serve schools and offer parents the option of using apps through which a parent can, for example, pay for their child’s school trip or top up their lunch money online. These apps illustrate that the technological capability exists to communicate with parents with respect to their child, in a manner that can be mediated much like the age-related eligibility checks, whereby a parent provides a yes/no response to a request for permission to process their child’s data. This removes the need for companies to gather and store large amounts of data with respect to both children and adults while still meeting legal requirements.
Five Recommendations for consideration by UK Government ministers and the UK Council for Child Internet Safety’s (UKCCIS) Executive Board arose from the symposium. One of the recommendations is that socially responsible companies should work collaboratively with privacy, identity and child safety experts and a team of developers to test the scope to deploy solutions that would better protect both children and their parents’ personal data online. A number of companies have expressed a commitment to work together in early 2016 and others are expected to join the initiative.
Google could work collaboratively with other companies that serve children to develop and test a parental permission dashboard that could leverage the technical architecture used by companies like GroupCall. Parents could access the app and set permissions that companies would have to respect. These permission checks would provide companies like VTech and Google with a Yes/No response, thereby removing the need to store large amounts of personally identifiable information that is vulnerable to attack.
As an industry leader, Mind Candy is open to and continuing to explore ways in which we can provide a safe and creative experience for our users – every user, every age. We are fully supportive of the proposal to test the scope for age-related eligibility and parental permission checks to improve family safety and security online. Rebecca Newton, Chief Community & Safety Officer, Mind Candy Inc
The Children’s Charities’ Coalition on Internet Safety (CHIS) welcome efforts designed to test the scope for online age-checking to enhance child safety online. John Carr, online child safety consultant and Secretary of CHIS.
Plans to develop and test the types of approaches described above are underway in the UK and for more information please contact firstname.lastname@example.org
About the author:
Dr. Rachel O’Connell, founder & CEO of TrustElevate.com, is one of the preeminent authorities on electronic identification and age verification. Rachel’s PhD focused on online criminal activity and the implications for investigative strategies. She is the former chief safety officer of BEBO, one of the first mainstream social media platforms, and speaks frequently at technology events on all issues related to online identity, be it age verification or how large technology companies should engage more on child protection issues online.