Keeping your kids safe on the Internet used to be as simple as installing SafeSearch and keeping the computer in the living room. Not anymore.
Much like their adult counterparts, a new wave of “kid-friendly” tablets and apps ensures that children are sharing their personal data on the Internet in more ways than ever before. Full names. Birthdays. Home addresses. Photos.
While the digital footprints of children are generally smaller, they are no less susceptible to being traced. VTech, a maker of a popular kid’s tablet that allows messaging to a parent’s smartphone, was hacked in November, exposing the personal information of roughly 6.4 million children. Luckily, the hacker’s motives appear to be experimental; he told Motherboard that he doesn’t wish to publish or sell the information. “Frankly, it makes me sick that I was able to get all this stuff,” said the hacker.
But child online-safety advocates and cybersecurity experts say the VTech incident raises serious questions about how much damage a large-scale breach of children’s data could bring. Ryan Anderson of UT-Austin’s Center for Identity called the VTech breach “alarming” because it could have enabled someone to pinpoint a child’s exact location or address. With the exception of the OPM breach and Ashley Madison hack, many high-profile data breaches involved the theft of financial information, such as in the cases of Target and Bank of America.
“The thought of a data breach leading to an increased danger of physical harm is terrifying,” Anderson told The Daily Dot, “and represents something of a departure from previous mega-breaches.”
Steven Weisman, an attorney and professor at Bentley University who specializes in online scams and identity theft, detailed why the theft of children’s data in the VTech hack is a particularly serious security threat on his blog, Spamicide:
“Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud. Spear phishing using this information, whereby malware containing emails could be made to appear legitimate, pose a real threat to the victims of this data breach.”
While there’s little evidence that the weak cybersecurity protections at VTech is industry-wide, it’s a stark reminder of how much personal information on minors is available online, with or without a parent’s consent. As time goes on, the issue of protecting all personal data, not just that of children, will become harder as it becomes easier to share. Alan Simpson of iKeepSafe, a coalition of non-profits focused on child safety and technology, told the Daily Dot that protecting children’s personal data online was “definitely getting more complicated.”
“Today’s kids are growing up in this world, and it’s very natural for them,” said Simpson. “They will use apps, devices, websites, and phones that are built on sharing data and sharing information.”
While Simpson vetoed the idea of banning kid’s tech all together (“The world is only going to get more digital.”), he said parents should view the VTech incident as a reminder to look closely at “kids-safe” products from tablets to phones to specific apps. He also advised limiting the time your children spend on devices. The American Academy of Pediatrics suggests that children between the ages of 2-18 years old be limited to two hours of screen time per day, and that tykes younger than 2 years old should be banned from devices altogether.
Thing is, many parents fail to heed that advice.
The percentage of kids 8 and under using mobile devices almost doubled between 2012 and 2014, according to a report by San Francisco non-profit Common Sense Media. A study commissioned by the Federal Trade Commission released in September found that only 45 percent of apps for kids had a direct link to a privacy policy that clearly told parents what information was being collected and whether it was being shared with third-parties.
Most apps for kids are games or educational apps, and the market is thriving. While a high-priced app for adults may not do so well, developers have found that parents are willing to shell out $4.99 or more to keep their offspring occupied. Along with parent’s credit card information, many apps for kids track online behavior, location, and purchase preferences.
Meanwhile, websites for kids, even though many have been around for longer than apps, don’t fare much better as far as privacy. A worldwide study of 1, 494 children’s websites by Global Privacy Enforcement Network found that 67 percent of children’s websites ask for some type of personal information, and less than a quarter ask for parental involvement. A total of 41 percent of the children’s sites studied made researchers “feeling uncomfortable” about how the data would be used, and 51 percent indicated the information would be shared with third parties.
The Daily Dot spoke to experts on child tech privacy to hone in on how parents can keep their child’s personal information safe on the Internet:
1) Talk to your child about privacy on the Internet
A frank discussion with your child about protecting their privacy on the Internet can be more effective than all the parental controls in the world.
Do your kids understand what kind of personal information is not safe to give away on the Internet, and why? Warn your child against disclosing their full name, location, gender, age, or other personal details online, including when chatting with strangers. Anderson from the Center for Identity said kids could be “the weakest line of defense” in a family’s cybersecurity perimeter, and he advised making kids a part of any solution. The Center for Identity’s Beat the Thief online game teaches children ages 8 and up what kind of personal information can be safe to share online. Common Sense Media also has a handy video on how kids can develop a healthy online identity.
2) Read privacy policies carefully
Most apps for kids on the iTunes store or Google Play should have a direct link to the app’s privacy policy. The app’s privacy policy should detail what personal type of information the app collects and whether they share with third parties. Does the app allow your child to chat with other users? Does the app track your child’s location or user behavior? Under a law known as the Children’s Online Privacy Protection rule, apps and websites need to ask parent’s permission first before collecting, using, or disclosing the personal information of children under the age of 13 years old.
3) Keep track of any new apps or websites
Rather than letting children have free reign over the iTunes store to download whatever they want, keep an eye on the products they use. Both iTunes and Google Play have parental features that allow you to restrict in-app purchases or the downloading of new apps. Read the app’s reviews and stick with those that have a long history of good ratings. If your children are young, keep an eye out for kid’s apps that require location tracking or post to social media.
Ask your kids about what websites they use at home or school. If they’re active on online forums, be sure to know which ones. Ask if they have any friends they chat with online, and keep tabs of any regular names that pop up.
4) Ask kids to use avatars instead of personal photos
If your child is under the age of 13 years old (some parents may set this threshold even older), warn them against using their personal likeness online. Instead, ask your child to use an avatar when signing up for a new game, app, or online forum. Avatars are a kid-friendly and fun way for children to express their personality online without revealing their physical identity. A couple of good destinations for avatars include WeeMee and Mini-Mizer.
5) Look for FTC’s “Safe Harbor” COPPA seal of compliance
When shopping around for new gadgets for your child, look for a seal or some other indication that the product is compliant with the FTC’s Child Online Privacy Protection Act (COPPA) standards. What might make this confusing is that FTC itself does not review products for COPPA compliance. Instead, the agency authorizes a variety of independent reviewers to review each gadget to make sure it aligns with COPPA standards. Here are some companies that FTC has given permission to act as “safe harbors:”
- TRUSTe Child Privacy Certification
- Entertainment Software Ratings Board
- iKeepSafe
- Privo
- Aristotle, Inc
- kidSAFE®
Common Sense Media rates and reviews children’s apps for age-appropriateness and other features. The non-profit’s list of recommended apps for kids and websites for kids is a great place to start.
6) Be careful about posting pictures of your children on social media
You’d be hard-pressed to find a parent who won’t share photos of their kids on Facebook, but try to be selective about the photos you share. Information such as your child’s full name, date, and location of birth can make them a target for identity theft. Consider changing your preferences so you’re only sharing Junior’s shots with the closest family and friends. Many parents opt to share photos of their children without tagging them or including their full name in photos. Avoid tagging companies on Instagram posts with your children, as some companies will see that as permission to re-post on their accounts.
Photo via MIKI Yoshihito/Flickr (CC BY 2.0)