Right to privacy: Risks to children on the Internet

If there is any one area of privacy that all members of the IAPP can agree is important, it must be the privacy of our children. As use of the Internet has become widespread and ubiquitous even to the youngest, the privacy of children has greatly diminished. Their information, images, actions, friendships and very lives have gone online, with little regard for the risks involved. In my newly published book,

, I present 10 major categories of risks for children in their interactions with the Internet. Several of these categories revolve around risks to children’s often neglected privacy interests. As stated in a recent court case, privacy interests bisect into “autonomy” privacy—being able to make intimate personal decisions or conducting personal activities without observation or interference—and “informational” privacy, avoiding disclosure or misuse of sensitive or confidential information. Several recent cases and publications provide prominent examples of how the Internet is invading these privacy rights of children as never before. I will discuss five such examples.

The first example of using the Internet to violate the privacy of children is the recent arrest of an ISP operator for the “sextortion” of minors (

). This operator is charged with exploiting sexually explicit videos of the children captured from a supposedly anonymous video chat website. The defendant had met the children through a social media site and befriended them, in a common pattern used by predators to lurk around such sites frequented by youthful visitors, looking for likely children to take advantage of. These predators use techniques to incrementally increase the building of trust with the child, which eventually ends up with demands for new explicit photos or videos and threats of exposure if these demands are not met. According to the complaint, the computer of the defendant had thousands of such images from hundreds of young victims.

The second example of using the Internet to violate the privacy of children is the recent U.S. state enforcement action charging a commercial Internet firm with collecting personal information from children without their parents’ consent (

). In this case, a popular mobile device educational software company is alleged to have collected personal information from children and then to have transmitted that information to third parties, all without the necessary consent of the children’s parents as required under the Children’s Online Privacy Protection Act (COPPA). The children targeted for these products range from toddlers to second-graders who were asked for their first and last names and a photo when registering. In addition to not getting informed consent from parents, the company did not disclose these privacy practices on its website. The U.S. Federal Trade Commission (FTC) has brought over 20 enforcement actions for violations under COPPA, the most recent of which was settled in March 2012 against another firm for collecting children’s information without consent and not providing notice of such practices (

).

The third example of using the Internet to violate the privacy of children is the lawsuit filed by a child against her peers for faking a Facebook page about her (

). A doctored, unflattering photograph of the child and falsified claims about the child’s sexual activity, use of drugs and other inappropriate and untrue comments were included on the page. Because it was not done on school equipment, the school could not address the problem and because it was not considered a crime, neither could the police. The cyberbullying statute in the jurisdiction where this took place requires the act to take place at school, so instead, a defamation suit was filed after the social network would originally not remove the page. It finally did, almost a year after appearing. U.S. states with appropriate cyberbullying or cyberharassment statutes provide an additional remedy, typically in supplementing the legal provisions that address offline bullying in schools. These laws may allow the schools to get involved with suspending students who use electronic means to intimidate other students, but location independence is important, as for example in Arkansas, where the statute covers cyberbullying acts “whether or not the electronic act originated on school property or with school equipment.”

The fourth example of using the Internet to violate the privacy of children involves the many cases of identity theft of children. Due to their clean records and unlikelihood of using their Social Security numbers or other confidential details to apply for credit or a job for a decade or more, identity thieves prefer to acquire the personal information about children to use in a variety of financial scams. Acquiring numbers through social engineering and malware—and previously by easily predictable SSNs—recent reports indicate that this problem is escalating, with even younger children being targeted, although the thieves are not always strangers and are in certain cases relatives. To help, the U.S. state of Utah has begun a program with one of the “big three” credit reporting agencies that protects the identities of children by allowing their names and SSNs to be registered in a database to be checked by creditors, which remains there until they turn 17 years of age. Part of IRIS (Identity Theft Reporting Information System), the Child Identity Protection program requires that parents/guardians are first verified; e.g., by state driver’s license, before entering their children’s information and enrolling them in this program.

The fifth example of using the Internet to violate the privacy of children involves the maintenance of privacy during children’s access to the Internet through the various applications they use. According to a recent report from the FTC, “Mobile Apps for Kids: Current Privacy Disclosures are Disappointing,” apps stores, application developers and those third parties that provide services need to be more forthcoming about their privacy practices. In looking at the two major platforms for mobile apps for children, iTunes and Android, and at the websites of 400 mobile apps, it found less than one percent had sufficient privacy practice disclosures on their collection and processing of information for apps targeting children. In addition, the Mobile Marketing Association has recently

a framework that addresses the privacy practices of its members. This includes simplifying privacy notices on collection, use, disclosure, consent and retention and renewed commitment for complying with COPPA.

The FTC recently

a number of changes to the Children’s Online Privacy Protection Rule authorized by COPPA. As part of an ongoing review, the FTC has suggested changes to the rule including clarifying some definitions; e.g., whether SMS are covered under COPPA, and revising others; e.g., personal information should include photos, video and geolocation data; updating the requirements for notice; e.g., providing more information to parents in the direct notice as opposed to the online privacy policy; for parental consent; e.g., mechanisms for obtaining verifiable parental consent; for confidentiality, security and integrity of children’s personal information; e.g., extending the requirement for reasonable measures to service providers and third parties, and for safe harbor provisions; e.g., more rigorous oversight and reporting, and also by adding a provision for data retention and deletion. The final modifications to this rule are still under consideration but are expected to be promulgated this year.

Protecting the privacy of children online is becoming increasingly complex. Not only are children curious by nature and willing to take risks online that they are unaware of the consequences of, they are constantly being induced, intimidated, inundated, befriended and defrauded. The online world is global by default and so has many, many sets of rules governing it, as each country has its own laws addressing cybercrime, data protection and protections specifically for children. And the cultural privacy prohibitions and permission vary from country to country. Children’s online behavior tends to be different based not only on their culture and location but on their ages, genders and access to technology.

Providing online privacy for children has many components, of which the examples provided above highlight only a few. For lawyers, risk and privacy professionals, teachers, schools, child-facing organizations and parents, the effort is only getting more involved, as new fronts seem to spring up with each new technology—think mobile devices, online gaming and social networks. To address the proliferating risks, these stakeholders in the welfare of children’s Internet safety need to understand the dynamic mixture of technologies and threats, statutes and standards, practices and personalities, cultures and cases, to provide a sufficiently safe zone around their children in their increasing interactions with the Internet.