A Proper Price to Pay for Privacy?

We all hold our privacy in the highest regard when we interact with others in society and for very good reason. Information about ourselves that ends up in the hands of people we never intended has the potential to drain our bank accounts, compromise our security and ruin our reputation among myriad other adverse consequences. As Alessandro Acquisti of Carnegie Mellon University presented in a recent TED talk [http://www.youtube.com/watch?v=H_pqhMO3ZSY], privacy matters even more as technology advances because each new application, network and innovation brings with it the prospect of not only simplifying our lives but compromising our most important assets. This digital double-edged sword has especially weighty implications for the children in our society since they are all the more prone to fall victim to entities which may employ loose terms, loopholes and underhanded tactics to wrest sensitive information under the guise of necessity. Users, developers and regulators are all at a crossroads to determine what the best course of action is to strike the appropriate balance between allowing freely accessible content and implementing safety measures for those most likely to be victimized.

Recent investigations have uncovered stark examples of the dark side of unregulated online interactions where children become prey for perverted predators. Skout, a social network app based around geolocation similar to FourSquare with around 5 million registrations, was used by adults to allegedly statutorily rape 3 children they contacted through the application; the company had to shut down their entire operations for around a month in June 2012 as a result. [http://bits.blogs.nytimes.com/2012/06/12/after-rapes-involving-children-skout-a-flirting-app-faces-crisis/] In July 2012, after implementing new security measures, it reopened its services for teenagers. [http://blog.skout.com/2012/07/13/teens-welcome-back-to-skout/]

The most notable case may be the Habbo Hotel debacle. The UK’s Channel 4 news ran an expose where a reporter posed as an 11 year old girl and interacted in the environment clearly catered towards young children with its neon lighting, merry tunes and plush teddy bears abounding. Within not long, she found herself being inundated with insistent prompts to engage in explicit sexual chats, virtual molestation by boy avatars, and resolute requests to strip naked via webcam. [http://www.channel4.com/news/striptease-and-cyber-sex-my-stay-at-habbo-hotel] Habbo presented itself as the largest social community for teenagers and had 10 million+ visitors each month, however, in light of the damning piece, its CEO reacted by claiming to increase its filtering technology and imposing more moderators in addition to the 225 it had in place who purportedly monitored in aggregate 70 million lines of chat each day. The company was hit hardest, though, in its pockets when 2 of its primary investors holding a total of nearly 30% of its shares backed out. .  [http://www.inc.com/eric-markowitz/gaming-industry-haunted-by-safety-concerns.html]

In 1998, Congress had enacted the Children’s Online Privacy Protection Act (COPPA) [http://www.ftc.gov/ogc/coppa1.htm] to tackle these types of issues head on and recently imposed new amendments effective July 2013 to further address growing concerns. Its provisions now require compliance in the following manners:

-posting of clear and comprehensive online privacy policies describing the practice for personal information collection from persons under 13 year of age

-making reasonable efforts to provide direct notice to parents of the company’s practices regarding the collection, use or disclosure of the information gained from persons under 13

-obtaining verifiable consent from parents prior to any such collection, use or disclosure of persons under 13

-providing parents with a reasonable means to review the personal information collected from their child and the right to refuse further use or maintenance of said information

-establishment and maintenance of reasonable procedures to protect the confidentiality, security, and integrity, of said collected personal information by releasing the information only to entities able to maintain that level of security

-retention of the personal information only as long as necessary to fulfill the purpose for which the information was collected and then deleting it using reasonable measures to avoid unauthorized use or access

-prohibition of conditioning a child’s participation in an online activity on the child divulging more information than is necessary to participate in said activity

The definition of “personal information” under this Rule includes:

-first and last name; or

-home address with street name and city; or

-online contact information; or

-user name that serves as contact information (e.g. email address, etc); or

-telephone number; or

-social security number; or

-a ‘persistent identifier’ that can be used to recognize a user over time (e.g. IP address, cookies, device serial number, etc); or

-photo, video, or audio files containing a child’s voice or image; or

-geolocation information which sufficiently identifies street name and city or uses coordinates; or

-information ‘concerning the child or the parents’ of that child that an operator collects from the child combined with any of the above information (e.g. a parent’s credit card coupled with other info about the child)


Though many parents and legislators herald these provisions as necessary and welcome to provide additional buffers for young children to explore the virtual world with relative security, many developers and operators of established and emerging online enterprises are loathe to comply with the regulations which they decry as overly burdensome and excessively costly. The FTC itself estimates that it will cost a total of $2.7 million for all existing operators and developers to comply with the new form of COPPA (About $9,420 for new ones and $3,000 for existing ones). [http://www.usatoday.com/story/tech/2012/12/18/developers-worried-about-new-rules-for-phone-apps/1777187/]

One of the loudest criticisms implicates the age verification requirement of exchanging signed, printed forms, credit card verifications, or digital signatures via email as an unwieldy and inherently flawed measure since they may expose parents to the same privacy dangers that they are trying to secure their young children from. Additionally, these ponderous laws may draw developers away from creating space and services catered toward children and thus leave a void for that demographic which could undoubtedly benefit from the educational aspects of the technology. Children can and do easily add to the headache for businesses by lying on forms or providing false information about their age. The Federal Trade Commission has further bolstered condemnation against the regulations by inconsistently enforcing the COPPA measures themselves, although it has encouraged self-regulation within the tech industry with its Safe Harbor Program allowing operators to be held to the discipline of certain approved bodies instead of the FTC.  Currently there are only 5 such approved entities: the Children’s Advertising Review Unit (CARU), the Entertainment Software Rating Board (ESRB), TRUSTe, Privacy Vaults Online (Privo), and Aristotle International.  [http://epic.org/privacy/kids/]

Ultimately, though these privacy laws do add layers of protection for minors who would largely benefit from them, the cost to most operators does seem to be a relatively hefty one. Some states endeavor to go above and beyond the federal rules by enacting further regulations for entities within their jurisdiction, notably California with its new SB568 ‘eraser button’ law allowing minors to “remove” postings from websites. [http://www.huffingtonpost.com/2013/09/24/teens-online-eraser-button-california_n_3976808.html]

Are the established federal laws and such newfangled state protocols a legitimately crucial measure in the fight for our children’s privacy online or are they largely futile attempts to appease a deep human yearning for security in this ever-evolving and complex digital age?

~ by prasadlaw on October 27, 2013.

9 Responses to “A Proper Price to Pay for Privacy?”

  1. These regulations, although expensive, are the necessary and logical progression of keeping children safe. We cannot expect parents to monitor activities they are unaware of their child doing–and children’s access to the internet is basically unfettered at this day in age. Traditionally, the only gate-keeping mechanism in place was through self-reporting (think please enter your birthday in this box to ensure you are over the age of 13). Although requiring a credit card may be viewed as more invasive, presumably it would force children to ask their parents for it; effectively placing the parents on notice as to what content their children are accessing so that they may monitor the site and decide whether or not its appropriate for their child. Again, I am a believer in putting the onus on parents to protect their children rather than governmental imposed filtering on a broad scale. Nonetheless, parents must be aware of what their children are accessing and in order to do so, we must close the doors where children could essentially lie to gain access and “do it behind their parents backs.”

    Given what a lucrative market products and services which are aimed at children is, I don’t think that those opposing the measures have much merit in the argument that developers will quit altogether. Over the last 20 years since I was child there has been exponential growth in the number of movies, tv networks, shows and games targeted at children and in particular tweens (the real problem age for these issues). This increase was not because developers thought this age group was left out and felt bad; it was because there was a large niche not being served and parents who will doll out lots of $$ to make their angst ridden 13 year old smile. A small increase in start-up costs is not going to hamper free speech or entrepreneurship to such a degree as to tip the scales of any balancing test. Limited increases in reporting requirements are worth ensuring that parents of 13 year old girls are aware when they are on sites like Skout and Habbo which may implicate real world dangers to children.

  2. This was a very well-written post. I agree with hkruzyk, above, that these regulations are necessary to protect children and should be enforced. However, it is clear that the law can not keep up with technology in almost any arena. Laws that enact formal steps, such as requiring credit card verification, that companies must follow are destined to be outdated or ineffective at some point. Instead of stating specific safety measures that must be taken, I think the rule should be similar to strict liability for websites that are known to have children visitors (admittedly, this will be nearly every website).

    For example, if a child is harmed in any way as a result of the use of the website, the website is strictly liable for that harm unless the company can prove that it had in place reasonable, effective safeguards to prevent unauthorized access by children. Instead of trying to come up with specified measures that will prevent child access to the website, the website needs to stay on top of technology and take all reasonable steps to ensure the child’s safety, or else face strict liability for the harm caused by their website’s inadequate procedures. I think many companies know very well that their website is used for illegal purposes, but just want to turn a blind eye once it complies with the letter of the law so they can continue to make money. This is a problem with trying to write laws that stay ahead of technology. I think legislature should try an alternate route instead and let the companies figure out the technology, or else face the consequences.

  3. I’m curious as to how you think these laws will ultimately protect children? And to what lengths should law go to protect children? Will their parents ever be assessed some responsibility for monitoring their children’s internet usage? While I am not against regulation of some type, I think the potential for governmental over reaching is huge here.There are many, “no costs” filters a parent can put in place such as no computers in the child’s bedroom and activating parental control features. Yet few parents avail themselves of these resources.

    I am also worried about any kind of strict liability assessment against anyone as suggested by Drew. If you take the example of Skout mentioned above, would you hold them liable because a bad actor took advantage of their programming? Even Habbo House thought it was doing a decent job of monitoring the children’s environment. How would we monitor and evaluate a website’s controls?

  4. I am agree that COPPA and similar laws are the logical response to the dangers posed to young children while online. However, I also agree that parents need to take increased responsibility for their child’s online activity, With that said I don’t know if most parents understand just how much personal information some of these apps, games, and social networking sites actually collect. Until reading the articles I didn’t even know that angry bird collected personal information.(Full disclosure never downloaded) I think if we really want to eliminate the risk to children, we may need to consider a prohibition on the collection of personal information on free to use/play apps and websites, at least to ones targeted toward minors. I know these companies make tons of money off selling this information for advertisement but maybe they will just have follow TV’s economic model. A complete prohibition may have to much of a negative impact on the industry but it may be a course to consider. Furthermore, I would flat out ban the use of global location in apps. To me seems absurd to even provide the framework to allow what happen with Skout. If you want to know where your friend is call them.

  5. I think that a complete prohibition of allowing apps, games, and social networks to collect any personal information. I agree with the posters above that the primary responsibility is with the parents– they need to monitor and regulate their children’s activity in the virtual world with the same (or perhaps even more) fervor that they do in the real world. I don’t think parents are excused by claiming they lack technological sophistication.

    Clearly the intent behind these laws is valid. I have mixed feelings about whether the regulations currently in place are too restrictive. But, I think we should be wary of going too far. I can easily see future laws going beyond what we have now. It would be very hard for a politician to advocate and vote against legislation that is to “protect our children.”

    I agree with Professor Jacobs in regards to applying strict liability to these companies. As long as they have reasonable protective measures in place, they should not be held liable for the bad acts of an unaffiliated member.

  6. I think that an outright ban on the collection of personal information would be overly restrictive. Free apps and online services are highly dependent on advertisement revenue; these developers would not survive if they were prohibited from selling the personal information of users. I believe a great number of app-related problems could be prevented by measures as simple as allowing parents to block access to the app store on their child’s phone. Parents could then screen what apps his/her child has access to on their phone. Additionally, developers would not be burdened by the costs of complying with restrictive regulations.

  7. As a parent of a 14 year old boy, I definitely agree there should be restrictions.But not just on apps and sites that appear to be kid friendly. There should also be some type of restrictions to ensure that children are unable to view content out of their age range. For instance I would be okay with a site asking for my son’s email or supplying some kind of username or something that makes the site aware that an child is accessing the app or site. Because merely asking if an individual is 18 or 21 before allowing them to enter a site is not effective. After all, anyone can just pick a random birthdate to enter the site. There should be a policy which not only protects children from potential predators, but also one the essentially protects the child from themselves. Maybe its not possible, but it seems it would be easier than a parent trying to figure out which sites should and shouldn’t be blocked. Trust me, I’ve tried every mobile monitoring app, there is and none of them truly block access.
    Now I know Facebook doesn’t even allow children under the age of 13 to create a profile. But again what is there to stop a child from merely entering in a different birthday. I can tell you now, there is nothing in place to stop a child from entering a different birthdate to gain access to Facebook to make a profile and to sites like YouTube, which by the way has pornography. At first there wasn’t even a filter now you have to check a box agreeing that you are over the age of 18.
    As far as games like Angry Birds and other apps purchased from iTunes, these games are probably purchased under the parent’s Apple ID so its not a big deal. This is the most effective way to monitor purchases. There’s no need for a child to have their own Apple ID, its just too risky.

  8. I would echo my colleagues’ general consensus that parents should be aware of their children’s activities on the internet. As we have discussed in class, times are changing and there is now a rule mandating that lawyers be technologically competent. While there is no official rule book that guides parents in raising their children (although, maybe there should be?), it seems as though parents should take it upon themselves to be familiarize themselves with free tools that are already at their disposal, all of which can help control/monitor their children’s online activities.

    The internet is now a huge part of our society. So, in addition to the “drug talk”, the “alcohol talk”, and the other talk which is always awkward coming from your parent, it seems that the “internet talk” should now be a standard discussion as well. A more in depth understanding of the internet by the parent will enable him or her to teach his or her children what is appropriate and what is not appropriate. This, along with utilizing the aforementioned filtering tools, will effectively reduce the need for constant parental monitoring. I think this is the most effective way to address the issue. Any governmental action that goes further than mandating the internet entity to take reasonable steps to prevent the exploitation of children seems to be over-reaching.

  9. I think that one of the things that hasn’t been mentioned yet is private development of software that would mimic what the government could potentially do. I agree that regulation may be needed to protect children who are not yet fully knowledgeable about the world and the internet to be making their own decisions. I also think that regulation may be needed to protect children when their parents don’t even know enough about the internet to properly watch over their child’s activity. But I agree with Professor Jacobs when she says the potential for overreach is extremely high. I think soliciting the help of private companies to develop screens and other programs that can help parents do their job in raising THEIR children would be a far more effective way to ensure that children are protected and that there is at least some semblance of privacy on the internet. As for allowing minors to remove posts on the internet, I am not sure whether I favor that or not. It seems like it could be used as a good teaching tool both ways ie: by either allowing them to rectify their mistakes and learn from them, or by forcing them to become cognizant of what they are posting on the internet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: