As a parent, you’re vigilant about your children’s use of digital media. You set limits on their screen time. You make sure the websites and mobile applications they use are age-appropriate. You supervise them while they play on their devices.

But are you paying attention to the amount of personal data these online services are gathering from your children?

In recent months, the Cambridge Analytica scandal, which revealed the improper sharing of data of up to 87 million Facebook users, has raised discussion over the privacy risks associated with online data collection. In light of the scandal, Facebook said Monday it has suspended around 200 apps as it investigates whether they may have misused users’ data. These risks apply to everyone, including young children, says Florian Martin-Bariteau, assistant professor and director of the Centre for Law, Technology and Society at the University of Ottawa. He says websites and apps that are aimed at children may obtain more personal information about them than they, or their parents, realize. And there are concerns about how all this data may be used – whether it’s for personalized advertising, potentially accessed by hackers, or used by organizations aiming to influence users’ attitudes.

“Parents need to be aware of risks, and not just for their child but for them[selves] too,” Martin-Bariteau says.

Last month, a study in the journal Proceedings on Privacy Enhancing Technologies found thousands of popular children’s apps potentially violate U.S. privacy rules. Researchers found 73 per cent of the 5,855 apps they analyzed transmitted confidential data over the internet, and nearly 20 per cent of them collected identifiers or other personally identifiable information using software development kits (SDKs) that are not intended to be used for apps aimed at children.

The researchers found the personal information that certain apps were collecting included geolocation data, the device owner’s e-mail addresses and phone numbers.

These findings echo the results of a 2015 global privacy sweep that found many websites and apps that were popular among children collected, and sometimes shared, personal data, including full names, genders and hometowns. That sweep, conducted by the Global Privacy Enforcement Network, which included the Office of the Privacy Commissioner of Canada (OPC), found 62 per cent of websites and apps popular in Canada said they may share users’ personal information with third parties, while only 29 per cent sought parental consent before collecting children’s data. (Since then, the OPC has reported that some apps and websites had responded, including five targeted sites that said they had made changes, such as asking for a parent or guardian’s full name and contact details instead of the child’s.)

Narseo Vallina-Rodriguez, one of the authors of the recent Proceedings on Privacy Enhancing Technologies study, says he and his team did not know why the apps they examined were collecting personal data from children – whether they were doing it intentionally or by mistake, and whether that data was used for commercial purposes or internal purposes.

But, he said, many apps were clearly using certain SDKs, or pieces of software that developers can integrate into an app to enable advertisements, for example, or to understand how users interact with the app. Because some of these SDKs can be very aggressive in terms of the data they collect, they are not meant to be used in children’s apps and warn against this in their terms of service, he said. The U.S. Children’s Online Privacy Protection Act (COPPA), prohibits certain data collection practices when it comes to children under the age of 13, and requires parental consent for others, the researchers noted.

(In Canada, the collection of personal data is governed by the Personal Information Protection and Electronic Documents Act or PIPEDA, which does not differentiate between adults and children. The Office of the Privacy Commissioner can make recommendations if apps or websites contravene, but it does not have the power to issue orders or fines.)

Vallina-Rodriguez, an assistant research professor at Madrid’s IMDEA Networks Institute and researcher at the International Computer Science Institute at the University of California, Berkeley, says he and his team were able to determine some apps were “leaking” personal data without obtaining parental consent because they could see data dissemination taking place as soon as they launched the apps.

“We just launched it. We don’t do anything for 30 seconds,” he says. But even within those 30 seconds, before interacting with the app, the researchers could see some personal data being disseminated, whether to the app developer or a third party, he says.

So just how concerned should parents be?

Nancy Smith, author of Social Citizens: A Positive Approach to Social Media & Parenting in the Digital Age, says there’s a lot of hype around the privacy implications of online data collection.

“I think people immediately freak out when they hear their data is being sold,” she says.

Smith, who teaches social media and digital marketing at Mount Royal University and the University of Calgary, suggests parents can take measures such as using strict privacy settings, conducting regular setting checks on apps and websites, turning off location services on children’s devices unless it’s for an app that tracks them for safety reasons, and avoiding online games, quizzes and surveys that ask for a social media profile to log in, or that ask for a lot of personal information. She also notes it’s important for parents to have frequent, age-appropriate discussions with children about the kinds of information they can and should not share online. Some examples of what they should not share include their birthday, their school, their address, names of family members, e-mail and phone number, she suggests.

Martin-Bariteau agrees that parents should regularly talk to their children about how to maintain their online privacy. But, he says, parents should be “very concerned” about the privacy risks their children may face.

He sees behavioural advertising, or the use of data to personalize ads, as “one of the biggest threats.” To customize an ad, companies rely on the collection of vasts amount of personal data, he says. “And when you know everything about someone, you can try to influence his or her thinking,” he says, noting children may be particularly susceptible.

Moreover, there’s also the risk of privacy breaches, such as apps or websites being hacked, he says. He notes there have been incidents of nanny cams, for example, that have been hacked to stream the camera’s feed online.

And it doesn’t take disclosing your child’s name or birthday to allow others to profile them, Martin-Bariteau says. He explains even an IP (Internet Protocol) address, which is the identifying number assigned to a device, can reveal where you live, and based on your location, whether you may be wealthy or not, and your browsing history. By merging two or more data sets, it’s possible to make anonymous data identifiable, he says. “You don’t need a name to know everything on someone.”

Vallina-Rodriguez adds it’s unclear what kind of implications digital data collection will have in the long-term. The data that apps gather may be able to reveal information, such as whether a child has any medical issues, how much time they spend gaming, and their intellectual capacity, based on how they respond to educational games, he says.

“You can profile the kids in many ways,” he says. “And you don’t know what kinds of usages [companies may have for] this data in the future.”

The Globe and Mail, May 14, 2018