Graphite Software looks at ways to control data access on mobile devices for children
Poor, beleaguered parents these days. Not only do they have to wage daily battles with their kids about too much “screen time” at home, they have to track the security, privacy and social-emotional ramifications of each app and device whether it’s being used for school or play. Even toys like Barbie dolls and toddler games are “connected” and have to be carefully reviewed for unintended and potentially dangerous gaps in security.
Many parents look to dedicated apps to help them keep their kids safe online. Yet recent hacks have exposed glaring security lapses at these same companies – can parents trust any of these services? Responsible educators are raising similar concerns. Are the for-profit educational technology companies looking out for students’ privacy, or are they too focused on the bottom line – and the lucrative business of selling aggregated data to advertisers?
Aren’t kids protected by law?
You might think that as far as education tech is concerned, state and federal laws must address digital privacy for minor students. The most applicable law, called the Family Educational Rights and Privacy Right Act of 1974, requires schools that receive public funding to secure parental permission before sharing personal information about students with third parties. FERPA, which should have been updated to address privacy issues that didn’t exist at the time of its creation, has in fact been weakened by amendments that define exceptions, including court ordered disclosures under the auspices of the U.S. Patriot Act.
The most notable exception allows schools to outsource school functions, including data analysis, to third parties without first obtaining parental consent. Advocacy groups like the Electronic Privacy Information Center and legislators have been pushing for stronger protections for students, but face an uphill battle against private companies representing billions of dollars in venture capital investment in educational technology.
The FTC oversees compliance with the Children’s Online Privacy Protection Act, which prevents companies from publicly disclosing data collected online from children 13 or younger. The regulations are limited in scope, especially when you consider that many of the most alarming privacy gaps are found in toys produced in China. As always, compliance is mostly self-regulated by industry and enforcement is neither swift nor drastic enough to constitute a serious deterrent.
What about online privacy services?
In other words, we can’t rely on government or industry oversight to keep our kids’ data private. It’s problematic even to rely on companies whose sole purpose – driven by the best of intentions – is to help parents protect their children while they use mobile devices for schoolwork, game play and social interaction. In February 2016, a white hat hacker revealed that a leading child tracker app called UKnow had left a sensitive database unlocked for at least 48 days, exposing millions of text and photos from kids’ phones.
Even major enterprises with the best cybersecurity solutions money can buy are vulnerable to hackers and their exploits (e.g., JP Morgan, Target). And we’ve seen time and again what can happen when a single database is left unprotected or unencrypted – think Anthem, Ashley Madison, etc.
The enormity and scope of kids’ data being collected for analytics and marketing, and the sheer number of sources from which it is being gathered constitute complications in and of themselves. Consider this list, for starters: smartphones, tablets, connected toys, fitness wearables, social media, games, streaming music, video sites, online shopping, job and school applications – not to mention parenting aids like baby monitors, nanny cams and tracking solutions like UKnow. Multiply this by millions of children and mobile devices across thousands of vendors and you begin to sense the size of the challenge.
Beyond the homefront lies another data battleground – the classroom. Parents have even less control over what happens when their children are at school, interacting with teachers, each other and digital learning platforms over phones, tablets and laptops. Most schools are overly focused on trying to shield students from inappropriate websites, while doing a terrible job of protecting them from third-party data collection. At the same time, some schools have begun employing more extreme monitoring and tracking solutions that record everything from drug and alcohol use to subjective qualities like sociability. As one privacy advocate warns, we’re actively “grooming students for a lifetime of surveillance.”
Khaliah Barnes, an expert on student privacy at EPIC, has discussed the spectrum of data gathering, from routine software teachers use to follow student progress through units of study to the more Orwellian “human monitoring services” that read student email and spy on social media to flag troublesome behavior. She states unequivocally the “collection of student data is out of control” – parents and students don’t know the data is being collected, by whom or for what purpose, and they don’t get to review it for accuracy. Teachers and administrators, who aren’t cybersecurity experts, may unwittingly be exposing their students’ personal information through poor management of settings and configurations. Finally, education tech providers are often more invested in the power and dollar value of aggregated data than addressing student privacy concerns.
Why worry?
Data records for children that contain personally identifiable information such as date of birth, address and social security numbers are in high demand by identity thieves, who use the pristine credit records of minors to open credit card accounts and apply for loans or government benefits.
There are also the usual physical safety concerns about controlling access to student PII. Parents don’t want strangers to know where their kids live, play and work. They don’t want noncustodial parents to track their children in violation of court orders. And every parent fears sexual predators finding personal details or connections online they can use to lure children and teens into abusive situations.
It’s not just criminals we need to worry about, of course – it’s the kids themselves. Parents are right to worry that a child’s lack of judgment today could be captured or persist online and come back to haunt them when the time comes to apply for colleges and jobs.
Unless you continuously monitor your child’s phone like an NSA agent, chances are they are downloading and deleting apps and games faster than you can say “Snapchat.” Are they combing through the privacy settings to ensure only friends can see their chats and posts? Who are these “friends,” anyway? There are simply too many variables, nuances and sneaky strategies for parents to keep up with. While it is natural and expected for teens, especially, to hide their social activity from their parents, they aren’t nearly as diligent about hiding it from the rest of the world, and often lack the maturity to understand the potential consequences of their online behavior.
What can be done?
Cultivating better security awareness is an important first step. Students, parents and educators need to advocate for stronger privacy measures, learn how to configure mobile devices and apps for privacy and encourage responsible behavior. Parents should proactively question teachers and administrators about the software used in classrooms and what is being done to guarantee student data privacy. Advocacy campaigns and lawsuits are making an impact: a nonprofit student data repository called InBloom, primarily financed by the Gates Foundation, shut down in 2014 after strong objections were raised by parents and privacy advocates. A recent lawsuit in California allowed an important data project assessing special education disparities to go forward despite parent protests, but only under strict privacy guidelines that will be monitored by the court. Hopefully these efforts will continue to gain momentum and capture the attention of lawmakers and regulators.
Parents still need more control, right now. After all, we don’t rely on laws against kidnapping to keep our kids safe from predators. We watch over them and set strict boundaries. We keep them close, entrusting them only to known, qualified caretakers. There are some basic security checks parents and older children can do when using new websites and apps: these pointers from Common Sense Media are a good start, along with careful password practices and caution regarding any request for personal information.
It’s equally important to defend our data privacy (and our kids’ safety) with stronger technology. We can’t keep kids away from smartphones – there’s no force in the universe powerful enough. But we can build better boundaries with technology by isolating data, accounts and apps so that data cannot be so freely gathered and shared. Partitioning solutions create separate spaces on smartphones that can be configured to closely protect user identity and activity. Apps used at school for educational purposes can be completely blocked off from social feeds and games. Kids-only spaces can be sequestered from everything else, an important capability for families that share mobile devices. The more we can prevent apps and accounts from mixing, sharing and selling their data, the better we can protect our children.
Keeping kids safe online until they are old enough to make sound decisions for themselves is a daunting task. Any solution that brings ease-of-use and closely held control to parents also brings peace of mind. Parenting and educating children is largely about setting boundaries, starting with baby gates across the doorway, then fenced yards, then playground rules then curfews. Securing their smartphones by setting up boundaries for data flow is a logical and manageable way to protect them while they play and learn online, for now and on into their promising futures.
Robert Grapes is the VP marketing and operations at Graphite Software, a mobile solutions company developing innovative solutions and services for Android devices.
Editor’s Note: In an attempt to broaden our interaction with our readers we have created this Reader Forum for those with something meaningful to say to the wireless industry. We want to keep this as open as possible, but we maintain some editorial control to keep it free of commercials or attacks. Please send along submissions for this section to our editors at: dmeyer@rcrwireless.com.