Google Buzz & kids' privacy

Because Buzz is brand-new and a hybrid of Gmail, micro-blogging, cellphone social mapping, and social networking, we're all at the early stages of figuring out its implications for kids – a lot of whom use Gmail. Yesterday Charlene Li, a mom and well-known social-media-industry analyst, blogged that she had discovered her 9-year-old daughter was using and really enjoying Buzz. Using it from her computer (people can also use Buzz on Apple iPhones and Google Android phones), the child had had one conversation on it with her friends. The problem was that the kids didn't know their conversation was public. Li wrote that "the easiest thing to do as a parent is to simply disable Buzz, meaning that the Google profile and all followers are deleted – permanently" (go to the bottom of your child's Gmail page and click "turn off Buzz," which will take you to where you can disable it). But because Li's daughter enjoyed Buzz so much, she seems open to "managing groups, privacy settings, etc." so her child can continue using the service. "We’ll give it a try," she writes, "but unless her friends also keep the conversation private, it will all be for naught." Ensuring that with all the other kids and their parents could be quite a project. Privacy is now a collective effort – by users too, not just providers (see "Collaborative reputation protection").

Last summer Google agreed, in response to a complaint by one of the FTC's "safe harbors" (organizations that help it enforce the Children's Online Privacy Protection Act, or COPPA), to require a birth date at registration to Gmail and, if a user indicates he or she is under 13, a session cookie to block the user from re-registering with an earlier birthdate. That's a start, but what this issue points to is the impact on children's privacy of combining social-media products within companies and connecting them across networks such as Facebook Connect. Perhaps the FTC's forthcoming review of COPPA rules and enforcement will address this emerging issue. But we feel the brilliant software engineers and project managers who develop these products need to wear their parent hats more, companies need to be thinking through children's privacy from the earliest developmental stages, and industry best practices need special sections or clauses addressing child privacy and safety. [See also "Google Buzz isn't exactly humming along" in the Wall Street Journal; "Does Google Buzz violate COPPA?" by Marquette University law Prof. Bruce Boyden (the jury's still out, he indicates); and my post at Buzz's launch, "Major buzz about Buzz, but not about its safety."]

Federal privacy case also about youth safety

There's an interesting conversation going on over at CNET about cellphones as tracking devices, outdated federal privacy law, and phone owners' privacy rights. Reporter Declan McCullagh looks at this crucial moment in the courts – a case to be argued before the Third Circuit Court of Appeal in Philadelphia tomorrow. As I read, I first thought, "Well, cops used to obtain phone records that located where suspects were when they made calls with fixed phones, as well as where the calls were made to. Now they just find out where the mobile phone was, right?" Yes, but, uh, the tracking of geolocation-enabled cellphones (which most mobiles are now), "comes in two forms," McCullagh writes: "police obtaining retrospective data kept by mobile providers for their own billing purposes that may not be very detailed, or prospective data that reveals the minute-by-minute location of a handset or mobile device." It's the "prospective" part that's new and raises even more concerns. If search-and-seizure laws aren't updated so that police need a search warrant to obtain cellphone location data in realtime (which is what this whole discussion's about), Big Brother really can, potentially, track you minute-by-minute now. Then I thought about youth safety. Is there a downside there? Of course not, if we're talking about tracking a kidnapper or his/her victim. But what if a child is trying to get away from an abusive parent, the police don't know about the abuse, and the parent calls the police saying s/he's desperate to find a lost child? There are many what-if scenarios like that. Minors have privacy rights too. Another consideration I'm not seeing in McCullagh's piece is prepaid "disposable" phones not attached to mobile carriers' billing departments and data-storage servers. Will bad guys be using those a whole lot more if the privacy-rights side of this case loses? To be continued.... [Meanwhile, feel free to weigh in on any of this in comments below, via email, or in our forum at ConnectSafely.org.]

Privacy on the social Web: Varying views

Our kids - the people who've never known life without the Internet - do think about their online privacy, and social technologies are actually giving them "greater control over their information," writes Heather West at the Center for Democracy and Technology in a Wired blog. She makes an important point about privacy in the new media environment that I think those of us who grew up in the mass-media era need to think about: We think of privacy in a binary way, as "the ability to conceal information from others" – public or private. Period. Internet natives think of privacy as the ability to control how they share information, and to do so in a nuanced way.

West cites two studies showing this, then writes, more anecdotally (and interestingly): "Gone are the days where my friends could see everything I posted on my Facebook page. Now, I am given the opportunity to choose not only what content is public, but who has access to that content. This includes privacy control for photo albums, status updates, and personal information. Truth be told, I am much less comfortable with social sites that do not give me this level of freedom."

[In this context, it's probably worth mentioning the finding that – despite all the online-safety warnings not to share personal info online – "sharing personal information, either by posting or actively sending it to someone online, is not by itself significantly associated with increased odds of online interpersonal victimization," published in the February 2007 issue of Archives of Pediatrics and Adolescent Medicine. Rather, the researchers found, it's aggressive behavior online that significantly increases risk.]

Privacy in 6 social sitess

In other important privacy news, Canada's Office of the Privacy Commissioner recently unveiled a study that looks into privacy protections in six social network sites: Facebook, Hi5, LinkedIn, LiveJournal, MySpace, and Skyrock.

"These sites were selected based on popularity, but also to facilitate the efficacy of the final product by providing an appropriate breadth and diversity to the analysis," the report said. Aimed at user education more than industry regulation, it does a "comparative analysis" in each of these categories: registration information (e.g., here), real identities vs. pseudonyms, privacy controls, photo tagging, accessibility of user info to others, advertising, data retention, account deletion, third-party applications, and collection of non-user personal information.

The report refers often to the March '08 "Report and Guidance on Privacy in Social Network Services – Rome Memorandum," building on the work of the International Working Group on Data Protection in Telecommunications (see this PDF file) spearheaded by data-protection commissioners in a number of countries.

Related links

A fascinating project at MIT bears out how the societal discussion about privacy needs to get more granular and social-media specific. "Project Gaydar" found that "who we are can be revealed by, and even defined by, who our friends are.... The ability to connect with other people who have something in common is part of the power of social networks, but also a possible pitfall. If our friends reveal who we are, that challenges a conception of privacy built on the notion that there are things we tell, and things we don’t," the Boston Globe reports. There's a lot in the article, too, about the state of research being done in social network sites.

A view from another generation - that of Andrea DiMaio in the Gartner Blog Network. Note the interesting comment below it about how, "in a world awash in information," as it is now, "a paradoxical effect is that many people know far less than they did before."

The Pew/Internet Project's December 2007 teen-online-privacy findings (the latest available).

Massive ID theft & new media literacy ed

The identities of some 4 million Britons and 40 million people worldwide (mostly Americans), are up for sale on the Internet to the highest bidder, the TimesOnline reports. "Highly sensitive financial information, including credit card details, bank account numbers, telephone numbers and even PINs are available to the highest bidder. At least a quarter of a million British bank and credit card accounts have been hacked into by cybercriminals, exposing consumers to huge financial losses." All of it has been put into a single database built by a retired police officer in the UK who wants to offset his 160,000-pound ($263,000+) investment "by charging members of the public for access to his database to check whether their data security has been breached," raising consumer-privacy questions (see the Times for more on this). This is and isn't kid-tech news. It isn't only at the superficial level: it's about the privacy of Net users of all ages. It is because we need to start teaching our kids critical thinking about social and commercial influencing just about the same day they start using the Internet. Critical thinking is protective - of our psyches, identities, pocketbooks, and computers. Increasingly, phishers' and other Internet fraudsters' success is based on their social-engineering skills as much as their technical ones - creating messages that trick people into clicking to sites that download keylogger and other malicious software onto their computers or into typing passwords or account numbers into fake bank sites. Stark stories like this illustrate not only how important it is to fold computer security into new-media literacy ed but also what an opportune subject it is, for examining all forms of manipulation. See also "How social influencing works."

Terms of use: Social Web bill of rights?

It's a big headache, Facebook's experiment in folding users' input into updating its terms of use, but so is democracy! And by definition - as a user-driven or -produced medium - Web 2.0 is more democratic than any that preceded it. Revising terms of service in this participatory way actually makes them relevant. I wonder why it has taken so long to get here, actually (maybe partly because all eyes were directed to predators by politicians and the news media, with the relentless message that it's entirely up to these social-media companies, like their mass-media predecessors, to control the content they "broadcast"). Now, as my ConnectSafely.org co-director Larry Magid wrote in CNET, Facebook's "officials seem to be trying to figure out what it means to run a company where users, not professionals, provide most of the content. In some senses, Facebook is a media company but unlike newspapers, TV networks and even most blogs, its contributors aren't employees or contractors. It's those 175 million members." Terms of use can no longer viably be written entirely by corporate lawyers "for other lawyers, in the hope that their lengthy recitation of claims leaves no room for a lawsuit," as the Washington Post's Rob Pegoraro put it. Nor can Facebook afford simply to "grind" users' reactions and edits to its proposed user "bill of rights" "into the usual legalistic sludge." Pegararo suggests Facebook should put its draft in a wiki that users can edit as in Wikipedia. The only problem is, Wikipedia doesn't need the input of corporate lawyers on its "encyclopedia" entries. The other problem is what adequate representation is for Facebook's 175 million "citizens." If more than 7,000 people comment on a new policy, Larry Magid points out, "the policy will be put to a vote and the result 'will be binding if more than 30% of all active registered users vote." Thirty percent of 175 million is 53 million. This will be an amazing experiment indeed if that many people vote! In any case, this is a great discussion to be having - it's important to make terms of use relevant. [Here's a transcript of Facebook's 2/26 press conference on this at CNET.]

FTC's new behavioral-ad guidelines

The Federal Trade Commission has just issued guidelines for behavioral advertising, a practice in which a marketer targets ads at a person or group based on their online activities, the San Jose Mercury News reports. The guidelines say Web sites must disclose to their users the data they're collecting on their activities "and give them a chance to opt out" of the data collection. "Privacy advocates immediately criticized the guidelines, which rely on the online advertising industry to regulate itself, as failing to adequately protect consumers. The four nonbinding principles laid out in the 48-page report are for industry self-regulation and "do not have the force of law," the Mercury News reports.

Facebook, terms of use & privacy

The biggest news over the holiday weekend besides the economy was the buzz about Facebook's recent terms of service update. Facebook said it was all about consolidating and clarifying "what people could and could not do" on the site (see CEO Mark Zuckerberg's blog), but the ruckus raisers said it was about what Facebook could and could not do with users' content, CNET's Caroline McCarthy reports. I think the update and the ensuing flap are much more about what users can do with and for their privacy - and society getting used to a bottom-up, user-driven, user-controlled medium. Here are two important takeaways on user privacy: 1) If you want to delete your own account and all the personal info therein, you can certainly do so, but Facebook can't automatically delete information you post in other people's profiles (because it's on their wall, not yours); 2) if by using Facebook you "license" the site in effect to own and share your content, its use of your content is subject to how you set your privacy settings, so users need to pay attention to and proactively set those privacy options; and 3) that last point is even more true now that Facebook Connect "allows users to 'connect' their Facebook identity, friends and privacy to any site" and Facebook of course cannot control or protect user info in other sites. In his blog post, Zuckerberg wrote, "There is no system today that enables me to share my email address with you and then simultaneously lets me control who you share it with and also lets you control what services you share it with."

Digital body art

A great metaphor for the Net effect on digital natives' lives is used by the University of British Columbia, which has a whole Web site about the "digital tattoo," with a tutorial on how to "Protect," "Connect," "Learn," and "Work" with the Net effect. Here's how UBC explains it: "Just like a tattoo, your digital reputation is an expression of yourself. It's highly visible, and hard to remove. Explore how your online identity affects you, your friends, your school and your job - for better and for worse - and how to make informed choices." I found out about this resource in a Toronto Globe & Mail article, "Chances are your kids are savvier online than you think."

Britain's 'child protection database'

This is what some in the UK call "child protection"? The BBC reports that "a child protection database" containing "the name, address, parents' contact details, date of birth, school, and doctor of every child in England" is being established "to improve information-sharing between professionals working with children." It will be accessible to 390,000 people described in the article as "local authorities, police, health services, and children's charities." Parents will not be allowed to remove their children's information from the database, the BBC adds. Children's Minister Baroness Morgan said "there will be provision for 'shielding' the details of young people facing risk if they were identified," the BBC reports. It says Conservatives attacked the £224m ($315.5 million) database as "another expensive data disaster waiting to happen," leading one to wonder if anyone remembers that UK database security breach in 2007 that jeopardized the personal information of "virtually every child in Britain" (see my item on this). [Thanks to QuickLinks for pointing this news out.]

European call for social-site privacy rules

The EU's Data Protection Authority has urged social-network sites to "warn users about the low level of protection given to their profiles," Agence France-Presse reports. At a two-day conference in Strasbourg, the regulatory body called for "a standard set of international rules" for privacy protection and user education. According to the AFP, it said that "users, especially minors, should be told about the risks they face by going online and given clear instructions on how to change their data protection settings." The AFP added that 70 countries stressed the need for a universal data-protection standard at the Strasbourg conference, which was organized by the Council of Europe.

Facebook plugs security hole

The security issue was people being able to view some members' private photos using the mobile version of Facebook and the Firefox browser, CNET reports. "Basically, someone who knew the serial number of a Facebook user, which is easy to get, and knew a trick for rejiggering the URL, could see private photos of that user," according to CNET. Facebook says it fixed the flaw within hours of being notified. It also plans soon to launch a program to verify the security of third-party applications (those mini applications users download to add games, slideshows, playlists, and other features to their profiles) - an update, apparently, over the statement from a Canadian consumer privacy group in the Toronto Globe & Mail that Facebook wasn't "doing enough to screen third-party developers to ensure they're not phishing for information or trying to commit identity."