A look at child privacy from Michelle Horton

• by Ellie Hurst
• Advent IM Blog

Thank you to Advent IM Security Consultant, Michelle Horton for this post.

A recent headline in the news has caught my attention, “Amazon may be recording kids without consent”. Chapters 3 and 8 of GDPR explain that children have the same rights as adults over personal data and may exercise their rights on their own as long as they are competent to do so (Scotland state this is any child over the age of 12 unless the contrary is proved).

Whilst the headline is in response to two cases in America, Amazon gadgets are used over here in the UK and therefore I thought I would have a look into the privacy policy to see how Amazon state they will protect our children. From reading Amazon’s Privacy Policy, the only statement within the policy I can find which is transparent in regards to children is “Amazon Europe doesn’t sell products for purchase by children. We sell children’s products for purchase by adults. If you are under 18, you may use Amazon services only with the involvement of a parent or guardian”.

Whilst I appreciate what this statement says, I am unsure what protective measures are in place to stop gadgets such as Alexa have in place to protect our children. Smart phone, tablets, TV boxes can all have a parent guardian passcode, therefore allowing them to be used only with parent guardian supervision if that’s how they are set up. However, whilst I appreciate parental controls can be set up on Alexa (but from what I can find out this is only in regards to the times it can be used throughout the day), what does it have that’s stops our children from giving a command, and Alexa recording? Alexa is not loyal to its “owner” and will exercise any voice command and respond.

Amazon have also released Echo Dot Kids Edition, which in America has been criticised with concerns regarding the privacy of children, however Amazon states it is compliant with the Children’s Online Privacy Act. The concerns are in relation to the fact you can request voice recordings to be deleted or erased, which they are, however the text version of the recording or “text data memory” does not get deleted in the same request. Instead the text data memory is used for “machine learning purposes” and only gets deleted once the “machine learning training” is completed. However I am unable to find anywhere which states how long this process takes and confirmation of the how the text data memory is deleted.

These gadgets in our homes are meant to make our lives easier offering the facility to ask a questions and get the answer without having to physically type something into a search engine. On face value they do.  Whilst I do not have an Alexa or Cortana to speak to (as I feel Siri listens to enough), family and friends do own one and they use it all the time to play music, ask about the weather or news and even to settle an argument to see who is right or wrong. This includes usage by my 13 year old sister-in-law. When I queried my mother-in-law on the 13 year olds usage of the gadget, the response was, well what harm can it do, it helps her with her homework? Supporting the argument of making everyone’s life easier. But what happens when this easy life becomes difficult, and our data is compromised or is still being used 20 years later? Even if it is protected and safe, will my 13 year old sister-in-law understand what information is held on her now and may still be used in 20 years’ time? Unless the information is compromised, I’m sure no harm will come to us of the usage of our information 20 years down the line, but that doesn’t take away our right to know.

When amazon makes its policies and states Children should not use their devices without a parent/guardian present, why can’t Alexa be told not to respond to a particular voice as it’s a child? Does Amazon assume based on an Adult buying the device that consent has been given to collect the data of everyone who uses it? Food for thought I think.

Children are very technology smart in the sense they know how to use the gadgets, and this “know how” is improving each and every year. But the knowledge around the information they are submitting and how it’s used is something they very much don’t understand. There is currently a trend on Facebook whereby children (and adults) are doing something called the “FaceApp Challenge”, this is an app whereby you take a selfie and it shows you what you will look like in 40 years’ time. This sounds like all fun and games, but the terms of use are quite scary stating “You grant FaceApp consent to use the User Content, regardless of whether it includes an individual’s name, likeness, voice or persona, sufficient to indicate the individual’s identity. By using the Services, you agree that the User Content may be used for commercial purposes. You further acknowledge that FaceApp’s use of the User Content for commercial purposes will not result in any injury to you or to any person you authorized to act on its behalf. You acknowledge that some of the Services are supported by advertising revenue and may display advertisements and promotions, and you hereby agree that FaceApp may place such advertising and promotions on the Services or on, about, or in conjunction with your User Content. The manner, mode and extent of such advertising and promotions are subject to change without specific notice to you. You acknowledge that we may not always identify paid services, sponsored content, or commercial communications as such.”

However bringing this back to child privacy, within FaceApp’s Privacy notice it does state that “FaceApp does not knowingly collect or solicit any information from anyone under the age of 13. The Service and its content are not directed at children under the age of 13. In the event that we learn that we have collected personal information from a child under age 13 without parental consent, we will delete that information as quickly as possible. If you believe that we might have any information from or about a child under 13, please contact us.” The only criticism I have here is that do they take steps to see if they hold this data or wait to be advised?

Are companies doing the bare minimum to keep our children safe and leaving it up to parents/guardians to take the responsibility? I think so. Are parents/guardians fully aware and up to the challenge? I think not. Parents and guardians and in fact children need to be educated on how information is kept, by whom, how long for and what damage can be done if it falls into the wrong hands. I agree that companies like Amazon can’t fully stop children from using its devices, but it could put a few more safeguards in place. Whilst FaceApp terms and conditions are a bit out there, technically in order for it to be downloaded a child would have to have parent consent, obviously this is set by the controls on the device usually set up by the parents/guardians. Therefore FaceApp as a safeguard in place in that sense.

My final thought…. So much data is being collected by everything now, privacy policies are quite long and often overlooked for convenience or for the latest craze. I feel there should be a summary privacy policy which sits above the full document so people can begin to have a better understanding of what information they submit and how it is used. Also are we going to eventually run out of room to store all of this collected data!?