Children's personal information isn't supposed to be an online commodity. But whether kids are using Google apps at school or Internet-connected toys at home, they're generating a stream of data about themselves. And some advocates say that information can be collected too easily and sometimes, protected too poorly.
Last month, a hacker stole personal information and photos of more than six million children after breaking into the computer records of a educational toy company, VTech.
VTech says that they've since hired a security company to deal with the breach. That might not be enough to convince Congress — Sen. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas) sent a letter to VTech, wanting to know if the company is complying with a law called the Children's Online Privacy Protection Act.
The issue, of course, spans beyond VTech. In the toy world, there's the new Internet-connected Barbie doll, which has also been found to have security flaws, for example. And privacy advocates have long waged a battle against cookies and other data collection based on kids' Internet activity.
Google is one of the companies that have come under fire. A nonprofit advocacy group called Electronic Frontier Foundation has filed a complaint with the Federal Trade Commission over Google's data mining practices. More than half of classroom computers in the U.S. are Chromebooks and many students and teachers are using Google Apps For Education, a group of tools that include Gmail, Google Calendar, Google Docs and the purpose-built Google Classroom.
Anya Kamenetz of NPR's Ed Team and Lorenzo Franceschi-Bicchierai, a staff writer for the tech news website Motherboard who has reported on the VTech data hack, spoke to All Things Considered about the issue of children's privacy. Here are a few takeaways.
On the VTech hacker's motivation
He realized their services were really easy to break into. And he just took a peek in and found there was a lot of personal data and he was like, whoa, I should not be able to get this.
On what the hacker discovered
He analyzed it (the data) a little bit further, and he realized that you could actually link the two databases, and basically figure out who the kids were. The children database only had their first names, so you couldn't really identify the children because you only had Mike, Lucy, Sarah, whatever. But from some other data in the files, Troy Hunt (an Internet security analyst) realized that you could actually link the two databases and figure out who the kids were, who were their parents, and effectively find where the kids lived and all this creepy information.
On sharing addresses with toy companies
If you're a parent and you buy a V-Tech toy, put in a fake address. If the company doesn't need that address, you might want to not give it out. And that way, there's no damage there.
On planning for the future
The big takeaway here is that these things can happen, and as we connect more stuff to the Internet, we're going to lose data. That's unfortunate but that's the reality. So we have to accept it and find ways to limit the damage if it happens — and also, hold more companies accountable as well.
On what happens when you type a search into Google
When you or I are logged in to Google, whether we're using search, or Maps, or gmail, we have one account and that's following us around — sometimes literally in the physical world — and it's collecting information. When you're logged in and using Chrome, which is their web browser, Google can actually, with permission, track your entire browsing history, every site you visit. And Google uses all this data to better target ads and search results and to improve its services, not only for you but for everyone.
On why that can pose a problem in schools
For students, the rules are supposed to be a little bit different. When students are using the Google Apps for Education and "Core Services" within them — gmail, docs, sheets, slides — Google says that they don't collect personal data to target ads. In fact, they stopped collecting student data for ad-targeting last year after a California lawsuit questioned that practice.
But the EFF says that there's a little bit of a sliding door, a back door: when students are logged into their student Google accounts but they're using other Google services like YouTube videos or they're searching Maps — that Google is collecting that information after all. And when students are using Chrome on these school-issued computers, they're browsing the web and Google potentially has access to their entire browsing history as well.
On legal implications of such data collection
Well, that depends on who you ask. Google denies any wrongdoing here. They have signed a voluntary but binding pledge called the Student Privacy Pledge, along with 200 other companies. And that pledge says that Google will seek parental authorization before collecting data that isn't being used explicitly for educational purposes. And EFF told me that they're not necessarily digging into what Google is doing with this information, they just want Google to get permission.