How Best to Protect Kids Online

Straits Times illustration

How many “friends” does your child have online? Who reads her blog or sees the pictures she uploads? And what survey forms is she filling in to win a chance at a prize?

Some parents will know some of the answers to some of these questions. But it is highly unlikely that any parents would know the answer to all.

This highlights an important gap in Singapore’s new personal data protection law, introduced in Parliament last month. [10 Sept 2012]

All in all it is a good piece of legislation — balancing the interests of consumers and corporations, while maintaining the flexibility to deal with the fast-changing world of information technology. Many jurisdictions presently find themselves stuck with laws written before Facebook, at a time when “tweets” were sounds made by birds.

Some critics have highlighted the fact that the law does not extend to government agencies, though it is not unheard of to have separate regimes for the public and private sector.

Another area in which the legislation arguably falls short, however, is in its failure to provide special rules for the personal data of children.

To be sure, many regimes adopt this approach. The European Union’s 1995 Data Protection Directive, for example, does not refer to children as such, relying on parents to take any special measures required on their behalf.

That approach appears to rest on two implicit assumptions. First, that parents are aware of their children’s activities online. Second, that parents are in a position to help guide their children in making appropriate decisions.

Neither assumption withstands much scrutiny when compared to the actual online behaviour of children (and their parents).

Many children quickly become adept at hiding their activities. Even if parents implement reasonable restrictions — such as only using computers in open areas of the home — a child might reasonably seek to keep certain conduct private. In social media forums, for example, “POS” is widely understood Internet slang for “parent over shoulder”.

A child may also have a better understanding of emerging technology than his or her parent. You would do well to think twice before accepting a challenge to an “Angry Birds” competition against a seven-year-old.

What children lack, however, is the perspective to foresee the possible consequences of posting information online. A graphic recent example was the girl in the Dutch village of Haren who posted an open invitation to her 16th birthday party on Facebook. When 20,000 people replied, she was persuaded to cancel the party and her family fled town. More than 3,000 still turned up, and in the drunken antics that followed two cars were set on fire and 34 people were arrested.

Other consequences can be much more serious, like cases of sexual predators “meeting” children online. More commonly, companies that market to children have a clear interest in gathering data on their spending habits and being able to market to them directly.

In the United States, the Child Online Privacy Protection Act (COPPA) was adopted more than a decade ago. It imposes significant restrictions on sites that are likely to gather personal data of children aged under 13. Among other things, it requires “verifiable parental consent” and limits the use of any data collected.

Though it is still possible to collect data, many U.S. sites now prohibit users under the age of 13 entirely — most prominently Facebook.

The U.S. is in fact looking at tightening these restrictions after revelations that the McDonald’s HappyMeal.com website had encouraged children to upload photos and then stored them in a publicly accessible directory.

Similarly, the EU is now looking to update its 1995 Directive, among other things adding a provision covering the personal data of children.

Singapore’s proposed legislation does allow for regulations to be made concerning the application of the new law to minors, so it is possible that this issue will be revisited. If that happens, it will be necessary to be realistic about the extent to which any such laws will have an impact.

Among the hurdles will be the blithe attitude of some adults. There is anecdotal evidence, for example, that parents and even teachers allow or encourage primary school children to open Facebook accounts by lying about their age.

More generally, many primary schools send mixed signals to their students by posting photos (and sometimes names) on blogs, or requiring students to sign up for online educational programmes run by private companies.

Even assuming the good faith of adults, barriers to policing children’s online activities will remain.

Verifiable parental consent in the U.S. is typically sought through the submission of a credit card number or email, though these may be easily obtained by an enterprising child.

Alternative means of verification include provision of a handphone number, perhaps with some confirmation being sent via SMS — though an increasing number of children have their own phones. (As a result, some companies rely on the low-tech solution of “snail mail” — a letter.)

Operational questions aside, the key question is whether children should be treated as typical “consumers”.

New laws in the U.S. and Europe may offer some protection on the sites of companies like Facebook and McDonald’s. But as Singapore develops its own regime, it offers an opportunity to think how best to protect children from the downside of information technology.

Law will play an important role, but so will education about the changing ways in which we share information and what is truly “personal”. And it is not just our children who need to be educated.

The writer is the dean of the National University of Singapore Faculty of Law.

Published in the Straits Times on 13 October 2012.