How apps capture your kids’ data—without you even knowing

BY HEIDI BOGHOSIAN

Disclosures that the National Security Agency is engaged in widespread surveillance of Americans and others, including allied nations, have generated much apprehension and dominated the public discourse. Absent from media analysis, however, is a discussion of how children—perhaps the most vulnerable and impressionable members of society—are affected by ever-present surveillance and data-gathering techniques.

The following excerpt from Spying on Democracy addresses how children’s online activities and use of mobile apps put them risk of handing over personal information to corporate marketers, often without parental consent or awareness of the long-term consequences. Several factors facilitate this: Advertising to children is generally less regulated in the United States than in other countries, children develop computer proficiency earlier than they develop the ability to differentiate between advertising and other content, and legal protections have not kept apace with new forms of technology.

…

As soon as children are able to play police-type games, watch television, or strike a computer key, they are exposed to a wide variety of corporate solicitation. Toys such as Playmobil’s Security Checkpoint help habituate them to accept daily surveillance. Designed for four- to seven-year-old children, the toy’s characters are a female traveler and two airport security guards equipped with a hand scanner and a full-body X-ray screening machine. Parents’ reactions range from dismay that “Security Checkpoint” normalizes surveillance to praise that it exposes youngsters to the realities of constant monitoring.

McDonald’s, the Walt Disney Company, and a host of other corporations try to access children as early as possible by routinely engaging in deceptive, inherently exploitative marketing practices. Any parent familiar with games like Angry Birds also recognizes the constellation of commercial click-through ads and cartoons that have been designed to create consumer desire in their children. Online ads and websites coax children to befriend fantasy creations of corporate empires and then gather personal information in the process. Data aggregators collect that information to sell to third parties for commercial use.

Children raised on computers develop technical proficiency at an early age. Despite that mechanical aptitude, they do not simultaneously develop the media literacy required to distinguish commercial inducement from other forms of content. They also do not comprehend the consequences of sharing personal information, such as toy preferences, favorite foods, or their names and addresses. Aggressive, all-too-clever techniques enable corporations to capture personal information from millions of children. Legal and regulatory protections have failed to keep pace with ever-changing technology and the methods used to target and expose children to corporate persuasion.

As a result, children are primed to be up-to-date consumers long before they learn what it means to be informed and engaged citizens.

Enticing an impressionable audience

A great deal of children’s television viewing consists of exposure to commercial advertising often visually indistinguishable from the cartoons or fantasy programs surrounding it. In a conservative calculation of children’s exposure to television advertising, the Federal Trade Commission estimated that children ages two through eleven watched nearly 26,000 ads in 2004. A few years earlier, ad agencies had been consulting with psychologists to help them market to children as young as three. In response to a request in 1999 from dozens of psychologists and psychiatrists, the American Psychological Association called for an investigation into the practice of using their profession “to promote and assist the commercial exploitation and manipulation of children.”

In addition to television commercials, Internet ads bombard children with a range of virtual worlds populated by fantasy characters that corporations create to increase demand for their products. The lines between substance and commerce are often intentionally blurry, and advertising frequency is high. According to Susan Linn, from the Boston-based Campaign for a Commercial-Free Childhood, the United States lags behind other industrialized democracies in regulating children’s exposure to corporate persuasion.

Food industries, including Coca-Cola, Nestlé, McDonald’s and Kellogg’s, use online engagement-based marketing to get children to associate their brand with enjoyable activities. McWorld, a game featured on McDonald’s website, provides an example of the methods corporations use to foster emotional relationships and then capture personal data for targeted selling campaigns. In McWorld users create characters and go on quests. Along the way, McWorld prompts them to enter codes from Happy Meal boxes to unlock special gear for their online characters.

McDonald’s was forced to change its Happy Meal website after privacy advocates filed a complaint with the Federal Trade Commission in 2012. The company removed its forward-to-a-friend option, which encouraged children to email e-cards, links, and photos to friends and family. Led by the Center for Digital Democracy (CDD), 14 groups cited five corporations that used theme websites aimed at the young to engage in commercial exploitation of children by enticing them to play online games or engage in online activities and then encourage them to share their experiences by giving email addresses of their friends. In the complaint five companies and their sites—General Mills, Inc. and its TrixWorld.com and ReesesPuffs.com sites; Turner Broadcasting System’s CartoonNetwork.com; Viacom Inc.’s Nick.com site; and Doctor’s Associates Inc. and its SubwayKids.com site; in addition to McDonald’s Corporation’s HappyMeal.com site.option—were charged with circumventing the Children’s Online Privacy Protection Act of 1998 (COPPA), which governs the collection of online data from children under the age of 13. The watchdog and privacy organizations urged the Federal Trade Commission (FTC) to investigate and end “refer-a-friend” practices because they fail to mandate obtaining consent from the parents of children whose emails were shared.

New meaning to oppression and reward

To appreciate the extent to which corporations exploit any interaction with a child for monetary gain—and arguably groom future generations of compliant buyers—one need only count how few recreational pastimes are commercial-free or educational. Self-contained worlds erected in theme parks take full advantage of children’s attention. In 2002, Stone Mountain Theme Park near Atlanta, Georgia, replicated a 1870s-style barn in which children moved from station to station, earning points by completing farming tasks. Young “farmers” entered personal identifying information on a computer. The information was then embedded into radio-frequency identification (RFID) tags in bracelets. Waving a bracelet over a “magic spot” (an RFID reader) stored each child’s points and posted them on an electronic scoreboard. The RFID transponders were made by Texas Instruments and supplied by Precision Dynamics Corporation, the world’s largest maker of wristbands. Precision Dynamics began manufacturing RFID-embedded bands in 2000 and has watched demand grow steadily, especially for crowd control, healthcare-related functions, and theme park management.

Visitors at Walt Disney World in Orlando, Florida, can skip long lines at entrance turnstiles and eliminate the need for cash and credit cards when buying food and merchandise, also by waving banded wrists. To avail themselves of this convenience they must turn over, as Stone Mountain visitors do, identifying information and consumer habits to Disney. Sharing a date of birth can result in Cinderella greeting a child by name on his or her birthday. It is not without irony that the figurehead for this particular aspect of corporate profit generation is the beloved fairy tale character who represents the oppressed woman and exploited laborer who ultimately obtains her reward.

Disney World attracts up to 30 million visitors annually. The estimated investment of nearly $1 billion in RFID technology is worth it given that it helps to groom children—who may someday bring their own children to Disneyland—to become repeat consumers of whatever products Disney may sell. Although other theme parks, such as Great Wolf Resorts, have used RFID chips for years, the sheer size of Disney’s global parks operation, exceeding 120 million admissions annually, and generating nearly $13 billion in revenue, is so enormous that it is a standard-bearer for influencing young behavior.

Apps capture kids’ data

Parents find corporate methods for collecting information from their children even more troubling than potential interactions with strangers online. When 802 parents were asked to list concerns about their teenagers’ use of social networks and online habits, 81 percent were worried about exposing children’s personal information to advertisers, whereas 72 percent were concerned about interactions with online strangers. The Pew Internet Project and the Berkman Center for Internet & Society at Harvard University collaborated in the study, which also revealed that parents are increasingly monitoring their children’s behavior on social-networking sites and are conducting Internet searches to determine what information is displayed publicly about them. While social networking sites such as Facebook are required to gain parental consent before gathering data on children under thirteen years of age or affording them access to interactive features that let them share personal information with others, many children lie about their ages in order to gain fuller access, clicking through to wherever ads may lead.

Apps are adding to parents’ collective headache. Apps are software applications, usually for mobile devices, that perform a variety of functions, including information retrieval. Their enormous popularity has spawned a virtual explosion in the development of a wide range of functions. Although many apps are fun, they are also insidious trackers able to pinpoint and store a child’s physical location, the telephone numbers of their friends, and more. Third parties can then create detailed profiles of minors without parental knowledge or consent. Not surprisingly, the FTC found in a survey of four hundred popular children’s apps that only 20 percent disclose their practices on data collection.

The FTC report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” noted that nearly 60 percent of the apps reviewed sent information from the personal device to the app developer or to third parties, such as advertising networks or analytics companies. Noting that nearly 80 percent of consumers believe that data on their personal devices is private, the FTC staff authors wrote that, in fact, information from children’s apps being shared with third parties (without disclosure to parents) included geolocation, telephone numbers, and the device identification. Even when applications such as the top-selling Angry Birds disclose their data-collection practices in Web-posted policies, they don’t offer an opt-out choice. Angry Birds’ maker, Rovio Entertainment, directs customers who do not want their data gathered or who don’t want targeted ads to two other websites—youradchoices.com and networkadvertising.org—to opt out. (Each site displays a list of participating companies that have enabled customized ads for the user’s browser. Visitors are then given the option to check a box next to the ones they want to opt out of.) Rovio acknowledges that some companies disregard the opt-out lists. One trade group representing app developers said the industry’s growth is fueled largely by small businesses, first-time developers, and even high school students without access to either legal counsel or privacy experts.

W3 Innovations, a designer of games for mobile telephones, in 2011 settled a lawsuit brought by the FTC alleging that the company violated the COPPA by unlawfully collecting and disclosing personal data from tens of thousands of children under age thirteen without parental consent. Marc Rotenberg of the Electronic Privacy Information Center (EPIC) testified in 2010 before the Senate Commerce Committee that COPPA needed to be updated to clarify its application to mobile-devised and social networking services.

The social game site RockYou was ordered to put in place a data security program and pay a quarter of a million dollars in penalties after inadequate security resulted in hackers gaining access to the personal data of 32 million users. RockYou agreed to pay $250,000 in civil penalty for violations alleged in United States v. RockYou Inc. that it violated COPPA by knowingly gathering the email addresses and passwords of approximately 179,000 children without first obtaining their parents’ consent.

Is spying on children ever acceptable?

More and more, parents watch their children’s online activities to make sure they stay out of trouble. AVG Technologies found that 44 percent of parents monitored children in the 14-to-17 age group. To accommodate this growing practice, a wide range of digital monitoring systems has been developed to watch iPhone, cell phone, and Internet activities. Such software, dubbed spyware, allows for surreptitious watching, recording, and filtering of online activities including sites visited, files transferred, keystrokes, chats, and more.

While safety issues may occasionally justify secret surveillance policies by parents, cases such as an instance in Pennsylvania involving nonparental parties, reveal potential abuses. Harriton High School students had no idea what was hidden in the computer laptops that their school had given them. A “one-to-one” laptop computer initiative, partially funded by state and federal grants for technology, was supposed to implement what the school called “an authentic mobile 21st Century learning environment.” However, in a remarkable display of audacity, school district administrators were remotely activating built-in laptop cameras to watch students’ behavior in the privacy of their own homes.

School officials notified Blake Robbins’s parents that he was engaging in improper behavior at home. When Blake’s parents went to school, administrators showed them a photo of Robbins taken by the remote camera. Only then did the Robbins family learn that the school had spied on him. In response to a 2010 class action suit on behalf of all students who were issued laptops, Robbins v. Lower Merion School District, school officials reached a $610,000 settlement and admitted that the computers included webcam software that could be remotely activated to view minors surreptitiously, but denied any wrongdoing.

Other pervasive practices of collecting data from children’s online activities may not appear as patently objectionable as the Harriton High incident, but the consequences may last a lifetime. As they grow, children become habituated to a corporate infrastructure that entices them to unknowingly barter away their privacy.

Heidi Boghosian is the executive director of the National Lawyers Guild, a progressive Bar Association established in 1937. She co-hosts the weekly civil liberties radio program, Law and Disorder, which airs on Pacifica’s WBAI in New York and on over 50 national affiliate stations around the country. She has published numerous articles and reports on policing, protest, and the First Amendment, She is admitted to practice law in Connecticut, New York, the Southern District of New York, and the U.S. Supreme Court. She lives in the East Village of New York.

This excerpt from Spying on Democracy is published with permission from the publisher, City Lights Publishers.