I was recently contacted via the WeLiveSecurity blog site by a senior journalism major at an American university, working on a research paper about child privacy and the internet, in particular the implications of the way that some parents (and guardians) post photographs and potentially sensitive information about their children to social networking sites. What are the privacy implications of the exposure of those data for those children when they have become adults?

While I’m usually happy to share the benefit of my own prejudices, I asked my colleague at ESET Lysa Myers if she had any thoughts on the topic, knowing that her interest in elements of security and malware that go far beyond her indisputable knowledge of the bits and bytes of malware, as her recent blogs for WeLiveSecurity bear witness. Two people don’t constitute a huge sample, even in the fairly small anti-malware research community, but at least we don’t represent the same gender and age group.

You might think this would be centred on the risks to minors from exposure to the attentions of school bullies and sexual deviants, and in fact I found it impossible to answer without some reference to this kind of exposure, but in fact the main thrust of the research is a little less dramatic, though by no means less important.

family

Family Photos on Social Media

We were asked whether there are ethical problems when parents or guardians of children post photos and information about their children online before the children are old enough to have had a say about their digital footprint, and if so, what the problems are.

I don’t suppose that most parents think of posting pictures of their children on (say) Facebook as any different to showing them to friends and relatives in the bar or at a family dinner: after all, they probably see it as being for the benefit of much the same people, only reaching more people.  We don’t usually regard it as an ethical question if parents take photos or home movies of their children long before those children can reasonably be expected to express a truly informed opinion about whether they want that footprint (digital or analogue) to exist. It’s natural to be proud of your children. It might be less fun for the audience, or for a child-turned-adult, but it’s probably not an ethical issue. Unless you regard it as a parent’s ethical – or even moral – responsibility to think about the difference between the online and offline contexts and act accordingly.

Data Persistence 

There are at least two related problems with a digital footprint, as compared to the non-virtual world. (1) Physical photographs and other documents are (scanners and photocopiers apart) in some sense unique objects. You put a photo back in your wallet or purse and, as far as other people are concerned, it’s gone. If you trust someone enough to give them a photo or other information, you either give yours away or you generate a copy. Put it on the web/social media and you lose control over it. It’s not just your friends and relatives who see (and, potentially, keep) a copy: unless they’re anal about what they post, where, and who is able to see it, then (potentially) it’s also available to their friends/contacts and even to complete strangers. (2) The digital world may seem transient because it’s ‘just’ bits and bytes pushed through a wire, but digital data are actually extraordinarily persistent. Taking a site down or deleting an email is rarely a guarantee that the offending object no longer exists.

What happens on the internet tends to stay on the internet, and not necessarily in a good way.

The Ubiquitous Digital Footprint

The enquirer suggested that it might be considered odd for children born in the past 5-10 years not to have or want some kind of online presence, but asked ‘... is it fair for children's parents to assume this about their children before their children have had the chance to decide whether they even want an online presence?’

I certainly know many people my own age or older who have declined to be silver surfers, and don’t have as much as a mobile phone, let alone a smartphone or a social media app. However, I’m not sure I know anyone under thirty who doesn’t have or want an online presence at all. But I can see that people might not, for many reasons, want to have their digital identity predetermined by their parents.

First Steps, First Footprints

Lysa commented:

I was just hearing from a friend about a set of parents who, for the birth of their child, created accounts in their child's name for all the major social networking sites. They also registered a website using the child's name as the URL. The intent was to reserve this space for their child, so that they could have a chance to create a digital presence from scratch, upon his or her 18th birthday. Until that day, these parents will not post pictures or details about the child online, so that the child can craft its online persona all on its own.

This struck me as an incredibly sweet and thoughtful gesture on the part of the parents. And yet it isn't necessarily feasible to keep a child's activities completely off the Internet - while friends and family may buy into this idea, more and more schools and organizations are posting pictures of children online. (That in itself may be cause for privacy legislation some day!) It might be possible to opt out of these picture days, but some children might feel like they're being excluded from cherished social moments in that case.

That certainly seems to show a scrupulousness about preserving the child’s privacy (and safety) that might cause many proud parents to think twice about their own readiness to post about their own children.

As it happened, I recently reviewed for Virus Bulletin an eBook by Tony Anscombe that makes a similar suggestion about buying web sites on your child’s behalf to prevent his or her identity being hijacked later on in life. There are actually practical problems with this – do you buy every possible TLD that resembles your child’s name, in the hope of preventing cybersquatting? What happens if providers go out of business? How many other variables might kick in?

But more relevantly to this enquiry, perhaps, what strings are attached to services that your parents acquire for you? Perhaps there are none, at least that the parent would regard as conscious manipulation, but the parent/child relationship is often extraordinarily subtle and complex, and control is an element of that relationship from both sides. Besides, it’s part of the process of maturation to want to become more independent and intent on making one’s own decisions.

When does Parental Responsibility become Snooping?

no entry

WeLiveSecurity blogger Rob Waugh recently cited in Two-thirds of parents spy “regularly” on children’s social media accounts a survey by VoucherCloud of 2,105 UK parents regarding the social media use of children aged 13-16.

  • 55% of parents made sure they knew the passwords used by their children to social network sites and 31% signed into such accounts on a regular basis without the child’s knowledge.
  • 45% of the parents claimed to know their child/children’s email password, whilst 36% knew their social media login details for at least one of their profiles.
  • Vouchercloud’s Matthew Wood was quoted as saying “It’s sad to see that some parents feel the only way they can assess what their children are up to is via a sly look at their social media.” I can’t disagree, but presumably a proportion of this ‘snooping’ is out of a concern for the child’s safety rather than curiosity and an urge to control, and that can certainly be seen as part of the parental role. But even accepting that argument, when does it become an unacceptable invasion of privacy? Many teenagers and not a few parents would probably think that minors are entitled to a measure of privacy long before the age of majority. And that if a parent feels compelled to monitor from time to time, all parties may be more comfortable if the possibility of occasional checking is at least openly discussed.

So when and if children’s photographs and identity-related data are posted by their parents while they’re still minors, what difference will it make to them when they reach the age where they can decide for themselves whether they want a digital presence at all?

Opting out of Social Media

Lysa commented:

That's something we have yet to really see. This is very much the norm now, rather than the exception. It may be that as these kids who have been born since the ubiquity of the Internet reach the age of majority, we could see a rash of lawsuits relating to their desire to erase childhood records from the web.

This is a very new and tricky area which will likely take decades to hash out to some reasonable degree. The people who are old enough to make legislation had a childhood pre-Internet that was not recorded, posted and indexed by search engines. So this sort of issue is not particularly pressing for them, and may not be until their own Internet-saturated children come of age. It may also be that this simply becomes so much a part of our post-Internet culture that the presence of compromising or embarrassing photos is considered de rigueur and that the absence of such things is more cause for concern.

Without disagreeing at all with those thoughts, my own opinion is that to some extent it depends on how careful the family has been. It’s not impossible – depending on the services used – to restrict access to friends and relatives, to prevent or at least restrict casual copying and mitigate the risk of unanticipated dissemination. In some cases they will take that much care, if only because of the horror stories about misuse of data relating to children in particular and other issues such as identity theft and various kinds of scam.

It’s possible to overstate the dangers of being online in general, so it’s very possible that even parents or guardians whose security awareness isn’t particularly high won’t be putting their tweens and teens into any great danger. At any rate, no greater danger than they might put themselves into, as they go through the painful process of making their own mistakes. But as I’ve said before, on the Internet data are generally persistent: whether that matters depends on the context.

Social Attitudes and the Anthropology of Technology

Victoria - Piazza Regina Valetta

It seems to me that the issues being raised here, while interesting and important, are one facet of a larger issue. Many of us who are still working were born in the 1940s/50s when World War II was barely over and the world was mostly run by people who had been (young) contemporaries of Queen Victoria and Theodore Roosevelt. Culturally and anthropologically, it’s not surprising that older people cling to mores and attitudes still resonant of parental authority and a world where the most prevalent communications technology was represented by radio, television and the telephone, but these were far less ubiquitous than the cell-phone and mobile computing (not yet quite the same thing!) are now.

Roosevelt

Our grandchildren (and their children, in some cases!) find it difficult to understand what it was like to live in a world so limited in a technological and informational sense. They have quite a different problem with information – while they understand the technology that makes it available far better than many of my generation, they have access to far too much data and lack the life experience to enable them to discriminate easily between good and bad data, information and misinformation. And our own children are stuck somewhere between those two worlds (and that includes some of the Wunderkinder of the dotcom and social media revolutions). It’s no wonder that our overall cultural and ethical development hasn’t kept pace with the technology that to some extent rules our lives.

My own daughter is well beyond the majority age, but grew up more aware than many of her generation of computing and related technologies, in part due to my work, and was an early adopter of social media.  Her own reaction to the publishing of photos was this:

...ultrasounds, baby photos etc. I think could be considered acceptable - at the end of the day a child is a child. Although maybe embarrassing, the photos do not have the same long term problems as, for instance, employers getting to see embarrassing drunken photos. I would say it’s about as unethical as showing the obligatory naked bath photo to a new boyfriend/girlfriend. If the child when old enough decides not to add to its digital footprint there is no long term harm done.

(We could get into deep discussion about the parental ‘right’ to embarrass one’s offspring, but this is a blog article, not a book :))

More contextual information such as full names and family information may present more of an ethical problem, in my book. My feeling is the issue comes alive when the information is fully traceable to those children, once they are old enough to judge for themselves whether they wish to have an online presence. If it is fully traceable then there may be issues but if not, the child can be separate from what then essentially becomes a whimsical if embarrassing look back on his or her childhood which it can choose to either acknowledge or ignore. I guess the point I'm making here is that it's a grey area, but very much depends on the level of information available.

It's an interesting subject which I hadn't really thought about before now (despite my friends list being full of pictures of babies and children) and I don't think that many people around my age have thought about it either.

Protective Parenting as Management Strategy

Rob Waugh’s article cites an article summarizing my contribution to a set of tips published by SafeSoundFamily almost a year ago: : Internet Safety for Kids: 17 Cyber Safety Experts Share Tips for Keeping Children Safe Online. Its relevance here, I guess, is that I was arguing for a a “gentle, guided introduction” at a very early age that would, potentially, enable parents to be more relaxed about a child’s ability to manage his or her own safety further down the line.

It may be the key is to achieve an acceptable balance between an authoritarian, protective-but-controlling model and a more laissez-faire model. (Hmm. Parenting as management strategy…) I suspect that for many people, there will be a shift from the first towards the second as the child gains maturity and is capable of greater independence. Trusting your children to make their own decisions is an important step towards ‘letting go’ in a wider sense.

The children of today seem to be eager to use technology and participate interactively in game-play and some form of social media from an early age. The age at which they should be allowed and even encouraged to do so, though, is – I think – still very much a parental decision. After all, a parent’s ability to preserve the child’s security and privacy at this point is, as Lysa suggests, a point of concern not only at the time or in the following months, but also when they become legally entitled to take control of their pre-majority records.

Having done a little work with schools (mostly at the behest of my wife, a former IT teacher), I’ve become aware of an interesting paradox. There’s a common stereotype that parents and grandparents know far less about technology than their children. In fact, a surprising number of students are fairly Luddite in their attitudes to information technology, at least as far as the formal teaching of technology is concerned. “Why do I have to learn about spreadsheets? I’m going to be a [mechanic/farmer/garbage collector…].”

Let’s disregard the fact that it’s hard to think of any occupation that could never require you to write a letter, construct a business plan, keep accounts, use a Facebook page for PR, evaluate the validity of a comparative review, or update your résumé. It seems to me that we’re talking about an implicit distinction between computing on a handheld/mobile device seen primarily as recreational, and business computing seen as closer to traditional Information Technology (IT) and computer science as taught in schools and colleges.

Skills, Responsibility and ‘Ageing Out’

Perhaps this tells us that there is a greater gulf than is usually acknowledged between young people who are highly skilled in computing and those who are adept at the use of social media on consumer devices. If I’m right, it’s possible that those in the first group are better equipped on average to protect themselves in terms of security and privacy than many who fall into the second group.

And also to exploit those who are less technologically savvy, if they so choose. I’m not aware of any useful current research – equivalent to Sarah Gordon’s research into virus writers in the 1980s and 90s – that might tell us about ethical development in modern malware creators. However, my suspicion is that the shift in recent years away from hobbyist virus writing and towards malware for profit has raised the age at which malware authors might ‘age out’ (move towards a less antisocial position).

Further Discussion/References

Finally, here are some more relevant references and resources:

  • The book review I mentioned above is available to Virus Bulletin subscribers here: Don't forget to write.
  • Tony Anscombe’s book is here: One Parent to Another: Managing Technology and Your Teen.
  • The other book mentioned in the review, by Sorin Mustaca, is Improve Your Security. It’s less focused on teen/child issues, but does nevertheless include some relevant commentary.
  • Here’s a resource I wouldn’t have known about if I hadn’t been asked to contribute to it, and I certainly don’t agree with every opinion that was expressed there, but you may find some content there that’s of interest to you.

Unfortunately, Sarah Gordon’s papers, which made a huge contribution to our understanding of malware writers at the time, seem to be pretty hard to find on the internet these days. I’m thinking in particular of The Generic Virus Writer (written for the fourth Virus Bulletin Conference in 1994) and the follow-up paper The Generic Virus Writer II (for the 6th VB conference in 1996).

Photograph of Theodore Roosevelt from the Library of Congress
Other photographs by permission of Small Blue-Green World

David Harley
Lysa Myers
Katherine Harley