Children's personal information isn't supposed to be an online commodity. But whether kids are using Google apps at school or Internet-connected toys at home, they're generating a stream of data about themselves. And some advocates say that information can be collected too easily and sometimes, protected too poorly.
Last month, a hacker stole personal information and photos of more than six million children after breaking into the computer records of a educational toy company, VTech.
VTech says that they've since hired a security company to deal with the breach. That might not be enough to convince Congress — Sen. Ed Markey (D-Mass.) and Rep. Joe Barton (R-Texas) sent a letter to VTech, wanting to know if the company is complying with a law called the Children's Online Privacy Protection Act.
The issue, of course, spans beyond VTech. In the toy world, there's the new Internet-connected Barbie doll, which has also been found to have security flaws, for example. And privacy advocates have long waged a battle against cookies and other data collection based on kids' Internet activity.
Google is one of the companies that have come under fire. A nonprofit advocacy group called Electronic Frontier Foundation has filed a complaint with the Federal Trade Commission over Google's data mining practices. More than half of classroom computers in the U.S. are Chromebooks and many students and teachers are using Google Apps For Education, a group of tools that include Gmail, Google Calendar, Google Docs and the purpose-built Google Classroom.
Anya Kamenetz of NPR's Ed Team and Lorenzo Franceschi-Bicchierai, a staff writer for the tech news website Motherboard who has reported on the VTech data hack, spoke to All Things Considered about the issue of children's privacy. Here are a few takeaways.
On the VTech hacker's motivation
He realized their services were really easy to break into. And he just took a peek in and found there was a lot of personal data and he was like, whoa, I should not be able to get this.
On what the hacker discovered
He analyzed it (the data) a little bit further, and he realized that you could actually link the two databases, and basically figure out who the kids were. The children database only had their first names, so you couldn't really identify the children because you only had Mike, Lucy, Sarah, whatever. But from some other data in the files, Troy Hunt (an Internet security analyst) realized that you could actually link the two databases and figure out who the kids were, who were their parents, and effectively find where the kids lived and all this creepy information.
On sharing addresses with toy companies
If you're a parent and you buy a V-Tech toy, put in a fake address. If the company doesn't need that address, you might want to not give it out. And that way, there's no damage there.
On planning for the future
The big takeaway here is that these things can happen, and as we connect more stuff to the Internet, we're going to lose data. That's unfortunate but that's the reality. So we have to accept it and find ways to limit the damage if it happens — and also, hold more companies accountable as well.
On what happens when you type a search into Google
When you or I are logged in to Google, whether we're using search, or Maps, or gmail, we have one account and that's following us around — sometimes literally in the physical world — and it's collecting information. When you're logged in and using Chrome, which is their web browser, Google can actually, with permission, track your entire browsing history, every site you visit. And Google uses all this data to better target ads and search results and to improve its services, not only for you but for everyone.
On why that can pose a problem in schools
For students, the rules are supposed to be a little bit different. When students are using the Google Apps for Education and "Core Services" within them — gmail, docs, sheets, slides — Google says that they don't collect personal data to target ads. In fact, they stopped collecting student data for ad-targeting last year after a California lawsuit questioned that practice.
But the EFF says that there's a little bit of a sliding door, a back door: when students are logged into their student Google accounts but they're using other Google services like YouTube videos or they're searching Maps — that Google is collecting that information after all. And when students are using Chrome on these school-issued computers, they're browsing the web and Google potentially has access to their entire browsing history as well.
On legal implications of such data collection
Well, that depends on who you ask. Google denies any wrongdoing here. They have signed a voluntary but binding pledge called the Student Privacy Pledge, along with 200 other companies. And that pledge says that Google will seek parental authorization before collecting data that isn't being used explicitly for educational purposes. And EFF told me that they're not necessarily digging into what Google is doing with this information, they just want Google to get permission.
KELLY MCEVERS, HOST:
Your children's personal information is not supposed to be an online commodity. But whether kids are using Google apps at school or Internet-connected toys at home, they are generating a lot of data about themselves. It's getting stored in the Cloud, and some advocates say there aren't enough protections in place to keep it private. We're talking about kids and privacy today for All Tech Considered.
(SOUNDBITE OF MUSIC)
MCEVERS: A complaint has been filed with the Federal Trade Commission against Google for spying on students. The nonprofit advocacy group known as the Electronic Frontier Foundation accuses Google of harvesting way too much data about kids in the classroom. More than half of all classroom computers in the U.S. are Google Chromebook computers. And the EFF says Google gets all kinds of information about children from these devices and from Google's educational apps and then stores it, potentially using it for targeting kids with ads. For more on this issue, we turn to Anya Kamenetz of our NPR Ed team. And, Anya, let's get more specific. What exactly is the Electronic Frontier Foundation alleging that Google is doing?
ANYA KAMENETZ, BYLINE: So this requires a little context. When you and I are logged into Google, whether we're using search or Maps or Gmail, we have one account. And that's following us around, sometimes literally in the physical world, and it's collecting information. And when you're logged in and using Chrome, which is their really popular web browser, Google can actually, with permission, track your entire browsing history - every site you visit. And Google uses all this information to better target ads and search results and to improve its services not only for you but for everyone.
MCEVERS: OK, so what's the problem here? I mean, that's how these services work, right?
KAMENETZ: Yes, but for students, the rules are supposed to be a little bit different. So when students are using the Google apps for education and core services within them - Gmail, Docs, Sheets, Slides - Google says that they don't collect personal data on those students using those educational apps to target ads specifically. And in fact, they stopped collecting student data for ad targeting last year after a California lawsuit questioned that practice.
But the EFF says that there's a little bit of a backdoor. When students are logged in to their student Google accounts but they're using, you know, other Google services like YouTube or they're searching Maps, Google is collecting that information after all. And when students are using Chrome on the school-issued Chromebooks, they're browsing the web, and Google potentially has access to their browsing history as well.
MCEVERS: OK, so that does sound creepy, but is it against the law?
KAMENETZ: Well, that depends on who you ask. You know, Google denies any wrongdoing here. They have signed a voluntary but binding pledge called the Student Privacy Pledge along with about 200 other companies, and that pledge says that Google will seek parental authorization for collecting data that isn't being used explicitly for educational purposes. And in this state, it would fall under that category because it's being used, perhaps, to better target Google's results in general but not for educational purposes.
And the EFF told me, though, that they just want Google to get permission. They want a dropdown the menu. They want students and parents of the students who are younger to be able to give permission before releasing or allowing this kind of data collection.
MCEVERS: Is that likely to happen?
KAMENETZ: Well, the politics of this are pretty complicated, as are the technological questions at stake. You know, EFF is raising these complaints as part of a broader student privacy campaign, and they're trying to strengthen a bill that's currently in the works in California. It's worth pointing out as well that there's a lot more action and a lot more rules around student privacy specifically than there is around children's privacy more generally. So you know, EFF's targeted this complaint - a student may be using a Chromebook to Google things in the school library, and they're not seeing any ads. But then they get home and say they turn on YouTube Kids, and they're being bombarded with ads. So you know, there really are a lot of loopholes here, a lot of uncharted territory, and I think a lot more work that needs to be done.
MCEVERS: That's Anya Kamenetz of the NPR Ed team. Thanks so much.
KAMENETZ: Thanks, Kelly.
AUDIE CORNISH, HOST:
Hackers are a threat to kids, too. Last month, the personal information and photos of more than 6 million children and their parents was stolen from a toy company.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED MAN: VTech has done it again - the new InnoTab 3S.
CORNISH: That's an ad for a children's tablet by VTech, which makes all sorts of other electronic toys.
MCEVERS: That tablet comes with a camera and the ability to text.
(SOUNDBITE OF ARCHIVED RECORDING)
UNIDENTIFIED MAN: Send text and voice messages, animated stickers, kids' own drawings, photos and more right to your smartphone.
MCEVERS: A few weeks ago, VTech says a hacker cracked into its customer database and grabbed children's names, addresses, passwords, birthdates and more, information that parents and their kids enter into VTech's website to use certain functions of their toys.
CORNISH: That hacker then went to the media to a tech news website called Motherboard to publicize the theft.
LORENZO FRANCESCHI-BICCHIERAI: This hacker reached out to me via encrypted chat, and he told me, I found something interesting that you might be interested in.
CORNISH: That's Motherboard staff writer Lorenzo Franceschi-Bicchierai.
FRANCESCHI-BICCHIERAI: What he told me was that basically, he found about this company. He just got curious, and he realized that their services were really easy to break into. And he just took a peek in, and he saw that there was a lot of personal data. And he was like, whoa, I should not be able to look at this.
CORNISH: Franceschi-Bicchierai says the hacker sent samples of what he had stolen to prove he had broken into VTech's database. That included kids' selfies.
FRANCESCHI-BICCHIERAI: He was able to download more than 190 gigabytes of pictures. And he showed me a few of them.
CORNISH: The hacker claims he used something known as SQL - or an S-Q-L attack - to grab all that data. And internet and security analyst Troy Hunt says VTech seriously dropped the ball.
TROY HUNT: It's the number one recognized risk on the web today. It's very, very easily discoverable. It's easily exploitable, and it has an enormous impact. And anyone who works building software certainly should know about this, but you know, here we are with all this data out there.
MCEVERS: Now Congress is getting involved. Massachusetts senator Ed Market and Texas representative Joe Barton sent a letter to VTech.
CORNISH: They want to know if the company's complying with a law called the Children's Online Privacy Protection Act. But Motherboard writer Lorenzo Franceschi-Bicchierai says you can't rely on a toy company to protect a child's privacy.
FRANCESCHI-BICCHIERAI: If you're a parent and you buy a VTech toy and they ask for your children's name or your home address and, you know, maybe don't, you know - input, like, a fake name or a fake address. You know, if the company doesn't need that address, you might want to, like, not give it out. And at that point, you know, even if they use it, then there's no damage there.
MCEVERS: VTech didn't reply to our request for comment. In a press release, the company says it has hired a security firm to help design a more secure approach to storing data. Transcript provided by NPR, Copyright NPR.