Who is harvesting your child’s data online and what can you do about it?

by Aebha Curtis

Recently, the Human Rights Watch (HRW) released its report, “How Dare They Peep into My Private Life?”. The report revealed the extent to which children’s rights were violated by government-endorsed online learning platforms during Covid-19 lockdowns: 146 of 164 government-endorsed EdTech products endangered the privacy of children, with 199 third-party companies receiving personal data.

The report details the various means by which these EdTech products track users, collect their personal data and share, sell, trade or transfer that data with third parties. One of the more alarming sections of the report describes how some persistent identifiers related to users’ devices cannot be removed (despite privacy settings or factory reset) and are permanently connected to a person’s digital lives by bridging with online identifiers.

Another section of HRW’s report relays how 30% of the EdTech apps, endorsed by Governments for children to use, “granted themselves the ability to collect precise location data, or GPS coordinates that can identify a child’s exact location to within 4.9 metres.”

Just before that, the report describes a New York Times investigation that determined that just two precise location data points is enough to identify a person: “journalists were, for example, able to identify a single child and where they live by tracing their daily route from home to school.”

The HRW details in its report several recommendations to multiple different stakeholders. Their recommendations to governments include facilitating “urgent remedy for children whose data were collected” by conducting data privacy audits and remove those that fail the audits, require them to identify and delete children’s data collected during the pandemic and require any AdTech companies to also immediately identify and delete children’s data that they received from those companies.

Across the various groups of stakeholders, the HRW recommends that companies provide (or are obliged to provide) age-appropriate and easy-to-use mechanisms of redress for children and parents. The Watch also calls for the banning or ceasing the profiling of and behavioural advertising to children as well as supply chain transparency.

However, throughout the report, no mention is made of child age verification. The requirement for informed and explicit consent is mentioned, particularly with regard to parental consent in those countries where data protection laws call for it, but little consideration is given to the implementation, governance and trustworthiness of these two processes — the first which is an implied need and the latter a stated need with no elaboration provided.

It is critical that in the deployment of mechanisms designed to ensure that children’s privacy is protected, such as age verification that can be used to determine how to process/manage/control a user’s data according to their age, we consider the additional layer of privacy concerns that could be introduced. For example, those age assurance assurance solutions which rely on biometric information are introducing new data points about users into the ecosystem which may in fact render their privacy more vulnerable.

Other methods of age assurance generate new or synthetic data points about individuals. Age estimation, for example, may draw upon multiple signals, including biometric ones as well as ones relating to behaviour or language processing. Several issues arise from these methods. For example, the insertion of synthetic data points (age estimates) into the data ecosystem is not helpful from a child rights perspective: fallible age estimation associating individuals with incorrect age bands is against children’s rights, could exclude them, may be upsetting and will be disruptive to their ability to exercise their data rights. And, during the gathering phase of these processes, how is informed and explicit consent collected in line with local data protection laws from individuals whose ages have not yet been determined? Is it to be gathered from parents after the fact?

The almost absolute inaccessibility (either in terms of interpretability or clear reporting pathways) of such systems to parents and children presents additional challenges in terms of flagging false results and the harms encountered consequently.

It is no surprise, then, that there has been a major surge in international activism promoting the rights of digital citizens in the face of algorithms known to drive online harms. Check My Ads, for example, is aiming to defund disinformation by “apply[ing] public pressure on the hidden engines of the online advertising world: ad exchanges.” Ad exchanges are grappled with in the HRW report and routinely leverage illegally or unethically collected data about children to inappropriately target them and shape what they are seeing and what experiences they can have online.

TrustElevate’s own campaign, #StrongerTogetherOnline, aims to effect change by bringing together the voices of children, parents and responsible companies to combat these profit and data-driven engines.

The HRW’s report highlights continuously in its recommendations the need for age-appropriate redress mechanisms as well as the ongoing violation of children’s rights at the hands of both governments and private entities, despite the laws put in place to prevent that. It has become abundantly clear that transparency and accountability have not been built into our digital ecosystems and movement has been slow in bringing them to the fore.

Children deserve to learn, grow and play online without being continuously surveilled. We need to think carefully about the mechanisms that we deploy to minimise surveillance and consider the unintended consequences of those mechanisms. Guesstimation is not enough and, in fact, may work to compound the problem at hand. Rather than feel helpless against the might of thousands of companies involved in harvesting and selling of your data, parents and teens can mobilise and combine their voices to effect change and fight against datafication and corporate surveillance.

TrustElevate is a tech solution for child age verification and parental consent. If you would like to ensure your voice is heard in the fight against online harms, click here to join our #StrongerTogetherOnline campaign.