One small step… … and a giant data foot­print for your child

The chil­dren’s data pro­tec­tion law is all we need, right? Harry de Quet­teville puts it to the test and is shocked by the re­sults

The Daily Telegraph - - News Review & Features -

What does your child get up to on the in­ter­net? Per­haps, very oc­ca­sion­ally, if there’s noth­ing on Cbee­bies, you al­low them to fire up Youtube on your ipad and watch a

Peppa Pig video or two.

Or maybe they are a lit­tle older and keen on the world-build­ing game

Minecraft – so lauded for its cre­ative as­pects that it even has an “ed­u­ca­tion edi­tion” for use in the class­room.

Or per­haps, at 13, they have just opened their first In­sta­gram ac­count and are shar­ing snaps with friends. Or tun­ing in to Twitch to watch ex­perts play Fort­nite. Who isn’t! Where’s the harm in it? Maybe even you have mas­tered the Floss.

Clearly, these sites claim to en­ter­tain, not ex­ploit, chil­dren. Af­ter all, col­lect­ing any in­for­ma­tion that could be deemed per­son­ally iden­ti­fi­able about a child un­der 13 (16 in some coun­tries) is now il­le­gal – a breach of GDPR-K, the new Eu-wide chil­dren’s data pro­tec­tion law that came into force in May this year.

Most pop­u­lar sites set the­o­ret­i­cal age lim­its. Google, which owns Youtube, notes that “to sign in to Youtube, you must have a Google ac­count that meets the min­i­mum age re­quire­ments” – that’s 13 in Bri­tain. But, you don’t have to sign in.

So, just how much in­for­ma­tion is be­ing col­lected about them – and you?

To find out, I de­cided to run a sim­ple ex­per­i­ment to give me, a par­ent of two boys, four and six, an idea of what the ma­jor tech plat­forms are up to dur­ing the typical dig­i­tal jour­neys of young users.

That’s how I found my­self in a board­room in cen­tral Lon­don with Dy­lan Collins and Joshua Wöhle, CEO and CTO of Su­per­awe­some, a Bri­tish com­pany that builds “kid safe” dig­i­tal tech­nol­ogy. Wöhle in­tro­duced me to “Charles” – a piece of soft­ware able to mon­i­tor the flow of data be­tween de­vices on­line – be­fore nav­i­gat­ing to Youtube on his smart­phone.

Im­me­di­ately, Charles be­came a blur of ac­tiv­ity, re­veal­ing the re­quest made by his de­vice, the sub­se­quent con­nec­tion made to Youtube, and the video data be­ing trans­mit­ted back.

So far, so pre­dictable. But Charles also re­vealed how that data was trans­mit­ted to al­low Google pre­cisely to iden­tify us – even though we weren’t logged in to Youtube. The first piece of in­for­ma­tion is the IP ad­dress – the iden­ti­fy­ing code of any de­vice on the in­ter­net. Then there is the so-called “user agent”; the pre­cise com­bi­na­tion of how you are ac­cess­ing the in­ter­net – what browser, op­er­at­ing sys­tem and so on – that can be so spe­cific that it iden­ti­fies you. The re­sult was that, while the Peppa Pig video re­quest was be­ing sent, a host of other re­quests were also qui­etly be­ing made in the back­ground.

“I can see dif­fer­ent IDS be­ing sent,” says Wöhle, point­ing out var­i­ous lengthy num­bers dis­played by Charles. “I can see DSID, which is Google’s method of do­ing cross-de­vice tar­get­ing, iden­ti­fy­ing me, whether I’m on my PC or on my phone or any­thing else. This is their way of cor­re­lat­ing all that data.” While he talked, data re­quests were be­ing made to more than 20 other do­mains beyond Youtube, to ser­vices that de­liver on­line ad­verts, such as Google’s own Dou­bleclick.

And even though we had not of­fi­cially de­clared our iden­tity by log­ging on, those ads – for flights – were well tar­geted. “Tech­ni­cally, that was all anony­mous,” says Wöhle, clos­ing down the site. “But in re­al­ity you can see there are lots of data points that iden­tify me.”

Above all, the pri­vacy of in­ter­net users is blown by so-called Data Man­age­ment Plat­forms (DMPS), which ag­gre­gate the de­tails and data we leave as a trail be­hind af­ter each visit on­line. DMPS can pro­vide rich, full, pro­files about each of us – from nick­names to post­codes to pets. For a price. In­ter­net giants, like Google, have de­vel­oped their own soft­ware, ef­fec­tively al­low­ing them to iden­tify you, logged in or out, on which­ever de­vice you might be us­ing, in what­ever place, and “stalk” you with al­most creep­ily tar­geted ad­verts.

Of course, this is part of an ex­change that has been fun­da­men­tal to the growth of the in­ter­net: per­sonal data for free ser­vices. “That ex­change has wo­ven the whole fabric of the in­ter­net,” says Collins. “But it was a deal with the devil and is now hav­ing con­se­quences.” Par­tic­u­larly if the users are not three grown men in a board­room, but a five-year-old brows­ing at home. Then, says Collins, “a lot of this data cap­ture, which cre­ates richer and richer pro­files of chil­dren, is es­sen­tially il­le­gal”. Such ar­gu­ments are now be­ing tested in court. Max Schrems, a lawyer, says na­tional data pro­tec­tion au­thor­i­ties (like Bri­tain’s In­for­ma­tion Com­mis­sioner’s Of­fice) have a “cul­ture of non-

en­force­ment”. (The ICO’S web­site ac­tu­ally lists 171 cases of fines and other ac­tion, but none of a size to worry the world’s big­gest tech com­pa­nies.)

“The in­dus­try has re­alised it can do what­ever it wants and get away with it,” Schrems says from Aus­tria, one of four EU coun­tries (with France, Bel­gium and Ger­many) where he has filed com­plaints. The aim is to build to class ac­tion suits against in­ter­net giants for il­le­gal data har­vest­ing that could re­sult in fines more likely to make their eyes wa­ter. There is a long way to go. As things stand, he says, “park­ing vi­o­la­tions are more en­forced than your fun­da­men­tal right to pri­vacy”.

Back in Lon­don, we have browsed a mere five sites in 54 min­utes, but trig­gered a cas­cade of 1,871 re­quests – more than 34 a minute. Later, he sends me the full log. It’s 195 pages.

It is, says Collins, “the plumb­ing of the in­ter­net, and it has to change. What has to hap­pen is that we re­build a lot of the in­ter­net specif­i­cally for chil­dren,” he adds. That would suit him fine. Su­per­awe­some sells the soft­ware to do pre­cisely that. And it’s a big mar­ket – bud­gets for dig­i­tal ads tar­get­ing chil­dren are pre­dicted to hit al­most £1bil­lion next year.

But there is a big­ger is­sue at stake: if such ef­forts do end up forc­ing the devel­op­ment of a dif­fer­ent in­ter­net for chil­dren, why should they tol­er­ate ex­ploita­tion of their data when they grow up? That could lead to change across the web. And then, Collins says, the way we do things to­day will look com­i­cally anachro­nis­tic, if not crim­i­nal. “In­ter­net users to­day are like peo­ple who started smok­ing at 12 be­cause they were told it was fine; we’re told the same about giv­ing away so much per­sonal data. But it’s so ob­vi­ously not. And in­ter­net users in 10 years’ time will laugh at the no­tion that it was ever con­sid­ered fine.”

In 10 years’ time we won’t be­lieve we once thought this was OK

Web of in­trigue: the sites your child vis­its may ap­pear to be child-friendly, but what data are they col­lect­ing on him or her?

Newspapers in English

Newspapers from UK

© PressReader. All rights reserved.