One small step… … and a giant data footprint for your child
The children’s data protection law is all we need, right? Harry de Quetteville puts it to the test and is shocked by the results
What does your child get up to on the internet? Perhaps, very occasionally, if there’s nothing on Cbeebies, you allow them to fire up Youtube on your ipad and watch a
Peppa Pig video or two.
Or maybe they are a little older and keen on the world-building game
Minecraft – so lauded for its creative aspects that it even has an “education edition” for use in the classroom.
Or perhaps, at 13, they have just opened their first Instagram account and are sharing snaps with friends. Or tuning in to Twitch to watch experts play Fortnite. Who isn’t! Where’s the harm in it? Maybe even you have mastered the Floss.
Clearly, these sites claim to entertain, not exploit, children. After all, collecting any information that could be deemed personally identifiable about a child under 13 (16 in some countries) is now illegal – a breach of GDPR-K, the new Eu-wide children’s data protection law that came into force in May this year.
Most popular sites set theoretical age limits. Google, which owns Youtube, notes that “to sign in to Youtube, you must have a Google account that meets the minimum age requirements” – that’s 13 in Britain. But, you don’t have to sign in.
So, just how much information is being collected about them – and you?
To find out, I decided to run a simple experiment to give me, a parent of two boys, four and six, an idea of what the major tech platforms are up to during the typical digital journeys of young users.
That’s how I found myself in a boardroom in central London with Dylan Collins and Joshua Wöhle, CEO and CTO of Superawesome, a British company that builds “kid safe” digital technology. Wöhle introduced me to “Charles” – a piece of software able to monitor the flow of data between devices online – before navigating to Youtube on his smartphone.
Immediately, Charles became a blur of activity, revealing the request made by his device, the subsequent connection made to Youtube, and the video data being transmitted back.
So far, so predictable. But Charles also revealed how that data was transmitted to allow Google precisely to identify us – even though we weren’t logged in to Youtube. The first piece of information is the IP address – the identifying code of any device on the internet. Then there is the so-called “user agent”; the precise combination of how you are accessing the internet – what browser, operating system and so on – that can be so specific that it identifies you. The result was that, while the Peppa Pig video request was being sent, a host of other requests were also quietly being made in the background.
“I can see different IDS being sent,” says Wöhle, pointing out various lengthy numbers displayed by Charles. “I can see DSID, which is Google’s method of doing cross-device targeting, identifying me, whether I’m on my PC or on my phone or anything else. This is their way of correlating all that data.” While he talked, data requests were being made to more than 20 other domains beyond Youtube, to services that deliver online adverts, such as Google’s own Doubleclick.
And even though we had not officially declared our identity by logging on, those ads – for flights – were well targeted. “Technically, that was all anonymous,” says Wöhle, closing down the site. “But in reality you can see there are lots of data points that identify me.”
Above all, the privacy of internet users is blown by so-called Data Management Platforms (DMPS), which aggregate the details and data we leave as a trail behind after each visit online. DMPS can provide rich, full, profiles about each of us – from nicknames to postcodes to pets. For a price. Internet giants, like Google, have developed their own software, effectively allowing them to identify you, logged in or out, on whichever device you might be using, in whatever place, and “stalk” you with almost creepily targeted adverts.
Of course, this is part of an exchange that has been fundamental to the growth of the internet: personal data for free services. “That exchange has woven the whole fabric of the internet,” says Collins. “But it was a deal with the devil and is now having consequences.” Particularly if the users are not three grown men in a boardroom, but a five-year-old browsing at home. Then, says Collins, “a lot of this data capture, which creates richer and richer profiles of children, is essentially illegal”. Such arguments are now being tested in court. Max Schrems, a lawyer, says national data protection authorities (like Britain’s Information Commissioner’s Office) have a “culture of non-
enforcement”. (The ICO’S website actually lists 171 cases of fines and other action, but none of a size to worry the world’s biggest tech companies.)
“The industry has realised it can do whatever it wants and get away with it,” Schrems says from Austria, one of four EU countries (with France, Belgium and Germany) where he has filed complaints. The aim is to build to class action suits against internet giants for illegal data harvesting that could result in fines more likely to make their eyes water. There is a long way to go. As things stand, he says, “parking violations are more enforced than your fundamental right to privacy”.
Back in London, we have browsed a mere five sites in 54 minutes, but triggered a cascade of 1,871 requests – more than 34 a minute. Later, he sends me the full log. It’s 195 pages.
It is, says Collins, “the plumbing of the internet, and it has to change. What has to happen is that we rebuild a lot of the internet specifically for children,” he adds. That would suit him fine. Superawesome sells the software to do precisely that. And it’s a big market – budgets for digital ads targeting children are predicted to hit almost £1billion next year.
But there is a bigger issue at stake: if such efforts do end up forcing the development of a different internet for children, why should they tolerate exploitation of their data when they grow up? That could lead to change across the web. And then, Collins says, the way we do things today will look comically anachronistic, if not criminal. “Internet users today are like people who started smoking at 12 because they were told it was fine; we’re told the same about giving away so much personal data. But it’s so obviously not. And internet users in 10 years’ time will laugh at the notion that it was ever considered fine.”
In 10 years’ time we won’t believe we once thought this was OK
Web of intrigue: the sites your child visits may appear to be child-friendly, but what data are they collecting on him or her?