Skip to main content
https://www.highperformancecpmgate.com/rgeesizw1?key=a9d7b2ab045c91688419e8e18a006621

Facebook’s VPN app puts spotlight on kids’ consent

Facebook could face fresh scrutiny in Europe following a TechCrunch report on its use of a VPN app to monitor people’s smartphone activity — including teenagers as young as 13.

The Irish Data Protection Commission (DPC) told us it’s asked Facebook to provide more information on what data is collected via the market research program, codenamed ‘Project Atlas’, so that it can determine whether there are grounds for further investigation.

“The Irish DPC only became aware of this story through this morning’s media reporting. Before we can make any assessment as to whether or not there are any data protection concerns, we will need to understand better to what extent, how and on what basis the personal data in question is being processed and used. We have asked Facebook to provide us with this information,” said the DPC’s head of communications, Graham Doyle.

Under European union law there are special requirements for processing minors’ personal data. And, as we reported earlier, Facebook’s research program is open to people around the world — although the company has yet to confirm whether it has any teenage participants in Europe. (We’ve asked and will update this report with any response.)

If it turns out that European teens have been participating in the research effort Facebook could face another barrage of complaints under the bloc’s General Data Protection Regulation (GDPR) — and the prospect of substantial fines if any local agencies determine it failed to live up to consent and ‘privacy by design’ requirements baked into the bloc’s privacy regime. (Facebook’s international HQ is located in Ireland, which makes the Irish DPC the lead agency for any investigation of the project.)

Less aware of the risks

Setting out conditions applicable to consent for processing the personal data of children aged 13 or older, one section of text from the GDPR reads: “Children merit specific protection with regard to their personal data, as they may be less aware of the risks, consequences and safeguards concerned and their rights in relation to the processing of personal data.”

“Given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand,” runs another.

The VPN app that Facebook has been using as a data-harvesting vehicle (since we reported on the story it’s closed down the iOS version of the app) requires participants give root access to their device — potentially affording the company a very high resolution view of their digital activity indeed.

According to an investigation we commissioned data continuously collected via the VPN app could include private messages in social media apps; chats from in instant messaging apps – including photos/videos sent to others; emails; web searches; web browsing activity; and ongoing location information.

Although Facebook has also not confirmed exactly what data types it pulls via the program.

Participants are offered payments of up to $20 (in e-gift tokens) to incentivize them to sign up to have their data harvested on an ongoing basis, with the program open to people aged 13-35.

Facebook says parental consent is required for minors aged 13-17. But it’s not clear how robust the company’s age verification process is — after BBC journalist Dave Lee reported being able to sign himself up to participate in Project Atlas, earlier today, as a “14-year-old boy… with two kids”.

“It required no proof of parental consent at all. I’ve just been sent a link to download the iOS app, ” he added via Twitter.

So while Facebook previously told us less than 5% of the (unknown number of) participants in the research program are teens it’s not clear whether it can make that sort of assertion — or indeed put any verifiable figure on children’s participation in the program — if its age verification process fails at the first hurdle.

We’ve reached out to Facebook with questions and to the app testing companies it’s been working with to administer the program — namely Applause/uTest and BetaBound — to ask how they verify the age of participants and how parental consents are collected. At the time of writing none had replied.

In an earlier statement, provided in response to our first report on Project Atlas, Facebook defended the initiative, saying:

Like many companies, we invite people to participate in research that helps us identify things we can be doing better. Since this research is aimed at helping Facebook understand how people use their mobile devices, we’ve provided extensive information about the type of data we collect and how they can participate. We don’t share this information with others and people can stop participating at any time.

Questions over verification

Returning to the GDPR, Article 8 — which concerns conditions application to children’s consent for processing personal data — states data controllers must make “reasonable efforts” to verify consent when processing children’s personal data:

The controller shall make reasonable efforts to verify in such cases that consent is given or authorised by the holder of parental responsibility over the child, taking into consideration available technology.

And in further guidance on conditions for processing children’s data, the UK’s data protection agency says “data protection by design and by default” must be the baseline.

“Transparency is also key,” it continues. “You can raise children’s (and their parents’) awareness of data protection risks, consequences, safeguards and rights by: Telling them what you are doing with their personal data; Being open about the risks and safeguards involved; and letting them know what to do if they are unhappy. This will also help them make informed decisions about what personal data they wish to share.”

Facebook has said parental consent forms were “signed” and also claims it provided “extensive information” about the data being collected. But plenty of questions remain over exactly how robustly it verified participants’ ages; how parental consents were obtained; as well as the quality and accessibility of the information provided to parents and teens.

One UK-based EU data protection expert we asked for a view, Pat Walshe, suggested the approach to consent described in the article would not pass muster under GDPR.

As well as offering up to $20 a month in incentivize teens to sign away their privacy, Facebook’s program also included a referral scheme — which meant users could increase their ‘earnings’ by recommending a friend — aping the ‘growth hacking’ tactics deployed by app developers everywhere hoping to spark a viral run for their latest release.

But a viral run on kids’ privacy wouldn’t be at all cool.  

In instances where minors signed up to be watched by Facebook the program appears to have rewarded them for pestering their peers to do the same.

Yet an age verification system that can’t distinguish an adult male from a 14-year-old boy seems unlikely to be able to correctly identify a child younger than 13 who’s — say — pretending to be an adult in order to get some sweet e-gift rewards…

Last fall the children’s commissioner for England published a report raising concerns about how extensively minors’ data is being collected and shared across the board, in both the private and public sectors, writing that: “Children and parents need to be much more aware of what they share and consider the consequences.”

The UK’s ICO is currently working on an Age Appropriate Design Code of Practice — which a spokeswoman told us is due out later this year, following responses to a call for evidence last summer.

Comments

Post a Comment

Popular posts from this blog

Uber co-founder Garrett Camp steps back from board director role

Uber co-founder Garrett Camp is relinquishing his role as a board director and switching to board observer — where he says he’ll focus on product strategy for the ride hailing giant. Camp made the announcement in a short Medium post in which he writes of his decade at Uber: “I’ve learned a lot, and realized that I’m most helpful when focused on product strategy & design, and this is where I’d like to focus going forward.” “I will continue to work with Dara [Khosrowshahi, Uber CEO] and the product and technology leadership teams to brainstorm new ideas, iterate on plans and designs, and continue to innovate at scale,” he adds. “We have a strong and diverse team in place, and I’m confident everyone will navigate well during these turbulent times.” The Canadian billionaire entrepreneur signs off by saying he’s looking forward to helping Uber “brainstorm the next big idea”. Camp hasn’t been short of ideas over his career in tech. He’s the co-founder of the web 2.0 recommendatio...

Drone crash near kids leads Swiss Post and Matternet to suspend autonomous deliveries

A serious crash by a delivery drone in Switzerland have grounded the fleet and put a partnership on ice. Within a stone’s throw of a school, the incident raised grim possibilities for the possibilities of catastrophic failure of payload-bearing autonomous aerial vehicles. The drones were operated by Matternet as part of a partnership with the Swiss Post (i.e. the postal service), which was using the craft to dispatch lab samples from one medical center for priority cases. As far as potential applications of drone delivery, it’s a home run — but twice now the craft have crashed, first with a soft landing and the second time a very hard one. The first incident, in January, was the result of a GPS hardware error; the drone entered a planned failback state and deployed its emergency parachute, falling slowly to the ground. Measures were taken to improve the GPS systems. The second failure in May, however, led to the drone attempting to deploy its parachute again, only to sever the line...

How the world’s largest cannabis dispensary avoids social media restrictions

Planet 13 is the world’s largest cannabis dispensary. Located in Las Vegas, blocks off the Strip, the facility is the size of a small Walmart. By design, it’s hard to miss. Planet 13 is upending the dispensary model. It’s big, loud and visitors are encouraged to photograph everything. As part of the cannabis industry, Planet 13 is heavily restricted on the type of content it can publish on Instagram, Facebook and other social media platforms. It’s not allowed to post pictures of buds or vapes on some sites. It can’t talk about pricing or product selection on others.   View this post on Instagram   A post shared by Morgan Celeste SF Blogger (@bayareabeautyblogger) on Jan 25, 2020 at 7:54pm PST Instead, Planet 13 encourages its thousands of visitors to take photos and videos. Starting with the entrance, the facility is full of surprises tailored for the ‘gram. As a business, Planet 13’s social media content is heavily restricted a...