Security

[Original posted at altimetergroup.com]

Like many parents, I try to take steps to keep my kids safe online, making sure that they understand not to share personal information online, or even to use their real names. They know how to write appropriate emails, and I constantly monitoring what they do, the emails they send, and most importantly, engaging in a constant dialog with what they are doing online.
But when I logged into my Google Buzz account this evening, I found that my 9 year old daughter had posted the following:

Pretty innocuous, but it was PUBLIC! I saw it because Buzz conveniently made me a follow of hers. I pride myself on staying ahead of my kids, but this time, my kid got ahead of me. She used Buzz without fully understanding that what she thought was a private conversation with her friends was in fact very much public.

Fortunately, this was her only Buzz posting. But what was most disturbing was looking at her friends’ conversations and realizing that some of them were chatting with complete strangers, and in some cases, sharing personal information like emails. Absolutely terrifying as these are 4th graders who have no clue.

I quickly turned off Google Buzz, (but I didn’t totally disable it, more on that below), dashed off an email to the parents of the friends she had been chatting with inside of Buzz (again, all in public, with their real names), and then finally took a long hard look at the situation.

First, I discovered that buried in Google’s terms of service somewhere is that children under the age of 13 are not allowed to have Gmail accounts. But unlike Facebook, which requires that people enter their birthdates when setting up accounts, Google makes no such attempt to educate people signing up for Gmail that such a provision is in place. As a result, while Google is absolved of responsibility because of the TOS, it could and should do a better job of complying with the Child Online Privacy Protection Act (COPPA). [UPDATE: Google does in fact ask for birthdate when signing up, and sends users who are under 13 to the FTC page about COPPA. Obviously, I violated Google's TOS by putting in MY birthdate and then giving account access to my child.]

Second, I think Google will have a second wave of privacy problems to address in Buzz. The easiest thing to do as a parent is to simply disable Buzz, meaning that the Google profile and all followers are deleted — permanently. But the reality is, my child has actually figured out how to use Buzz and seems to enjoy it – unlike most adult users of Gmail! But managing groups, privacy settings, etc. would be required for her to continue using it and I’m not confident as a parent that she’ll be able to figure all of that out. We’ll give it a try, but unless her friends also keep the conversation private, it will all be for naught.

So while I applaud Google for taking quick steps to manage the privacy backlash on Google Buzz, I think Buzz will bring to the fore the quiet reality that many people have enabled Gmail for their kids (and which Google loves because it ensures a new generation of Google devotees).

Without an overhaul and the addition of true parental controls in Gmail, this will remain a problem for Google, and a potential PR nightmare. Imagine parents (and kids) checking out their Buzz accounts to find that “iorgyinbathrooms” is following them, which is exactly what happened with my child’s account!

Does your child have a Gmail account? If so, have you talked to them about what Google Buzz is and how they should be properly using it? Please take action, which may be as dramatic as completely disabling Buzz on your child’s account. Do this as soon as possible, as I’m concerned that unsavory characters are already exploiting this parental control loophole.

Update Part 1: I received a response from a Google spokesperson, with permission to post it here:

“We designed Buzz to make it easy to have conversations with your friends about the things that interest you. Keeping kids safe online is very important to us. You must have a Google account to use Buzz, and we require all new Google account users to provide birthdates to keep children under 13 from signing up for accounts. Since we launched Buzz, we’ve listened to the feedback from our users and have made many product improvements to address their concerns. It’s still early, and we have a long list of improvements on the way. We look forward to hearing more suggestions and will continue to improve the Buzz experience with user control top of mind. Even as we roll out changes, we think it’s important to remember that there’s no substitute for parental supervision to keep kids safe on the Internet.”

Update Part 2: I had a chance to speak with Scott Rubin, who runs the child safety and public policy program at Google. As a parent of young children himself, Scott understands the need for parents to be able to control what their children see and do online. He pointed out that Google earlier this month enabled Safety Mode on YouTube and that the company continues to develop ways to give people in general better control. Scott acknowledged that things went wrong with Buzz and that some improvements were made quickly, and also that there’s more to come. We also discussed an interesting situation regarding children between 13 and 17 — those are are actually allowed to have Gmail accounts of their own. There are very few controls within the Google universe that give parents control, and Scott expressed an interest in continuing the dialog about what Google can do to ensure child safety.

So if you have suggestions on parental control features you’d like to see Google add, please include them in the comments below.

Update Part 3: As you can see in the comments on the original blog post, I’ve been branded both an irresponsible parent for giving my child access to email and also a responsible one for taking precautions. I’m often asked what I do as a parent so I thought I’d share some details of the madness to my method. First, there is no such thing as perfect, full-proof parental controls for the Internet short of sitting down with them and watching every keystroke. But that’s exactly what my husband and I did, starting early and stressing basic Internet safety such as not downloading files, sharing personal information, learning to exercise judgment online. Over time, we gave our kids more and more freedom to do things on their own, and put in place clear consequences if they broke the rules. Believe me, there have been many mistakes made and a lot of learning along the way! But each time, no major harm was done and they become more aware of all the pitfalls that being online entail.

Email was initially sent from our machines and our accounts with full supervision, then without supervision, and finally they were given their own accounts. But I still get copies of everything that they get, and they are allowed to email only people in their address book that are preapproved. This incident has made me rethink what email service we use for the kids, especially since we’re in violation of the Gmail TOS, and I’ll be looking into other options.

YouTube is accessible only from a public PC in the kitchen, and their PCs are in the family room with screens that I can easily see from the kitchen. We also have K9 monitoring software installed that blocks/allows sites and tracks everything they see and use. But my favorite software is TimesUpKidz, which limits their online time to one highly-anticipated hour a day, and then only during certain times. I love it because it removes my need to constantly tell them to get off the computer!

But more important than any piece of software, the thing that I believe keeps them most safe online is the constant communication and conversation we have together about their online activities. When I talked with my daughter about Buzz this morning, I told her that I saw the post that she wrote, and she readily said that she was looking forward to getting comments on it from her friends. When I told her that the posts were public, she said that she had no idea, and immediately agreed to stop using Buzz. She knows that she isn’t ready for a public presence and the reasons why. Our conversation about Buzz was part of our every day, normal conversation about being safe online, discussed in a relaxed way over breakfast. She and her brother frequently ask about things they hear about from their friends or things that they see online, and my hope is that as they enter the tumultuous teenage years, that we will continue having these conversations (although I think I’m be way to optimistic about that!)

Each family has to decide for themselves what works for their kids, and I understand that some people will disagree with my approach. But it seems to be working for us, and for now, the Google Buzz issue has been resolved. I’m no fool — I know dangerous situations are always lurking around the corner, but I hope that the security controls we’ve put in place plus the ongoing conversations we have will be enough to keep the worst situations from happening.