Online Privacy: Not a Children’s Game

Online Privacy: Not a Children’s Game

On my walk home from getting my morning coffee – or, as I prefer to think of it, “work fuel” – I spotted something I’d never seen before. Do you know what a “Bye Bye Buggy” is? Think of it as a cross between a stroller and a roller coaster car. A preschool teacher was pushing six of her charges in one of these gadgets. My niece-by-marriage, herself the product of a family where four or five children to a pair of parents is pretty common, had had her second child only a week before. I took out my phone to take a picture of the buggy – I was going to send it to her, and ask if she thought we should be saving up for one…

When the teacher saw me raising my phone, she asked me to stop, and not take a picture: “Nobody wants to have their kids on some stranger’s Facebook page.” (Which is why you see the catalog link above.)

Standards and expectations of privacy are not the same around the world.  In the United States, we tend to have a more forgiving model of online policy than in many other jurisdictions; unlike the European Union, we don’t have the notion of a “right to be forgotten,” for example. Even so, we view privacy issues involving children through a much stricter framework. Most people believe their privacy risks as adults are principally financial in nature – disclosure of passwords to banking and shopping sites, compromises of credit card and account information, and the like. But for children, we tend to view everything about them – their existence, even – as information that is personal and confidential.

It’s not hard to see why. Kids don’t have the critical awareness to protect their own information. And a very small amount of that information – the child’s name, the parents’ names, the address and telephone number – can potentially be used to convince schools and other caretakers that a stranger is in fact a trusted friend of the family. Of course, most organizations that care for children have systems of control for this, but the potential to spoof still exists.

Children’s Online Privacy Protection Act (COPPA)

That’s why in the United States we consider children’s privacy differently from that of adults in a legal sense, via the Children’s Online Privacy Protection Act (COPPA). Enacted in 1998, COPPA requires that websites that allow children to register clearly identify the information they are capturing and how it will be used, that site operators allow parents to review and delete any information provided and to block future collection, that the information collected be restricted to the minimum amount required to perform the site’s function, and that parents can block the disclosure to third parties of any information collected.

Unfortunately, while we have legal expectations of stricter privacy standards for children, what we sometimes see in practice is laxer implementation.

…Which brings us to VTech

A Hong Kong-based consumer electronics manufacturer, VTech is known for their manufacture of low-cost cordless telephone systems. But they have also staked out a major presence in online-connected items, such as baby monitors, cameras, watches, and tablets. These child-friendly items feature an online store for expanding their capabilities by adding games, books, and other content, as well as a portal through which parents can monitor and control their kids’ activities. Chat logs, photos, videos, and other user-created content is also stored.

A further hitch is that, in the process, parents are encouraged not only to enter their own information, but to create subaccounts for the children, and turn over their names, addresses, and dates of birth. One could argue that this information is useful for the operation of the site – perhaps they send birthday cards to the young users – but one would then need to recognize the added protection requirements.


VTech announced last month that they suffered a breach in which stored information for almost five million parent accounts and over six million children’s accounts were stolen, including not only the login information and personal profiles, but photos and videos as well. (The addition of the photos and videos, of course, increases the potential trust exposure for children and caregivers.)

As breaches go, this one seems to be a spectacularly poor example on two fronts: not only the data and network protection aspect, but also, the tone-deaf response.

Hackers acknowledged (to the press – the company was unaware of the breach till they were informed by the hackers through Motherboard) that they acquired the information via a SQL injection attack. This attack could have been prevented by almost any decent intrusion detection/prevention system (IDS/IPS) or next-generation firewall (NGFW) or unified threat management (UTM) gateway – not to mention a breach detection and protection system such as Lastline Enterprise that can monitor suspicious network activity and block dangerous connections.

But in addition, the stored passwords were encoded only with a simple MD5 hash that is vulnerable to fast brute-force dictionary attacks – especially given the fact that children’s passwords are likely to be simple, non-obfuscated words.

The “icing” on the vulnerability “cake” is the fact that the sites were not protected by SSL encryption, making all information vulnerable to snooping on the network as well as to man-in-the-middle attacks.

Especially with the sort of information that was compromised – given the emotional response to an issue involving children – one might expect a sober, concerned response. Instead, VTech opted at first to minimize the importance of the attack because no credit card information was disclosed!

The tone-deafness of the response, the minimizing of the impact of disclosing the identities, addresses, and appearances of the children using the system, did not go unnoticed. Many security experts, from consultants to government actors around the world, took them to task for not going the extra mile where information about children is concerned, and for expecting customers to be more concerned about their credit card numbers than about their children’s potential safety.

VTech subsequently engaged forensic expertise, but did it long after the breach. We can hope they learn how not to experience a repeat performance. And it’s not clear what the ongoing effect of this will be on their business.

What are some of the lessons here, for parents and for site operators?

For parents:

  • Be diligent in exercising your child’s COPPA protections. Review data, delete and block anything your instincts tell you is unnecessary, and balance the need to disclose vs. the need to protect to your own comfort level.
  • Teach your children that passwords not only need to be easy for them to remember – and not written down – but also, difficult to guess. This involves not only the type of words and names and numbers to avoid, but also, how to use schemes such as initial letters of the words of a phrase, as well as non-alphabetic symbols they can remember, to build passwords.
  • Also, get them accustomed to the idea of using different passwords for different sites.

For operators:

  • When you collect data, be thorough in your COPPA compliance – failure to do so can have not only direct financial impact, but perhaps more important, reputation impact that will dog your business for years to come.
  • Weigh the value of any data you collect against the risk if it is disclosed. Every item that is “nice to have” but not essential is a potential liability.
  • Most important, create a culture of accountability. More damage may done to the ongoing success of a company by shirking responsibility than by the actual breach.
  • Whatever you choose to collect, protect it. Work with security staff to be sure security solutions are in place, adequate, and up-to-date. (Or, in smaller organizations, if you’re Chief Everything Officer, read the guidance for security staff as well.)

For security staff:

  • Cover the basic security blocking-and-tackling. Protect the perimeter from common network-based threats with an NGFW or UTM; find (and, preferably, block) well-defined threats on servers with IDS/IPS; deploy endpoint protection; protect websites and other essential protocols with SSL/TLS.
  • Assess the paths by which information can leave the organization, and be sure they are adequately covered.
  • Don’t get lazy with updates. Keep certificates valid, and update engines, and especially, signatures, as the new versions become available.
  • Recognize that a growing number of attacks, even on smaller and less prominent organizations, are complex, multi-phase, polymorphic attacks; add advanced malware protection to your toolkit.