By Bree Fowler,
Consumer Reports
The digital lives of many children are born shortly after they are, when
their parents start posting baby pictures on social media. Over the years a
child's digital trail lengthens, as the child and parents share more
information online.
Safeguarding children's online privacy should be a family priority, security
experts say, but the challenge is becoming more complicated.
One new wrinkle is the advent of connected toys. It was recently revealed
that one toy company might have left information from more than 800,000 user
accounts highly vulnerable to hackers, exposing more than 2 million audio
messages shared between children and their loved ones.
Meanwhile, the online risks presented by social media sites haven't gone
away. Here's how parents can protect their children's online privacy.
Be Wary of Connected Toys
Kids are more connected than ever. Even toys as simple as a teddy bear now
often come with a Bluetooth or WiFi connection that can send information
back and forth between the toy and a smartphone app or a server somewhere.
That was the case with CloudPets, a line of “smart” stuffed animals that
lets family members record personal messages for a child using a smartphone
app, then send them through the internet to the toy for the child to hear.
Children can also record their own messages using the stuffed animal and
send them to an approved list of recipients.
But researchers recently concluded that the toy’s makers didn’t adequately
protect it servers, allowing hackers to gain access to user emails and
secured passwords, along with audio recordings. The researchers complained
that Spiral Toys, which owns the brand, had ignored repeated warnings about
the problem.
According to a Spiral Toys statement, the company was notified of the
problem on Feb. 22 and "took immediate and swift action to protect the
privacy of our customers," requiring all customers to create new, stronger
passwords. The company said it hadn't seen evidence that message data had
been leaked.
It wasn’t the first time a children's product was affected by security
problems. In 2015, data stored by tech toy maker VTech was breached,
compromising the profiles of 6.4 million kids, along with the 4.9 million
parent accounts that they were connected to. The information in the
children's accounts included names, ages, and genders, the company, based in
Hong Kong, said at the time.
How could such data be used? Experts say a terrifying worst-case scenario
would be an attempted abduction, but a more likely outcome would be eventual
credit card fraud or identity theft. Privacy risks recently prompted German
officials to tell parents to get rid of an internet-connected doll called
"My Friend Cayla."
So what should parents do? Supplying toy companies with information about
your child may help them provide a more customized play experience. But it's
up to you to decide whether that benefit is worth the information being
shared.
One question to ask is where data is stored. If it's just on the toy or in a
smartphone app connected by Bluetooth, the risks might be relatively small.
But the concerns are bigger in cases like CloudPets and VTech, in which data
gets sent to a server somewhere where it can potentially be stolen by
hackers.
Either way, there’s no harm in playing it safe: You can always enter a fake
birthday or name. Or just pass on buying such toys in the first place.
Think Before You Post
Just like their physical security, your children’s digital security starts
with you, especially when they’re too young to fend for themselves. So think
before you post, and make sure you’re limiting who can see the information.
“I think trying to convince parents to not post photos of their newborn is
probably impossible,” says Lance Cottrell, chief scientist at the
cybersecurity firm Ntrepid. But parents may have unrealistic expectations of
privacy. “It’s like I want to hire a skywriter for my marriage proposal, but
for nobody else to read it.”
The mere act of releasing your child’s name, gender, hometown, and birthday
to the world gives hackers something to work with. But there are
common-sense ways parents can keep those posts from causing problems, mainly
by limiting who can see them.
For instance, using Facebook privacy settings, you can set your posts to go
to just your “friends,” rather than the entire world. If you want to limit
that circle even more, create a list of “close friends” and set your posts
to be visible only to them. A closed Facebook group, which requires you to
approve everyone who requests access, can work, too. As a bonus, it will
keep you from clogging the feeds of your non-baby-crazy friends.
Parents should also think twice before posting pictures that could reveals
hints of a location, such as photos taken in front of their home or child’s
school, says Mike Raggo, chief research scientist at ZeroFOX, a social media
security company. On a related note, it's also wise to wait until you get
home before posting vacation photos. You don’t want to reveal to would-be
burglars that you’re away from home.
Talk to Your Kids
“The talk” doesn’t just refer to sex anymore. Talking to your kids about
proper internet usage and the consequences that bad online behavior can have
is almost as important, but hopefully not as uncomfortable, a subject.
And it’s a wide-ranging topic, too. Just like their parents, kids need to
know everything from how to set a strong password to how to spot phishing
emails, as well as what can happen if they send an angry tweet or post a
suggestive picture, says Michael Moniz, CEO and founder of the cybersecurity
firm Circadence.
On top of that, kids can face cyberbullying and need to know what to do if
one of their classmates posts a threat of violence on social media.
“We’re ships and travelers moving through the cyber world,” Moniz says. “If
you’re anything of value, you’re going to be a target and parents have to be
aware of that. We have to be good guides and give our kids the skills they
need to navigate it.”
Most importantly, kids need to be reminded that what they post online
becomes part of their “digital DNA” that will always remain online “no
matter how much they try to scrub it away,” he says. Those posts will follow
them when they apply to college or for a job down the road.
Be a 'Friend'
Moniz says that he required his own kids to give him their passwords if they
wanted to have social media accounts, though he acknowledged that other
parents see that as too “big brotherish.”
But the bottom line is parents need to keep tabs on their kids’ social media
accounts one way or another, whether by just being their “friend” or by
using software that monitors their activities.
And when parents see their child’s peers do something inappropriate online,
they should talk to their child about it and use it as a teachable moment,
Moniz says.
On the other hand, Cottrell warns that if parents become too intrusive or
even hostile to their children’s activities, it could prompt the kids to
move to another social media platform that their parents don’t know about,
or to set up shadow accounts.
“You need to remember that they’re digital natives and are probably better
able to navigate the internet than you are,” he says.
Be a Parent First
These technology judgment calls aren't just about safety.
Remember that dad who would stand in the front row with his giant camcorder
during your childhood ballet recitals, blocking everyone’s view?
Social media has made that so much worse. Now you have crowds of parents
with smartphones shoving each other to get the perfect shot. And they’re so
worried about creating the perfect Instagram post that they’re not enjoying
what they’re watching.
Sometimes it’s better to just focus on the kids, says ZeroFOX co-founder
Evan Blair.
“People are spending a significant amount of time not parenting. They’re
taking away the enjoyment of the moment,” he says. “We need to be less
focused on ‘likes’ and more focused on our relationships with our children.”
“As a parent in the digital age, I struggle with this, too," he says. "How
much is too much?”
Bree Fowler
