The new monitoring service SafetyWeb raises some serious questions about its compliance with the Children’s Online Privacy Protection Act (COPPA). There are also some potential safety problems with how it could be misused.
The service’s description is rather simple. You enter an email address, and then the service scours the web (and presumably its own built-up database) and builds an online profile based on the social networks that person has joined. In this way it appears similar to the service that Rapleaf used to offer. The service then promises to monitor the actions of the targeted person on those social networks and report those actions to you.
When I tried it with one of my email addresses, it found several social network services I have joined. It did not find all of them. Only on one of those did I join with that email address, so they must have had some way to figure out the rest were me. None of them were false positives where they identified someone else as me — but my name is rather unique.
Our Policy Towards Children
The Site is not directed to persons under 18. If a parent or guardian becomes aware that his or her child has provided us with personally identifiable information without their consent, he or she should contact us by email at: email@example.com.
This seems to go against the spirit, if not the letter, of COPPA. COPPA applies to:
the operator of any website or online service directed to children that collects personal information from children or the operator of a website or online service that has actual knowledge that it is collecting personal information from a child
They are collecting children’s information — the “parent” that signs up tells them the child’s email address, name and age. Their website is not “directed at children” but they are given “actual knowledge” that they are collecting children’s data. They even have the “parent” check a box that states: “I certify that I’m the Parent of this child.”
Perhaps they think that they are not collecting personal information from a child, since they get it from the parent. But the entire point of the service is to monitor what the child does online — to go and collect that information from the child’s online profiles and present it to the “parent.”
They need to double-check that their service is COPPA compliant, because it appears that they are covered by COPPA. A simple statement that their website is not “directed to persons under 18” does not change the fact that this is a commercial service whose stated purpose is to collect information from children and to sell it to people who “certify” that they are the parents of that child.
The FTC appears to be taking a serious tone on the mixed issue of children’s online safety and privacy. They recently denied the application of a non-profit to become a COPPA “safe harbor” — meaning a service that would monitor and certify websites for compliance with COPPA. Their denial letter took strong umbrage at the fact that the non-profit itself did not follow COPPA — even though it did not have to:
The Commission feels strongly that any organization – including a non-profit organization – to which it grants safe harbor status should itself comply with COPPA when interacting with children online. In the case of i-SAFE, which promotes itself as a leader in educating children on Internet safety, the failure to provide COPPA protections is particularly troubling. This failure also would undermine i-SAFE’s authority to enforce other website operators’ compliance with COPPA.
SafetyWeb’s cavalier attitude towards COPPA does not inspire confidence in them as a purveyor of a legitimate parental monitoring service.
Safety / Stalkerware
The other major problem with the service is how they handle the safety issue. How do they know anything about the relationship of the person ordering the monitoring and the one being monitored? I never completed my transaction above, but they were about to allow me to order the monitoring of a target their service reported as being 35. All they appeared to require was that the person doing the ordering check a box agreeing to the terms and conditions, as well as another box that certified they were the parent of the child.
The FTC recently acted against a provider of stalkerware. Key to that case was that the mere fact that inappropriate uses were against the terms of service should not insulate the provider of the service from liability.
SafetyWeb should also take note of the New Hampshire case Remsburg v. Docusearch. Liam Youens paid 150 dollars to Docusearch for several pieces of personal information about Amy Boyer. He had maintained a website where he documented how he was stalking her. With this information, Youens tracked her down, killed her, and committed suicide. A New Hampshire court said Docusearch had a duty to exercise reasonable care that they did not cause harm when selling this information:
The threats posed by stalking and identity theft lead us to conclude that the risk of criminal misconduct is sufficiently foreseeable so that an investigator has a duty to exercise reasonable care in disclosing a third person’s personal information to a client. And we so hold. This is especially true when, as in this case, the investigator does not know the client or the client’s purpose in seeking the information.
There is a benefit to widespread knowledge of this service’s existence: it lets people know their online profiles can be monitored and mined. What we’re seeing here is the consumer-facing side of something that is surely going on behind the scenes — starting with an email address, marketers and other data mining companies can compile extensive profiles of individuals. Perhaps this awareness will lead to some outrage, and support for regulation.
SafetyWeb has hired a leading expert in children’s online safety and privacy issues. They should be able to adequately address these issues.