A recent report by Danah Boyd and others reveals that turning parents and children into liars is a principal effect of the Children’s Online Privacy Protection Act, or COPPA. According to Consumer Reports, 7.5 million kids under 13 have joined Facebook. Since Facebook prohibits kids of that age from the service, that’s 7.5 million children who lied in the signup process. And most of them got help in telling the lie from their parents. According to Boyd’s study, the vast majority of parents were aware that their children joined Facebook before reaching 13; in fact, more than two-thirds of these parents helped their under-age kids join.
That’s a lot of lying.
COPPA more or less forces Facebook into excluding thirteen-year-olds. The law and the FTC regs implementing it set stringent limits on the kinds of information that web services can collect from kids under 13 in the absence of “verifiable parental consent.” Obtaining verifiable consent requires mail, fax, phone calls, or credit card numbers; email is allowed only if accompanied by a cryptographically secure digital signature. It is quite deliberately a hassle. And once the consent is received, the service is charged with knowledge that the customer is a child, which triggers special legal protections and limits, not to mention FTC and state attorney general oversight.
All in all, unless you’re running a site focused exclusively on preteens, you’d be crazy to let them join. Facebook isn’t crazy. It excludes children. But staying off Facebook isn’t really an option for kids with a social life, or grandparents for that matter. So the real effect of the law and Facebook’s policy is to force children and their parents to lie about the child’s age.
Teaching kids to lie isn’t exactly a government policy to be proud of. But federal law has another unintended legal consequence in store for those parents and kids. As Orin Kerr and I have pointed out, Facebook users who violate the site’s terms of service also violate the Computer Fraud and Abuse Act, at least according to the Justice Department. Which would make every one of those parents and children guilty of a federal misdemeanor.
By my count, that’s well over ten million misdemeanors, not to mention ten million privacy victims.
Now, you might ask, “Who the hell is the government to take away the decision whether my kids can join Facebook?” Actually, most parents feel exactly this way. When the study asked them who should have the final say about whether or not their child should be able to use online services, 93% chose the parents, 3% opted for the company providing the service, 2% chose the government, and 2% would leave the decision to the child.
So how did we end up with an online regime that is this intrusive, stupid, and unpopular?
It wasn’t easy. It took a lot of lobbying, and the story may help explain why we have so many stupid privacy rules.
First, in the 1990s, when parents and children were just beginning to go online, no one knew what that would be like. There was a lot of free-floating anxiety. By the late 1990s, the Federal Trade Commission and groups like the Consumer Federation of America were maneuvering to focus that anxiety on fear that evil websites would extract information from trusting youngsters without parental knowledge. My guess is that the Commission and the consumer groups wanted an overarching online privacy law, and they thought that a law focusing on children’s privacy would be a good first step.
The FTC released a study in 1998 that painted the online industry in dark colors:
The results with respect to the collection of information from children are … troubling. Eighty-nine percent of children's sites surveyed collect personal information from children. While 54% of children's sites provide some form of disclosure of their information practices, few sites take any steps to provide for meaningful parental involvement in the process. Only 23% of sites even tell children to seek parental permission before providing personal information, fewer still (7%) say they will notify parents of their information practices, and less than 10% provide for parental control over the collection and/or use of information from children. The Commission's examination of industry guidelines and actual online practices reveals that effective industry self-regulation with respect to the online collection, use, and dissemination of personal information has not yet taken hold.
Later, in testifying before Congress, the FTC highlighted a few extreme examples:
One child-directed site collected personal information, such as a child's full name, postal address, e-mail address, gender, and age. The site also asked a child extensive personal questions about financial information, such as whether a child previously had received gifts in the form of stocks, cash, savings bonds, mutual funds, or certificates of deposit; who had given a child these gifts; and whether a child had put monetary gifts into mutual funds, stocks or bonds. The site also asked for family financial information including whether a child's parents owned mutual funds. Apparently in exchange for providing this information, a child was entered into a contest. Elsewhere on the Web site, contest winners' full names, age, city, state, and zip code were posted.
Another child-directed site collected personal information to register a child for a chat room. The information included a child's full name, e-mail address, city, state, gender, age, and hobbies. The Web site had a lotto contest that asked for a child's full name and e-mail address. Lotto contest winners' full names were posted on the site. For children who wished to find an electronic pen pal, the site offered a bulletin board service that posted messages, including children's e-mail addresses. While the Web site said it asked children to post messages if they were looking for a pen pal, in fact anyone of any age could visit this bulletin board and use the Web site information directly to contact a child.
Those examples would have a lot less power today, partly because the gathering of online data doesn't seem as alien or scary as it did in 1998. We've given our email addresses to a lot of sites without being stalked by predators. We also know that there are practical limits on web services data collection and usage. Sites that ask kids for too much information are unlikely to prosper because, as Boyd’s study shows, parents play a pretty big role in their preteens’ decision to join a service.
But in 1998 the FTC's stories were seen as disturbing portents of a dystopian future. And how could we head off this future? Not to worry; the FTC also had a solution. Casting itself as a vigilant defender of parental rights, the Commission told Congress that the solution was – what else? – an expansion of Commission authority over online privacy practices: "As a result of our activities over the past three years, the Commission has developed significant expertise regarding children's privacy. … The Commission strongly supports the approach adopted in this legislation."
The bill was enacted later that year.
Where were the privacy groups while this was going on? On the case, sort of. The Center for Democracy and Technology testified in favor of the overall bill, but it wanted changes to give parents even less knowledge about their kids’ online activities; it asked (with some success) for modification of provisions that would have given parents access to any information their child provided to a website and alerted them when the child gave his email address to a website.
If you were a parent in 1998, you probably felt pretty good when you heard about COPPA’s passage. You’d been told that it was going to protect your kids’ privacy by empowering you. But in fact, it mainly empowered a government agency to decide what your kids can do online. And the privacy groups you thought were on your side? They were more interested in protecting your kids from, well, you.
This isn’t just history. The story of COPPA is by and large the story of most privacy legislation: a new technology emerges, followed by a “privacy panic” over how it might be misused (often engineered by interested agencies and privacy groups), followed by hasty legislation with large-scale unintended consequences -- and, soon, a new class of privacy victims.
If I were a libertarian, I’d be particularly troubled by the FTC’s role in this drama. In the name of privacy and parental control, we let the FTC create a legal regime that expanded government’s authority over the Internet and took away parents’ ability to control their childrens’ online memberships, at least without lying.
And this weird mix of the authoritarian and the libertarian is not a bug unique to COPPA; it is a deliberate feature embraced by most of the privacy lobby whenever they talk about setting privacy rules for the private sector. Considering how many supporters of privacy legislation tend to be dubious about government authority, it’s remarkable how often privacy legislation empowers some bureaucrat to regulate some part of the economy more aggressively.