July 14, 2020

Improving Protections for Children’s Privacy Online

CITP’s Tech Policy Clinic submitted a Comment to the Federal Trade Commission in connection with its review of the COPPA Rule to protect children’s privacy online. Our Comment explains why it is important to update the COPPA Rule to keep it current with new privacy risks, especially as children spend increasing amounts of time online on a variety of connected devices.

What is the Children’s Online Privacy Protection Act (COPPA)?

As background, Congress in 1998 gave the FTC authority to issue rules that govern how online commercial service providers may collect, use or disclose information about children under the age of 13. The FTC issued the first version of the Rule in 2000; it requires providers to place parents in control over what information is collected from their young children online. The Rule applies both to providers of services directed to children under 13 and to those serving a general audience who have actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule was subsequently revised in 2013, after a period of public comment, to account for technological developments, including the pervasive use of mobile apps. In 2019, the FTC announced that it was revisiting the Rule in light of ongoing questions about its efficacy in a data-fueled online marketplace, and solicited public comment on potential improvements.

Core Recommendations to Update the COPPA Rule

Our Comment makes three main points:

  • We encourage the FTC to develop rules that promote external scrutiny of provider practices by making the provider’s choices about how it complies with the Rule available in a transparent and machine-readable format.
  • We recommend that the FTC allow providers to rely on an exemption from collecting or tracking information related to “internal operations” only under extremely limited circumstances, otherwise the exception risks swallowing the rule. 
  • We offer some suggestions on how education technology providers should be responsive to parents and recommend that the FTC conduct further studies about how such technology is being used in practice. 

We elaborate on each point below.

Enabling Effective External Compliance Checks Through Transparency

One of the central challenges with the COPPA Rule today is that it is very difficult for external observers (parents, researchers, journalists or advocacy groups) to understand how an online provider has decided to comply with the Rule. For example, it is not clear if a site believes it is in compliance with the Rule because it argues that none of its content is directed at children or because it has implemented rules that seek appropriate consent before gathering information about users. Making a provider’s choices on compliance transparent will enable meaningful external scrutiny of practices and hold providers to account. 

Under the COPPA Rule providers are responsible for determining whether or not a service is child directed by looking to a variety of factors. If the service is directed at children, then the provider must ensure they have verified parental consent before collecting information about users. If the audience is of mixed age, then the provider must ensure that it does not collect information about users under the age of 13 without parental consent.

The determination about whether a service is child directed, as the FTC explains, includes factors such as “its subject matter, visual content, use of animated characters or child-oriented activities and incentives, music or other audio content, age of models, presence of child celebrities or celebrities who appeal to children, language or other characteristics of the Web site or online service, as well as whether advertising promoting or appearing on the Web site or online service is directed to children . . . [and] competent and reliable empirical evidence regarding audience composition, and evidence regarding the intended audience.” If the service is child directed and children under the age of 13 are its primary audience, then it is “primarily child directed.” Services that are child directed but do not target children as the primary audience are “child directed, but mixed audience” services under the COPPA Rule.

If a mixed audience service seeks to collect information about users, it can choose to implement an age gate to ensure it does not collect data about underage users. An age gate is a mechanism that asks users to provide their age or date of birth in an age-neutral way.

Our principal recommendation is that the COPPA Rule should be revised to explicitly facilitate external scrutiny by requiring providers to make their design choices more open to external review. Specifically, we suggest that the FTC should make sites or services disclose, in a machine-readable format, whether they consider themselves, in whole or part, “directed to children” under COPPA. This allows academic researchers (or parents) to examine what the provider is actually doing to protect children’s privacy. 

We also recommend that the FTC establish a requirement that, if a website or online service is using an age gate as part of its determination that it is not child directed, it must publicly post a description of the operation of the age gate and what steps it took to validate that children under 13 cannot circumvent the age gate. 

In addition, drawing on our work on online dark patterns, we suggest that the FTC examine the verifiable parental consent mechanisms used by providers to ensure that parents are being given the opportunity to make fully informed and free choices about their child’s privacy. 

Finally, we suggest some ways that platforms such as iOS or Android can be enlisted by the FTC to play a more effective role in screening users and verifying ages.

Restrict Providers from Relying on the “Internal Operations” Exception

Another significant issue with current practices is that providers rely on an exception from providing parental notice and obtaining consent before collecting personal information when they use persistent identifiers for “internal operations.” The 2013 revisions to the Rule introduced this exception, but restricted it to a limited set of circumstances necessary to deliver the service. It appears that many providers now use the exception for a wide variety of purposes that go well beyond what is strictly necessary to deliver the service. In particular, users have no external way to verify whether certain persistent identifiers, such as cookies, are being used for impermissible purposes. Therefore, our Comment urges the FTC to require providers to be transparent about how they rely on the “internal operations” exception when using such persistent identifiers, and to limit the circumstances in which providers are allowed to use the exception.

Give Parents Control Over Information Collected by Educational Technology Service Providers

Finally, our Comment addresses the FTC’s query about whether a specific exception for parental consent is warranted for the growing market of providers of educational technology services to children (and their parents) in the classroom and at home. We recommend that the FTC should study the use of educational technology in the field before considering a specific exception to parental consent. In particular, we explain that any rule should cover the following issues:

  • First, parents should be told, in an accessible manner, what data educational technology providers collect about their children, how that data is used, who has access to the data, and how long it is retained. Parents should also have the right to request that data about their children are deleted.
  • Second, school administrators should be given guidance on how to make informed decisions about selecting educational technology providers, develop policies that preserve student privacy, and train educators to implement those policies.
  • Third, the rule should clarify how school administrators and educational technology providers are accountable to parents for how data about their children are collected, used and maintained.
  • Fourth, the FTC needs to clearly define what is meant by “educational purposes” in the classroom in considering any exceptions for parental consent.

* The Comment was principally drafted by Jonathan Mayer and Mihir Kshirsagar, along with Marshini Chetty, Edward W. Felten, Arunesh Mathur, Arvind Narayanan, Victor Ongkowijaya, Matthew J. Salganik, Madelyn Sanfilippo, and Ari Ezra Waldman.

Every move you make, I’ll be watching you: Privacy implications of the Apple U1 chip and ultra-wideband

By Colleen Josephson and Yan Shvartzshnaider

The concerning trend of tracking users’ location through their mobile phones has very serious privacy implications. For many of us, phones have become an integral part of our daily routine. We don’t leave our homes without them and take them everywhere we go. It has become alarmingly easy for services and apps to collect our location and send it to third parties without the user’s knowledge. Location tracking generally works poorly indoors. Tracking services can infer your general location down to a building using current technologies like GPS, WiFi, or cellular triangulation. However, your movements inside can’t be precisely tracked. This level of obfuscation is about to disappear as a new radio technology called ultra-wideband communications (UWB) becomes mainstream.

In its recent iPhone launch, Apple introduced the U1 ultra-wideband chip in the iPhone 11. Ultra-wideband communications use channels that have a bandwidth of 500 MHz or more, with transmissions at low power. In this blog post, we would like to give a brief introduction to the technology behind the chip and how it operates, and discuss some of its promises as well as its implications for our day-to-day activities.

Figure 1: UWB consumes a wide bandwidth, at 500+ MHz. In comparison, a broadband WiFi channel is 20 MHz.

Why would users want ultra-wideband? On the iPhone 11 Pro product page, Apple says, “The new Apple‑designed U1 chip uses Ultra Wideband technology for spatial awareness — allowing iPhone 11 Pro to understand its precise location relative to other nearby U1‑equipped Apple devices. It’s like adding another sense to iPhone, and it’s going to lead to amazing new capabilities”. For now, the features available to the U1 chip are restricted to “[pointing] your iPhone toward someone else’s, and AirDrop will prioritize that device so you can share files faster”. 

However, as the number of devices equipped with a UWB chip grows, it will enable a broad spectrum of applications. UWB is not a new technology, but we are seeing renewed interest due to vastly improved operational distance. Over the years, researchers have developed a variety of UWB applications such as estimating room occupancy, landslide detection, and human body position/motion tracking. Perhaps the leading use case for UWB technology has been precise indoor localization, with accuracies between 0.5 and 10 cm. Indoor localization is the process of finding the coordinates of a target (e.g. a phone) relative to one or more fixed-point anchors that also contain UWB radios. The relative coordinates are then mapped to a reference (e.g. blueprints) to provide an absolute location. High-accuracy localization is especially useful in contexts where traditional GPS is not accurate enough, or cannot reach. A number of other technologies have been explored for indoor localization, such as WiFi and Bluetooth, but the accuracy of these techniques is on the order of meters [1], not centimeters.

The key to enabling centimeter-level localization is the wide bandwidth of UWB. Transmissions that occupy a broad bandwidth are short in duration and are known as pulses or impulses. These short-duration impulses allow accurate measurement of time of flight (ToF): the time it takes for a signal to propagate from point A to point B. Radio frequency (RF) waves travelling through air have a velocity that is very close to the speed of light. This means that if we can accurately measure time of flight, then we know the distance between A and B. Similar to how bats use echolocation to sense their environment, UWB pulses can be used to sense the distance between two radios. The shorter the duration of the impulse, the more precise the distance measurement will be. There are a few different ways to use this information for localization/positioning, but the most common for navigation is time difference of arrival. This system relies on having three or more anchors that are also equipped with UWB chips. The anchors have synchronized clocks. To calculate the position of the phone, the anchors forward their ToF measurements to a central service that knows the absolute location of the anchors (e.g. mapped onto blueprints) and calculates where the phone is located relative to the anchors.

Figure 2: Time Difference of Arrival (TDoA) UWB localization system 
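To make the arithmetic behind the ToF and TDoA description concrete, here is an added worked example in Python. It is not code from the original post, nor from Apple, Cisco or any UWB vendor: it assumes a flat 2-D floor plan, anchors with perfectly synchronised clocks, and a small Gauss-Newton solver for the hyperbolic TDoA equations; the anchor layout, the phone position and the arrival timestamps are constructed sample values. It also shows why pulse duration matters: a 1 ns timing error corresponds to roughly 30 cm of range error, which is why only very short impulses reach centimeter accuracy.

```python
"""Added example: ToF ranging and TDoA localisation on synthetic UWB timestamps.
Not the original post's code; all positions and timestamps are constructed."""
import math

C = 299_792_458.0  # RF propagation speed in air, metres per second (close to c in vacuum)


def tof_distance(seconds):
    """Distance a pulse covers in `seconds` of flight time (one-way ToF)."""
    return C * seconds


def timing_error_to_distance(seconds):
    """Range error produced by a timing error of `seconds`: 1 ns -> about 0.30 m."""
    return C * seconds


def _dist(p, q):
    return math.hypot(p[0] - q[0], p[1] - q[1])


def simulate_arrivals(anchors, phone, emit_time=0.0):
    """Constructed measurement: when each synchronised anchor hears one pulse from `phone`.
    The phone's emit time is unknown to a real TDoA system; the differences cancel it."""
    return [emit_time + _dist(a, phone) / C for a in anchors]


def tdoa_locate(anchors, arrival_times, iterations=50):
    """Estimate the 2-D position of a transmitter from its arrival times at >= 3
    synchronised anchors. Gauss-Newton on the residuals
        r_i = (d_i - d_0) - C * (t_i - t_0),  i = 1 .. n-1,
    where d_i is the distance from the current estimate to anchor i."""
    if len(anchors) < 3 or len(anchors) != len(arrival_times):
        raise ValueError("need at least three anchors, one arrival time each")
    # Start from the centroid of the anchors (a reasonable guess for an indoor deployment).
    x = sum(a[0] for a in anchors) / len(anchors)
    y = sum(a[1] for a in anchors) / len(anchors)
    a0, t0 = anchors[0], arrival_times[0]
    for _ in range(iterations):
        d0 = max(_dist((x, y), a0), 1e-9)
        h11 = h12 = h22 = g1 = g2 = 0.0  # normal equations J^T J delta = -J^T r
        for ai, ti in zip(anchors[1:], arrival_times[1:]):
            di = max(_dist((x, y), ai), 1e-9)
            r = (di - d0) - C * (ti - t0)
            # partial derivatives of (di - d0) with respect to x and y
            jx = (x - ai[0]) / di - (x - a0[0]) / d0
            jy = (y - ai[1]) / di - (y - a0[1]) / d0
            h11 += jx * jx
            h12 += jx * jy
            h22 += jy * jy
            g1 += jx * r
            g2 += jy * r
        det = h11 * h22 - h12 * h12
        if abs(det) < 1e-12:  # degenerate geometry (e.g. collinear anchors)
            break
        dx = -(h22 * g1 - h12 * g2) / det
        dy = -(h11 * g2 - h12 * g1) / det
        x += dx
        y += dy
        if math.hypot(dx, dy) < 1e-6:
            break
    return x, y


if __name__ == "__main__":
    # Constructed scenario: four access points on the corners of a 10 m x 10 m room.
    anchors = [(0.0, 0.0), (10.0, 0.0), (0.0, 10.0), (10.0, 10.0)]
    phone = (3.0, 4.0)
    times = simulate_arrivals(anchors, phone, emit_time=1.234)
    print("estimated position:", tdoa_locate(anchors, times))
    print("range error from 1 ns timing error: %.3f m" % timing_error_to_distance(1e-9))
```

The anchors never learn when the phone transmitted; only the differences of arrival times enter the solver, which is what makes one-way, passive reception sufficient for a location service. Three non-collinear anchors give two residuals for two unknowns; a fourth adds redundancy that absorbs timing noise.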

For now indoor localization is not common, since most buildings do not have a UWB anchor infrastructure. However, in October 2019 it was announced that Cisco is teaming up with the Czech company Sewio to integrate UWB chips in wireless access points. This is a major step towards ubiquitous indoor localization, as it makes it much more likely that any building with WiFi can also support indoor localization. The new Cisco access points will support IEEE 802.15.4z, an ultra-wideband communications standard that was designed by the UWB Alliance, an organization that receives input from members like Apple, Decawave, Samsung and Huawei. Apple’s U1 chip adheres to the same standard, so the U1 and the Cisco access points will be able to communicate. If an Apple U1 chip responds to ranging exchanges initiated by the Cisco access points, then the owner of the network need only run a location-calculation service to obtain the U1 chip’s position.

What makes the current generation of UWB chips stand out is that for the first time they will be deployed in mobile phones, which for a lot of people are an inseparable part of their daily routine. While it is promoted by Apple as just another sensor to “Share. Find. Play. More precisely than ever,” this technology has the power to disrupt existing societal norms. Suddenly businesses will be able to track an individual’s location within their stores down to the centimeter, which gives them the power to track which products you look at in real time. Similar to the much-debated facial recognition technology, UWB localization offers a new capability to identify and ultimately profile a user. Essentially, the new chip is a marketer’s dream in a box. Shops already track your purchases, leading to cases like the infamous 2012 case where Target unintentionally divulged a teen’s pregnancy to her father. When a store has UWB-enabled access points, it will be easy to monitor a phone’s location indoors and track what you considered purchasing in addition to what you actually purchase. Even without UWB, Cisco already has a feature that lets stores track your presence via phone WiFi, “to engage users and optimize marketing strategies”.

This WiFi tracking is possible even if your device is not associated with the network, because devices with the WiFi chip enabled periodically send out probe packets to discover which networks are available. A similar technique could be used with UWB to enable even more precise tracking throughout the store. This means that your location information could be used even if location permissions are closely monitored for apps on the phone. The Cisco/Sewio announcement mentions “location-based marketing in retail” as a potential use case right off the bat. In a mall-wide network setup, the routers could retain information that enables inferring your movements in other stores as well, essentially offering a physical-world analogue to web tracking. Companies like Five Tier, JCDecaux and others use existing location tracking technologies to display ads to users in the vicinity on nearby screens, even billboards. Current WiFi-based phone tracking lets retailers monitor which store you are in, but with UWB, companies will be able to monitor which products you are looking at. This information could be used to push targeted ads that follow you both physically and online. Imagine going to browse for jewelry, then seeing billboards for diamonds follow you as you drive home, and having that continue on your web browser and smart TV once you get home.

Historically, companies have opted to chase the marketing dream instead of respecting users’ privacy. Companies like Google and Facebook argue that they provide users with adequate privacy controls, but privacy researchers disagree. Furthermore, privacy choices are often eroded either by bugs or by misleading requests. One recent incident report by Brian Krebs details how Apple continues to collect location information despite location-based system services being disabled. According to Krebs, Apple’s response stated, “this behavior is tied to the inclusion of a new short-range technology that lets iPhone 11 users share files locally with other nearby phones that support this feature, and that a future version of its mobile operating system will allow users to disable it”. And even if location services are reduced or disabled, some apps constantly try to get users to turn these services back on. As Figure 3 shows, some messages are deceptive, causing users to believe that the app won’t work without re-enabling high-accuracy (WiFi-assisted) location. And even if the apps using location data are trustworthy, choosing to leave high-precision location services enabled can still allow stores with UWB infrastructure to closely track you without your explicit consent by using one-way ranging with probe packets [2] (see 7.1.1.2 in Application of IEEE Std 802.15.4).

Figure 3: Some mobile phone apps repeatedly encourage users to turn on location permissions that are not actually necessary.

UWB technology could disrupt our preconceived privacy expectations about how our location data is shared and used. In a recent empirical study, Kirsten E. Martin and Helen Nissenbaum show “that tracking an individual’s place – home, work, shopping – is seen to violate privacy expectations, even without directly collecting GPS data, that is, standard markers representing location in technical systems.”

It can also offer potential benefits to the consumer. For example, we can envision a UWB localization service that helps you find a specific store inside a large mall, navigate underground tunnel systems such as those found in Montreal and Seoul, or guides you to the precise location of an item in a store. Nevertheless, given the current state of privacy policies and confusing controls, and with current privacy regulations poorly equipped to address potential violations of users’ privacy expectations in public places, there is a significant risk, without proper oversight, that these technologies will be misused for nefarious purposes such as tracking and surveillance. As these technologies become pervasive, it becomes vital to fully consider their implications for our way of life, specifically their effect on established societal norms and expectations.

In this blog post we outlined what UWB is and how it can be used to track location with unprecedented accuracy. While accurate location tracking could be useful, users often find that their data is used in unexpected ways that only a close reading of dense legal agreements would reveal. This flow of information is legal, but still violates users’ privacy expectations. These expectations are even more deeply violated when a phone’s location can be tracked despite carefully selected privacy settings on the device. Although this level of ubiquitous centimeter-level tracking is not yet a reality, the pieces are rapidly falling into place. Now is the time to act, before the norms of privacy erode further. Regulators, businesses and end users need to work together to design a system that can benefit both businesses and customers without unexpected consequences for the customers.

We would like to thank Helen Nissenbaum for providing feedback on the early drafts.


Footnotes

1. Research projects in WiFi localization have achieved accuracies of 10-30 cm, but commercially available localization solutions are accurate within meters.
2. Recall that probe packets are sent out periodically to let your device sense which networks you can join. All a retailer needs to do to track your location is collect the timestamps at which your device’s probes arrive at their anchors. Some users may erroneously believe that encryption protects them from this kind of tracking, but only packet payloads (not headers) are encrypted. Sequence numbers and source IDs are contained in the UWB standard packet headers.

2020 Workshop on Technology and Consumer Protection

Christo Wilson and I are pleased to announce that the Workshop on Technology and Consumer Protection (ConPro ’20) is returning for a fourth year, co-located with the IEEE Symposium on Security and Privacy in May 2020.

As in past years, ConPro seeks a diverse range of technical research with implications for consumer protection. Past talks have covered dating fraud, ad targeting, mobile app data practices, privacy policy readability, algorithmic fairness, social media phishing, unwanted calls, cryptocurrency security, and much more.

Unlike past years, ConPro 2020 will accept talk proposals for early stage research ideas in addition to short papers. Do you have a new project or idea that you’d like to refine? Are you curious about which project directions could yield the greatest impact? Pitch a talk for ConPro, and get feedback and suggestions from its diverse, engaged audience.

Each year of ConPro, I’ve been heartened by the enthusiasm for research that can help improve consumer welfare. If this is important to you too, we hope you’ll submit a paper or talk proposal. We’re always excited to expand our community! The submission deadline is January 23, 2020.