As COVID-19 fears continue, children of school age have been shoe-horned into a new reality: online learning. Sidestepping the debate on how effective online learning is when compared to in-person, the little discussed threat right now is to children’s privacy.
Despite the general apathy regarding privacy in almost all parts of the world, special attention has always been given to children’s privacy – and for very good reason. The argument that adults “consent” to being spied on doesn’t really sit well when applied to minors.
So how is this new reality of online learning handling children’s privacy? Not very well, as it turns out.
Recent research by Top10VPN.com has revealed that at least 58% (33/57) of government-recommended online learning platforms posed a “high risk” to children’s digital privacy.
Almost a third (15/57) had no privacy policy to speak of. Nearly half (26/57) collected unnecessary amounts of personally identifying information (PII) and (33/57) stored location information.
All but 12 have open-ended or undisclosed data retention time limits, and 5 share PII with third parties. That’s not counting the three quarters (43/57) that employ ad tracking techniques, including from Facebook and Google.
Then there’s the security issues, which goes hand in hand. You can’t really protect anyone’s privacy if your infrastructure isn’t secure – and a third (19/57) fail in that regard as well. 8 not effectively using HTTPS, 12 using insecure cookies prone to hijacking, 2 submitting passwords in plain text without any encryption, and 5 with server-side vulnerabilities.
Each one of these issues alone should be a deal-breaker, especially when handling children’s information. But somehow all of these issues have slipped through the cracks and are not only allowed, but even recommended by governments.
To be clear, this isn’t exclusive to the US. In total, online learning platforms from 19 different countries were analyzed. Six of the 57 platforms were from the US. Two of those six included extensive advertising from Facebook and elsewhere, while five included Google’s ad tracking.
If you’re wondering ‘is this even legal?’, the answer is, unfortunately, yes.
Most countries have only self-regulatory bodies that review advertising aimed at children. Legislative efforts in the US have largely been thwarted by free speech activism and lawsuits, including by Disney. Although much advertising featuring cartoon characters has been blocked by the FCC.
Despite the GDPR requiring companies to require consent before any tracking, platforms from Germany and Italy aren’t completely safe either. Out of the three German platforms, Anton is the only one considered “low risk”.
In the US, the worst offender across the board is Scholastic Learn at Home. Khan Academy is only marginally better due to employing some children’s privacy protections, but it’s still quite heavy on trackers and advertising, and also using insecure cookies.
The least offending US option is Starfall – with only minor HTTPS issues to work on. Starfall also stands out as the only US option that does not employ advertisements, collect PII from children, sell any information, and only uses cookies that are absolutely required. Their cookies are also properly secured.
To the lay person, it may seem unwieldy or even impossible to run such a service in a secure manner while respecting the privacy of your users, but it’s really not – as a few notable examples have shown. All it requires is a bit of extra work and giving up advertising revenue, which is apparently too much to ask. Even of education platforms aimed at children.
As we’ve explored in our alternatives to Google piece, privacy-friendly options to practically every service imaginable certainly do exist (including Google’s Search!). Many are even superior in terms of feature-set. It’s only a matter of ditching the easy, pre-packaged, 1-click-deploy solutions and putting in the extra work to do it yourself.
Parents are advised to read privacy policies and never create an account using social media, as it gives the platform access to a trove of PII (both yours and your child’s). Use an ad-blocker, a VPN, and two-factor authentication. Clear browser cookies, turn off location sharing, and go through the settings to disable any invasive ones.