How COPPA Teaches Children to Lie
With the arrival last year of a tech-savvy superintendent in the Ithaca City School District, we’ve started to see some welcome changes in how our son Tristan’s 7th grade teachers are operating. They’ve responded to the superintendent’s call for increased use of technology by accepting many homework assignments electronically; they’ve also created class blogs for summarizing what goes on in class and for listing homework assignments. On the whole, we’re tremendously happy to see Tristan checking the blogs for what to do, submitting his homework in Google Docs, taking part in NaNoWriMo for English class, asking out-of-class questions of the teachers via email, and generally using the same kind of tools that we employ in our
day-to-day work.
There has been one dark cloud in this otherwise bright picture. Tristan won’t be 13 until January, but to participate fully in these technology initiatives, he has needed to set up a number of accounts, including a Google account and a Blogger account, among others. Thanks to the 1998 Children’s Online Privacy Protection Act (COPPA) in the United States, however, Google, Apple, and many other companies, most notably Facebook, include a blunt line like this in their terms of service:
You must be at least thirteen (13) years of age to use the Service.
Uh oh.
In the past, that text was generally hidden in dense legalese behind a link that, honestly, no one ever reads. Increasingly, though, birthdate has become a required field in signup forms, such that a simple bit of JavaScript math can prevent those under 13 from registering. Of course, the workaround is simple — you lie about your date of birth, and we’ve helped Tristan do just that on several occasions this year.
(In a move that has caused much online distress, if a child with a pre-existing Gmail account now provides an under-13 birthdate to another Google site, like YouTube, Google disables that account and threatens to delete it entirely unless the parent takes over ownership.)
The drafters of COPPA were aware that there would be legitimate reasons for parents to want their under-13 children to have accounts with certain online services, of course, so they provided for a way out via “verifiable parental consent.” Therein lies the problem. The allowed approaches include:
- Giving parents a form to print, fill out, sign, and return via mail or fax.
- Require the parent to use a credit card in connection with a transaction.
-
Obtain consent via email accompanied by a digital signature or digital certificate verified by a physical form or credit card.
I can hear those familiar with Internet services giggling already. Even if parents could be induced and trained to jump through such hoops, Web sites whose primary audiences are adults won’t spend the money to process physical forms, invent unnecessary charges, or deal with the support related to helping novices with digital signatures. Sites focused on children are willing to go through the trouble, since that’s their business, but general audience services like Google, Apple, and Facebook find it far simpler to require accountholders to be 13 or older. Interestingly, Twitter now has a clever way of phrasing the restriction (in its privacy policy, rather than its terms of service) that enables Twitter to terminate accounts, but
doesn’t restrict account creation by age upfront, a change from an earlier revision of the company’s terms of service.
Our Services are not directed to people under 13. If you become aware that your child has provided us with personal information without your consent, please contact us at [email protected] We do not knowingly collect personal information from children under 13. If we become aware that a child under 13 has provided us with personal information, we take steps to remove such information and terminate the child’s account.
But the blunt rejection of underage children by most sites is how we’ve ended up in a situation where parents are being asked to teach their children that it’s not just acceptable, but often necessary, to lie on the Internet. That certainly wasn’t the intent of COPPA, but a recently released study from danah boyd of Microsoft Research; Eszter Hargittai of Northwestern University; Jason Schultz of the University of California, Berkeley; and John Palfrey of the Harvard Law School looks in more depth at just what parents do and don’t do in relation to COPPA’s age restrictions, focusing on Facebook.
For instance, they found that:
- 55 percent of 12-year-olds have a Facebook account (along with 32 percent of 11-year-olds and 18 percent of 10-year-olds). In short, there are a lot of underage Facebook users. I’m sure that there are also tons of underage users of services from Google, Apple, Yahoo, and Microsoft.
-
82 percent of parents were aware that their children had created Facebook accounts, and of those, 64 percent helped to create the account, with even higher percentages of parents participating when the children were underage. The point here is that the vast majority of parents were notified of the age limit, and, in fact, 90 percent of parents helping underage children to create accounts acknowledged being aware of the age limit.
-
35 percent of parents thought that the age limit was a recommendation (like the PG-13 MPAA movie rating), not a requirement. And 78 percent felt that it was acceptable to allow an underage child to sign up for a service for a variety of reasons, largely bolstered by parental monitoring of online activities. So we can see that many parents don’t take the age limit seriously, either not seeing it as a requirement or seeing it as a rule that can be broken.
-
Most tellingly, in response to the question, “Who should have the final say about whether or not your child should be able to use Web sites and online services?” 93 percent of respondents said the parent should. 3 percent felt the company providing the service should have the final say. And amusingly, only 2 percent said that the government should have the final say, which matched exactly with the 2 percent of parents who said that the child should have the final say. (Snarky logic would thus conclude that parents trust the government and their children equally in this regard. Speaking as the parent of a 12-year-old who can’t be relied on to tie his shoes, that’s not a ringing endorsement of governmental
regulation.) -
Finally, when asked what role government should play in setting age limits on the use of Web sites, 48 percent felt that the government should require a recommended age rating, like movie ratings. 35 percent felt the government shouldn’t do anything, and only 18 percent felt the government should be enacting laws like COPPA.
With regard to the requirement for deception, the study’s authors point out that although adults may provide inaccurate information in online profiles (such as on dating sites), parents are uncomfortable with encouraging children to lie online. They write:
Providing inaccurate age information can also violate Web sites’ Terms of Service and enable risky interactions. Parents of elementary- and middle-school-aged children may not want their children to pretend as though they are in high school when interacting with other teenagers and, yet, providing a false age on Facebook conveys this incorrect impression. Because of this, strict age requirements often put parents in an uncomfortable position. So long as deception is the only means of access, parents are forced to choose between curtailing their children’s access and condoning lying. This is not an easy choice for many parents to make.
Ironically, danah boyd said in an interview with On the Media that police officers lecturing students in online safety also sometimes recommend that children lie about their location, which has resulted in there being more people online claiming to be from Afghanistan and Zimbabwe (the first and last countries when listed alphabetically) than there are people in those countries.
In the end, Tonya and I come down squarely in agreement with the majority of parents. Tristan hasn’t wanted a Facebook account, but we signed him up for Twitter several years ago so we could communicate with him in brief bursts when we were travelling (now he has a text message-enabled cell phone for arranging pickups from school events), and we certainly wouldn’t prevent him from getting school-related accounts because of COPPA. In fact, for any account that Tristan sets up online, whether it’s with Pandora, Edmodo, or Google, we ask that he get our permission if he must lie about his age and that he write down all the login information on a sticky note (which we keep handy in case he forgets it — this has already resolved one
late-night homework crisis). Eventually, we’ll have to move all those sticky notes into a system that Tristan maintains himself, although password wallet software isn’t currently a realistic option given the variety of computers he uses but cannot control.
Like many other parents, we think he’s mature enough to handle the places online where he’s going to end up, we monitor what he does online, and we feel that a clearly worded recommendation (and encouragement for parents to stay involved) would be far more effective than COPPA’s age limits and accompanying unintended consequences.
One thing that didn't quite fit in the above article is a comment about setting up an iTunes Store account for a child under the age of 13. When I recently set up Tristan's account, I began with the specific instructions in Apple's support article "Creating an iTunes App Store account without a credit card," at http://support.apple.com/kb/ht2534. In my first attempt, I entered his true age. This didn't work, and it locked out future attempts to set up an account under his name on the same computer. When I finally set up the account, I wrote down his fake birthdate, in case he needs that information for login at some later time.
This is really helpful, thank you. We had the painful experience of my daughter's Google account (email, docs, Picasa etc) being deleted. You mention that Google threatens to delete accounts unless parents take over ownership. But we didn't think that option was open to us because we both have our own accounts, and thought Google wouldn't allow you to create a pseudonymous account either. There certainly isn't an option for a parentally-managed child's account, confirmed to me by someone in Google HQ. We also didn't understand how we might be able to lie about our daughter's age and then be able in future to allow her to have a legitimate account. So all her stuff was lost without any recourse to retrieve it.
Yes, I've had trouble figuring out just how someone might be able to take over ownership of a child's account, but there are a number of posts in Google's support forums claiming it's possible.
We had a similar issue with Facebook. As it happens, my Tristan decided to create a FB account without our permission - which is another discussion.
After discussing the issue of creating an account without our knowledge, we debated whether or not to allow Tristan to use his FB account after he served his punishment.
In the end, we decided against it as his first interaction with FB would be to lie.
All of that is moot in two days as Tristan turns 13 which means both of my children are teenagers - sigh - which is another story ;-).
I think parents of teenagers deserve combat pay. :-)
It seems that giving a false age in contravention of terms of service may even be a criminal act under the Computer Fraud and Abuse Act (CFAA) in the USA. See, for example http://cdt.org/files/pdfs/CFAA_Sign-on_ltr.pdf.
Holy cats, that's silly - interpreting contractual breach as criminal activity.
Here's an interesting point of view of tech in education:
http://www.nytimes.com/2011/10/23/technology/at-waldorf-school-in-silicon-valley-technology-can-wait.html
Yup, we're very familiar with the Waldorf approach, since Tristan went there through 5th grade. I think it's totally appropriate for elementary school, in part because Tristan could use technology here at home if he wanted (for the most part, he didn't). The particular school here started to fall down for us in 5th grade, so we were happy to make the jump to the excellent Ithaca public schools in 6th grade, and this year feels entirely appropriate for Tristan to be using technology as it's used in the real world - school isn't about insulating children from the real world, it's mostly just caught in the past.
The Waldorf system, as I understand it, sees computers as tools, and as tools that are not much used by younger children, such as those described in the article. So, you wouldn't expect to see a computer in a Waldorf "kindergarten" or elementary school, but you would in a high school. The children would likely learn how to create things with a computer, or to construct a computer from component parts, but would nearly certainly not use a computer for entertainment or for an educational game (unless they'd made it themselves).
A Waldorf curriculum begins with the concrete (things you can touch in the real world, live drama, live music, etc.). It only slowly brings in abstraction (written words, ideas, recordings, anything on a screen). The idea is that this is a developmentally appropriate way to proceed and it lays fundamental learning/building blocks in a way that may seem slow at first, but that builds momentum. Of course, for any child, your mileage may vary!
We have an under 13 child, and I completely agree sites with age restrictions are doing nothing but teaching kids to lie--often with encouragement of the parents.
Although it's been a few years, Lego was the only site we found which doesn't have an age restriction--you just need to provide a parent's e-mail address for verification (if you're going to lie you can do it for age or e-mail, but if you want to be honest you can).
Had a weird error message when setting up iCloud recently on an iPod Touch, which turned out to be because of the birthdate supplied.
Given you generally can't change your birthdate on sites after signing up, there's going to be a lot of people stuck showing as older than they are!
I'm sure you've seen this recent news report:
http://news.cnet.com/8301-31921_3-57324779-281/doj-lying-on-match.com-needs-to-be-a-crime/
Making this "age misstatement" a federal crime leaves children (and probably their parents) open to an arbitrary or capricious goventment that might just decide to "make a lesson" of someone. I may read the wrong sites, but this doesn't seem to be all that uncommon.
Wow. Just wow. Next thing you know, failing to read, understand, and pass a written test based on a shrinkwrap license agreement will be grounds for imprisonment.
There are many products available on the Internet that allow families to be both COPPA and TOS compliant. Rather than teaching your children to mis-represent the truth you might consider other alternatives. This is one of those slippery slope issues, next might be "borrowing" copyrighted music from friends.
As much as that's a nice idea, I don't think it's realistic. You use what you have to use to interact as necessary.
Um, "realistic"? I think you might be confusing "realistic" with "easy and convenient". It's your decision but don't be surprised and frustrated with everyone else in our society making relative decisions. Be the change.
I think you are correct in making a recommendation to a teacher. But parents don't always have control over what teachers ask for.
Hah! Glad this has come up.
I'm also a father of a (12-yr-old) 7th grader, who was recently "required" to establish a google account (gmail, and docs). I wrote to the teacher, "Are you aware. . . age 13?" etc. and received an indirect (CMA?) response that simply said that, if I preferred it, my son's work could be submitted otherwise.
I settled on the work-around that I would be the account holder. He memorized his log-in and password, which I also know. He uses gmail and docs via computers at school and home, and I get to see everything (100% monitoring the e-mail traffic) in my Mail apps, and through Safari (if I want to read docs).
I should add that my son and I have discussed some moral and legal implications of lying about age online, although I concentrated on the potential dangers caused by unintended consequences. (We used different language.)
In sum, I don't think a 7th-grader can really understand the causality in internet behavior and the law. I barely grasp it. Simplifying it--lying about your age is usually bad--helps . . . for now.
Here are some jumbled thoughts to the subject at hand.
First of all I don't have children, but I do find it necessary that there are rules and regulations that try to established age requirements as well as encourage parental monitoring of minors who are using online tools along with the internet.
If schools are requiring "7th graders" to use "cloud" collaboration tools then perhaps the schools should provide these services themselves. A Mac Mini with Lion server is powerful and cheap enough to provide for a "homeroom" or maybe even a complete class year e-mail, calendaring, a Wiki, and other group and media tools. There are even all kinds of groupware available for Linux where even more savings can be found. These might be good real world possibilities to introduce young people to the abstract world of computing services. Group projects to set up and run software that shows cause and effect. I can even imagine children as they get older and who are so incline, creating and offering programs and services back into the school system. Not just home-ed or wood-shop programs but also "software smiths". The future's content is going to need "cloud" services to feed all the iPads, iPhones and Android devices that coming in the pipeline. Western civilization (I am an American living overseas) is evolving into a service based economy. The sooner "our children" are guided to future fields of businesses the beter.
An important argument for schools doing it themselves is for privacy reasons, but at the very least I see an opportunity for "Google and Co" to offer "enterprise" features to organizations such a schools and other youth associations like the Boy and Girl Scouts of America as well as others. At present Facebook has a feature where people who are members of established organizations can list the "network" they are a part of. (https://www.facebook.com/help/networks) There is no reasons, if enough school boards approach FB that they will not expand its network feature to allow school groups to be formed and managed. The same applies to Google and others. Parents need to be more involved and make suggestions to their schools, school boards and local agencies.
Is Google Apps different? Our kids all have accounts through our family google apps domain, and I am sure there were no age questions there. They also have Apps accounts through their schools...
Maybe the idea is that the burden of enforcement with Google Apps is on the administrator?
Anyway, this does explain why Google's Parental Controls are worthless.
I can't find anything about this in the terms of service for Google Apps - the administrator must be of legal age to sign a contract, but no mention is made of other users. I would guess that underage children would thus be covered, but I really don't know.
Just ran across this page at Google talking about how to re-enable accounts that have been shut down because of being owned by an underage child.
http://www.google.com/support/accounts/bin/answer.py?answer=1333913
Perhaps some sort of "under 13" or whatever age could be set up with a permanent tag in the ID that says "under 13." Similar to some states driver licenses that print the DOB in red and use a profile photo. Being older than dirt, I have a problem with encouraging a child of any age to lie. To them a lie is a lie, they don't distinguish between "real" lies and "white" lies. They will come back to bite you...
Yes, I think there could be interesting technological solutions, but the question is if the audience of under-13s is large enough for these general sites (as opposed to child-centric sites) for them to want to go to the effort.
I agree fully about the lying, as I think do most parents.
I lie routinely on the Internet about many personal details. I never give anyone my real date of birth, but a consitant fake one instead. When on chat programs like irc I won't even reveal my city or state, and in World of Warcraft chat I don't even tell people what time zone I am in. My kids both know that the Internet should not be trusted with accurate personal information. This is no more "lying" than it is lying to not give this information to random strangers on a bus.
The people writing these rules, Congress down to local teachers, in many cases just don't "get it".
When my kids were in middle school 10 years or so ago we were asked to sign a computer usage waiver. Basically it said that my wife and I were legally (criminally) responsible for anything that showed up on the screen of a computer being used by my kids. No exclusions for who caused it or if they did it under supervision or by direction of an adult in the room. I refused. So my kids were part of a small minority that did not get to used internet enabled computers.
I also did not sign the waiver that allowed my kids to be used in photos or videos that might be used to market commercial products. So they got left out of most school pictures.
And we were thought of as being ill informed. Oh, well.
For anyone reading this, you can file comments with the FTC about COPPA until 23 December 2011 (ignore the November deadline mentioned in this FTC article; the correct one is on the Web form linked at the bottom of the FTC article).
http://ftc.gov/opa/2011/09/coppa.shtm