Today is Safer Internet Day which marks the annual occurrence of parents thinking about their kids' online presence (before we go back to thinking very little about it tomorrow!) It's also the day the Courier-Mail here in my home state of Queensland published a piece on sharenting or as Wikipedia more accurately describes it, the practice of "sharing too much information" about your kids online. That's a worthy discussion to have on this day, although the opening paragraph started out, well... just read it:
Reported in today’s Courier-Mail here in Queensland: should parents “ask their toddlers for permission before taking a photo”? What say you, internet? pic.twitter.com/65m4gj9mZB— Troy Hunt (@troyhunt) February 11, 2020
I was invited into the local ABC Radio studio to comment on this piece and online safety in general so in a very meta way, I took my 7-year old daughter with me and captured this pic which, after discussion with her, I'm sharing online:
Discussion quickly went from sharenting to BYOD at schools to parental controls and all manner of kid-related cyber things. Having just gone through the BYOD process with my 10-year old son at school (and witnessing the confusion and disinformation from parents and teachers alike), now seemed like a good time to outline some fundamentals whilst sitting on a plane heading down to Sydney to do some adult-related cyber things!
And just a side-note before I jump into those fundamentals: I had a quick flick through the government's eSafety guidance for children under 5 whilst on the plane and it has a bunch of really good stuff. The opening para in the newspaper doesn't do justice to the sentiment of the document which was more around helping kids understand that there are different views to how each of us likes to have our images shared and frankly, that's a good discussion to have. I wanted to make sure that was captured here and it what seems like an otherwise pretty outlandish statement doesn't detract from the gov's paper.
1. Privacy is Personal
The obvious place to start is to recognise that views regarding privacy are a very personal thing. My views are shaped by a life that's very public due to the nature of what I do and as such, my kids receive more exposure than most (the picture above, for example). I know of other parents who adamantly don't want any trace of their kids on the internet whatsoever. On the other hand, we've all seen "insta" mums / dads who, in my view, go way overboard in the other direction hence the whole sharenting thing.
In any of these debates, the extreme ends of the spectrum tend to be just that - extreme - and the more common-sense approach is the middle ground. Yes, I occasionally post pics of my kids, but it probably amounts to once every couple of months and it's in the context of my profession and projects them in a healthy, positive light. For example, my son teaching kids to code in London a couple of weeks ago:
Teaching kids to code at #NDCLondon with @CodeCombat. And importantly, teaching them how to use secure passwords with @1Password ? pic.twitter.com/GyVCTkOErO— Troy Hunt (@troyhunt) January 30, 2020
Nothing bad will happen to him following this photo. He won't be emotionally scarred, nor will he grow up feeling like his privacy has been violated. Neither will my daughter when I share a video of her coding at home:
Got my 5 year old daughter coding up a storm on her school holidays, she loves it! This is on https://t.co/KRDFQU5VqA for those who are interested. pic.twitter.com/Qk5YKuMFrO— Troy Hunt (@troyhunt) June 26, 2018
But everyone needs to find their own balance here and dictating that there's one approach to fit all is frankly, pretty nutty. Which brings me to the next point:
2. Parents Set the Boundaries, Not Kids
Everyone I've spoken to today regarding that Courier-Mail intro agrees on one thing: it's ridiculous to ask a 2-year old for "consent". Not only does a child of that age have absolutely no idea what the social ramifications of sharenting are, there's all sorts of things we do as parents and impose on our children that they have little to no say in. Immunisation. Diet. Education. Religion. The list goes on (as the list of things some people now think you should ask your kids permission for...)
To be clear, we're talking about toddlers in that story and primary school children in my personal case and obviously the discussion will change as they mature. I talk more and more to my kids about online life not just related to my profession, but about their own day to day experiences. Over time they'll have more control and the balance of power will gradually shift from parents calling all the shots to the kids doing so. But imagine if you let kids of that age decide for themselves how the parenting should be done; my kids would be non-stop eating pancakes and watching YouTube!
More importantly though, the online presence kids have doesn't need to be an all or nothing affair or an opt-in versus opt-out, let's talk about privacy controls on social media.
3. Use Social Privacy Controls Liberally
On the one hand, it always surprises when people aren't familiar with basic privacy controls. But on the other hand, let's face it: Facebook menus and options aren't exactly the most intuitive. Be that as it may, you have a lot of control over who can see what:
As a rule of thumb with all things security and privacy related, apply the principle of least privilege or in other words, only share things with those who need to see them. Photos of kids, for example, might be something you choose to only share with family members - perhaps even only specific family members - and you have the controls available to do just that. I'm not of the "Delete Facebook" mindset because there's enormous social value in staying connected with family and friends and that often means sharing what's going in your own life as well as that of your kids'.
However, the internet being what it is, all the social privacy controls in the world won't do a bit of good if you screw them up (among other things that can go wrong), so let's talk about happens then.
4. Assume That Everything You Share is Public
I've never posted a naked photo of my kids to Facebook. Not when they were babies, not with privacy controls configured and not with any other precautions taken. The simple reason for this is that unlike when my parents took photos of me, say, playing in the mud as a 2 year old with no clothes on and put it in the family album (yeah, thanks mum and dad), placing such photos in a digital album creates all new risks. Faced with the privacy controls in that Facebook image above, you're one click - one single click - away from publishing images to the world instead of just to your closest confidants. I've done it before myself and if I can't always get this right when I spend my life thinking about security and privacy, you too will probably make the same mistake at some time.
I work on the assumption that regardless of my best efforts with privacy controls, anything I put on social media could one day be public. It's not just the risk of me messing up a setting, there's nothing to stop other people in my network from taking my pictures or my words and distributing them out beyond my control. That's not necessarily to say it would be done with malicious intent, it could be innocent in nature given the first point above about us all having different tolerances to privacy. And yes, we all have the right to privacy and the reasonable expectation that others won't violate it, but no, that's not always consistent with reality.
Lastly, consider all the other risks presented by the social media platforms themselves; Facebook has obviously had major issues relating to privacy in the past. Your data is viewed as a valuable commodity that many social media platforms have monetised without sufficiently informed consent and a bunch of online services then also get themselves hacked. Just picking incidents I've personally been involved with: VTech had kids names and photos breached, CloudPets left kids' voice messages exposed and TicTocTrack had security vulnerabilities that would allow anyone to track the movements of your kid. Proceed with the mindset of "assume breach" and share information accordingly.
5. Admin Rights are not for Children
Onto the whole BYOD thing and with my son now in year 5 and needing his own machine at school, this is a hot button topic for me. The first point here is super easy and for anyone working in the same industry as I do, it's also super obvious: kids should never have admin rights on machines. Admin rights grant them ability to install near anything they'd like (that includes malware, ransomware and remote access trojans), make configuration changes and for all intents and purposes, play "god" with the machine. Most companies don't let adults do that in the workplace, does anyone seriously think it's a good idea for young children?
The thing is that as with corporate life, the practical barriers posed by not having admin rights are very limited. There's usually a small, finite list of tools needed for the student (or employee) to perform the required tasks and they can either be pre-installed or added later by an administrator (AKA, a parent). Most of the time this is going to boil down to Microsoft Office (or equivalent) and a browser. My son has also been using OneNote which I installed from the Microsoft Store and then that's it, he's good to go.
Given the chance, kids will install every piece of crapware they can get their hands on. Chrome extensions seem to be a popular one amongst kids with more liberal access rights. I learned this recently as my son asked if he could install the Predator extension which "gives a clean and modern look to your default Chrome homepage" and has "epic themes". That's right up a 10-year old's alley! However:
This was what they call "a teachable moment" as we discussed what it would mean if the developer (who appears to have a parked domain but was previously a "pragmatic media agency" specialising in "hyperlocal targeting") can access everything in the permissions list above. And then, how much worse could it get?
Do you use a popular browser extension? How confident are you that the creator wouldn’t accept a $10k offer to hand it over only to have it then go rogue on you? https://t.co/hPfW5CJLUz— Troy Hunt (@troyhunt) September 5, 2018
Never, ever let kids install things on their machines without at least adult supervision and preferably, digital controls enforced by the parent. Which can actually be very easy:
6. Native Digital Parental Controls are Free and Easy
This is another one that parents should absolutely be on top of but frequently aren't. Windows and iOS have parental controls natively baked right into the operating systems. They're the two platforms my kids spend time on but there are also native controls for Android and native controls for macOS.
Right out of the box, I can easily control what the kids can do on the hand-me-down iPhones they have, for example:
They can use the devices only for a limited amount of time and only between limited hours of the day unless the app is "always allowed" (for example, the phone). They can request to download (and purchase) apps but they need parental approval. They can't change their passcodes. Their usage activity can be remotely viewed from a parent's device. This is all free and built into iOS, with similar controls available in the Microsoft ecosystem:
If you're a parent with a kid using one of these devices and you don't have the controls turned on already, start there. There are other third party products on the market which I wouldn't even consider unless there was a very compelling reason to use them over and above the native controls (and no - neither their marketing pitch or a financial deal stitched up with the school are compelling reasons). Never, ever, under any circumstances resort to spyware or as it's frequently known, stalkerware. Any product with the ability to read messages, view photos, log calls or provide similar levels of invasive access is a recipe for disaster. Firstly, there's all the precedents of these services suffering data breaches and leaking the aforementioned content all over the web. Secondly, their use in monitoring children is indistinguishable from their use in abusive relationships, something Eva Galperin from the EFF has been working hard to try and stamp out (with some great success stories too) which means they're less readily available now than what they once were. I still use the digital controls because they're great at doing what they do, but they're far from perfect...
7. Your Children are (Probably) Smarter Than You
I'll just leave this one right here as it's a perfect illustration of the heading:
I’m a responsible parent so I use the controls on iOS to limit screen time on the old iPhone my 9-year old uses. A white-listed exception is iMessage; he’s worked out he can send someone a YouTube vid then watch it in iMessage to circumvent the control. So proud ? pic.twitter.com/XyD0rq4YpQ— Troy Hunt (@troyhunt) April 27, 2019
Now again: if I can't get this right given what I do for a living, what hope is there for your average parent?! And that's just one of many, many ways that kids can skirt around the very controls put in place to limit their access. Not only will they be able to circumvent many of the controls, they'll be able to conceal it too. They'll see gore. They'll see porn. They'll behave in ways that don't align with your own values, just like we did when we were kids. Which is why this next section is so important:
8. Digital Parental Controls Are Not a Substitute for Actual Parenting
Digital parental controls are great at doing the sorts of things mentioned above. They're efficient, automated and pretty much "set and forget". But they don't understand nuances such as what certain content can mean for children or what sort of communication is appropriate within the constraints of the app limits. Digital controls can never replace the role parents play in how the kids use devices; they should be complimentary to parenting rather than a substitute for it.
Having the kids use devices in the living room rather than the bedroom is a perfect example of practical parental oversight. You hear what they're listening to, glance at what they're doing as you walk past and are on hand to answer questions as they come up. I sit with the kids when they do coding exercises (such as the earlier video with my daughter) and check out the homework my son does on his PC. This will inevitably be a pattern that changes as they grow up, form relationships and seek (and deserve) more privacy, but certainly at this age close parental oversight is absolutely invaluable and, I'd argue, essential.
9. It's Not about Screen Time, it's about What They Do on the Screen
As I was writing this up today I flicked my sister in law a draft copy and asked for input. Think of Cathy in an edutech context as you'd think of me in an infosec context; lots of content creation, travel, speaking and thought going into the topic. Plus, she's both a teacher and a mother of kids a similar age to mine so her opinion holds a lot of weight in my book.
She emphasised today (as she has many times in the past), that the amount of time spent on the screen isn't the issue, rather it's the activities the kids are involved in. Screen time can be mind-numbing, un-constructive, "chewing gum for the brain", as they say. It can also be thought-provoking, creative and educational and I'm sure we can all relate to examples at both ends of the extreme. She shared a New York Times piece from December titled Is Screen Time Really Bad for Kids which contains this great observation:
A screen-related activity may be beneficial or harmful depending on who is doing it, how much they’re doing it, when they’re doing it and what they’re not doing instead
I suspect that at some level we all know this but often don't recognise the parental involvement required to separate those harmful from beneficial activities. I certainly need to work on that more and I recognise that one of my early failing as a "digital parent" was to allow my son to focus more on "time spent on screen" than "activities performed on screen". Recently, the penny dropped that he was viewing the allowable screen time as a goal rather than a limit; "but I haven't even reached my target time yet!" Screen time now involves him asking to use the device and discussing what he's going to do on it which so far, is working out much better.
10. Technology is a Joyous Thing to be Shared with Your Kids
Every day, I marvel at the things we can do with the consumer devices we have at our disposal. I mean I seriously stop and think about how awesome it is and reflect back to when I was my kids' ages and what I had then. Rotary dial telephones. Fax machines. Floppy disks (if you could afford a computer). I want them learning how to use technology to the fullest extent possible as part of both their social and professional development and I want them to learn how to use it well.
Occasionally after posting a video of the kids coding or similar, I'll get comments along the lines of "let kids be kids, they should be outside playing". What a ridiculous statement! It's one of those extreme points of view I mentioned earlier and it assumes that firstly, screen time is a mutually exclusive thing to physical exercise and secondly, that it somehow detracts from a child's development rather than enhances it. This view today is no more insane than the view paleolithic parents had about limited their children's access to fire time (ok, not really, but it's a fun read ?)
Tech is fun. Understand how it works, set boundaries, find a healthy balance and have a laugh with your kids. Speaking of having a laugh:
Yep, this makes perfect sense. https://t.co/2AuzRSZ7HZ pic.twitter.com/Npt4Rgsmpn— James Roper (@jroper) February 11, 2020