Saturday, August 15, 2015

FTC Seeks Public Comment on Parental Consent for Children's Online Privacy

The Federal Trade Commission is seeking public comment on a proposed verifiable parental consent method that Riyo has submitted for Commission approval under the agency’s Children’s Online Privacy Protection Rule.

Under the rule, online sites and services directed at children must obtain permission from a child’s parents before collecting personal information from that child. The rule lays out a number of acceptable methods for gaining parental consent, but also includes a provision allowing interested parties to submit new verifiable parental consent methods to the Commission for approval.

In a Federal Register notice to be published shortly, the FTC is seeking public comment about the proposed Riyo verifiable parental consent method including whether the proposed method is already covered by existing methods under the rule and whether it meets the rule’s requirement that it be reasonably calculated to ensure that the person providing the consent is actually the child’s parent. The Commission also seeks comment on whether the program poses a risk to consumers’ information and whether that risk is outweighed by the benefits of the program. The comment period will last until Sept. 3, 2015.
Notice from the FTC.

To file comments.

How this might work:

Riyo’s method: “Face Match to Verified Photo Identification” (FMVPI)

Riyo would verify parental consent by using facial recognition technology to compare a parent’s face to a verified photo ID (this is based on a process that is already in use). First the parent takes a picture of their photo ID with their phone’s camera or webcam and it is authenticated. Then the parent is directed to take a picture of his or her own face. The two images are compared. They also use something called “Liveness Detection” which will detect whether the person is living by identifying slight facial movements (prevents a child trying to take a photo of a static image).
This "Riyo" policy is of questionable use.  From an e-mail that a concerned parent sent in:
A video describes "Face  Match  to  Verified  Photo  Identification" ("FMVPI") technology showing the individual uploading a copy of his driver's license and confirming his likeness with a "selfie". Riyo holds an exclusive license to the underlying Jumio technology confirming photo identification. Jumio is backed by top tier investors including Andreessen Horowitz, Citi Ventures and Facebook Co-Founder Eduardo Saverin.

The Department of Homeland Security recommends stricter handling of sensitive personally identifiable information (PII). The driver’s license and biometric identifiers are stand-alone sensitive PII. There’s increased risk to an individual if sensitive PII data are compromised.
My children are now adults, but I have a cautionary tale. In 2011 my then 19 year-old daughter merely clicked a button for a "Google Offers" coupon (a beta product to compete with Groupon) and "paid" for a product without entering credit card information on a website promoting it. She was shocked and asked me how that could have happened. It took sleuth work to figure out that Google had stored my credit card information for a tennis tournament she had participated in 2010 and had applied her new charge to my stored credit card without my consent. I complained to the FTC and never heard back.

There is nothing to stop Riyo from re-purposing PII. Nor is there anything stopping Google Ventures (or any other huge, profitable investors of companies that use PII for direct marketing) from investing in this company.