Controlling children’s passwords is a flagrant breach of their privacy
By Claudiu Popa, Author and Lecturer in Fintech Cybersecurity, Information Risk and Enterprise Privacy Management, University of Toronto
As schools increasingly offer online learning, parents should examine how they manage their children’s accounts and passwords
Passwords, by definition, are secrets. We use them to identify ourselves to systems and gain authorized access to places that other people are denied access to.
Every online account is an identity, but only if it is reserved for the exclusive use of its owner.
But when it comes to the passwords of children, grown-ups often pull rank, claim ownership and exercise authority without a moment’s hesitation.
Over the past decade, there have been almost 10,000 data breaches involving personal information of all kinds, from financial transactions to health data. Data breaches are often enabled by the availability of stolen or leaked passwords that are quickly used to gain access to other sites. Although data breaches are never the victim’s fault, identity theft is a lot easier because people often choose the same password for use on different sites.
According to a McAfee study conducted in 2013, up to 74 per cent of parents control their children’s passwords. In other words, parents exercise more than just the right to inspect the child’s assets: they reserve the right to impersonate their child.
Elements of identity
By taking control over the key elements of children’s identity at a formative time in their development, adults run the risk of impacting the fragile mechanisms their children need to begin understanding abstract concepts such as the right to privacy.
Young brains use passwords as a foundational brick in building many of the structures they will need to understand the modern world. The freedom to control their own passwords has a direct and lasting impact on understanding not only the concept of identity, but also critical notions of confidentiality, trust and human rights.
In my work with schools, I often hear from youth and parents how adults maintain custody over their children’s accounts and passwords.
Children have a fragile understanding of the nature of access credentials and how they relate to their own identities. Although such abstract concepts as identity, pseudonymity and self emerge at different times, children have personal agency and their sense of self is affected by the social context in which it is constructed. The more control, the stronger the understanding of identity.
For starters, when a password is shared, it can absolve the account owner of wrongdoing, as shared custody blurs the line between account owner and point-in-time user. If someone sought to get away with nefarious acts, openly sharing a password would be the way to go, as they could more successfully cast doubt on their own culpability if it could simply be shown that someone else had access at that same time.
Online educational platforms
With the advent of student management systems and educational technology, cloud vendors and other providers have enabled school boards to create vast numbers of individual student accounts and set static passwords controlled by school boards. Canadian statistics are difficult to estimate due to a lack of enforceable security standards. However, in the United States, public schools have leaked 24.5 million records in 1,327 data breaches since 2005.
The simple act of keeping student passwords vastly increases the risk of identity abuses in the wake of data breaches, particularly in the absence of informed consent.
Closer examination and interviews with school officials show that some of the most notable names in education technology enforce this restrictive setting by default.
The common-sense approach is of course to set an initial password and allow students to change it upon first access, but with tools such as Google’s G Suite for Education this practice has changed. Passwords are set — and can be reset — by teachers.
The rigid policies that maintain custody and control over children’s passwords should raise serious privacy concerns for parents. Because such newly standardized practices arbitrarily ensure that strangers maintain control over children’s personal identities, there are very real risks to privacy, safety and reputation.
Data and reputation
When account access is shared, so is accountability. When schools set up student accounts, they use tools like Google’s G Suite, Classroom and Microsoft Active Directory that enable them to control dangerously large numbers of identities. In the event of data breaches, it may come as a surprise to administrators to discover that accountability practically always falls onto school boards and districts.
Unfortunately, it’s easy to imagine scenarios in which irresponsible administrators, emboldened by the features of systems they scarcely understand and by the comfort of knowing they can be selective about the incidents they choose to disclose, jeopardize not only the invaluable personal data of students, but also the reputation of their employer.
For example, an administrator could use a student’s account to download illicit material or carry out unauthorized activities. Such activity would potentially cause long-term damage to the student’s reputation and reflect poorly on the organization that enabled such behaviour.
Parental control and identity
But what about the pervasive instances where adults appropriate all of their children’s access credentials? When those overzealous account administrators are the children’s own parents, confusion over what exactly constitutes the right to privacy will continue as long as children are denied exclusive control over their own digital identities.
In fact, depending on the age and duration of such violations of children’s right to privacy, the development of strong personal identities may be impacted, particularly at a time when so much of modern existence is tied to their digital identities. Such confusion may explain or at least be related to the experimental online behaviours of youth and even those of adults.
The need to keep children safe by monitoring their activity must stop short of intrusion. Arguments for such actions are unjustifiable because of an abundance of simple tools — such as DNS filtering — that now exist to help enforce parental controls and protect the whole family when surfing the internet.
According to the Privacy Commissioner of Canada, young people are also more likely to be aware of and use restrictive privacy controls compared to older Canadians.
In my personal experience, discussions on such topics always begin with a fallacy: that the interests of youth differ from those of parents. Children and young adults can easily understand the need for safe online practices and apply them equally effectively without the spectre of surveillance.