Wednesday, December 19, 2012

FTC updates COPPA for 21st Century; some provisions could have hidden consequences for ISP;s and ordinary sites


The Federal Trade Commission has updated its interpretation and administration of the COPPA act, with a press release today, link (website url) here.

One of the most important provisions is to include geolocation as personal information that may not be collected about minors without parental consent.  Other information now regarded as “personal” includes server log information such as IP address (relative and absolute) and routing history.

Theoretically, the latter provision could affect even me (with doaskdotell.com) because I can see IP addresses on server logs, and in some cases identify who might have done the access or Google search.  

This capability was actually important in doing forensics on an incident with one of my web postings when I was substitute teaching in 2005.  I’ll have to stay tuned on this one, to see if there is any downstream impact.   (There more details about that incident on the "Bill Boushka" blog for Jiuly 27, 2007.) 

I don’t normally monitor server logs, because I don’t have time.  Website advertising services encourage webmaster to know how to mine their logs (as well of Urchin) so I do think there can be future issues here. 

Another major provision closes a loophole that let third parties  (and kids’ apps) collect information.  Cecilia Kang explained, in a Washington Post article today (here), that a company like Facebook could not collect information (as with the "Like" button associated with Facebook handles on millions of sites) from websites that it knew collected information from children, but Facebook says it has no way to know that.  Google could have a similar problem with YouTube likes.  It is not apparent that the FTC has a "handle" (pun) on how this could be done. 

Natasha Singer, in a similar story in the New York Times on Wednesday, noted that advertising schemes that use cookies could run into trouble, because they would have no way of knowing when children access them (a conceptual problem we have already seen with COPA - as distinct from COPPA). This could hook up with "do not track" issues and provide an existential problem for the web environment we know today, with user-generated content supported by automated advertising. 

The FTC rule also mentions a “safe harbor” rule.  I don’t know if this has to do with potential third party liability (and possibly with the cookie issue, or the third-party implantation problem).  I’ll have to follow up on this concept with Electronic Frontier Foundation.  I’ll report again on it.  This could become very important, on the level of SOPA. 

No comments: