The researchers found the Children's Online Privacy Protection Act (COPPA), enacted to protect the privacy of children under the age of 13, indirectly puts their privacy at risk because some children lie about their ages when registering on social media sites.
To protect children's privacy, online social networks – such as Facebook and Google+ – take additional precautions such as not listing minors in searches of a high school or city and displaying only minimal information in minors' public profiles no matter how they configure their privacy settings.
In order to bypass these restrictions and join a social media site, children under 13 will sometimes lie about their ages, often saying they are over 18 years of age. The social network will then consider them adults and no longer take special precautions to protect their privacy.
By gathering and statistically processing the friend lists of these lying minors, the research team showed that it is possible to find most of the students in any target high school – including those registered truthfully – and create detailed profiles of them. The analysis strongly suggests there would be significantly less privacy leakage to third parties without the COPPA law.
The NYU-Poly Department of Computer Science and Engineering research team led by Professor Keith Ross, the Leonard J. Shustek Professor of Computer Science, with doctoral students Ratan Dey and Yuan Ding, found that by using Facebook – with modest online crawling, computational resources and simple data-mining practices – an attacker can create extensive profiles of most of the minors in any target high school.
These profiles include full name, hometown, high school, grade and profile picture, and for many students much more. This amounts to significantly more information than what is available in a minor's public profile on Facebook.
To demonstrate the attack, the researchers applied it to three high schools in different regions of the United States. An attacker could use such profiles for many nefarious purposes, including selling the profiles to data brokers, large-scale automated spearphishing attacks on vulnerable minors, as well as physical safety threats such as stalking, kidnapping and arranging meetings.
The NYU-Poly researchers calculated how much privacy leakage there would be with and without the COPPA law. The results suggest that an attacker can discover significantly more minors and build more extensive profiles than what would be the case without COPPA.
"The problem with the COPPA law is that it introduces an incentive for minors to lie about their age," Ross said. "Lying about their age not only puts their own privacy at risk, but those of other minors who do not lie. However, there are solutions that both the federal government and Internet services can implement independently or together to make online social networks safer for young users."
One possible solution is to repeal the law. But Ross said social media sites could also significantly improve children's privacy by disabling the friend reverse-lookup feature, by which a user who hides her friend list can still be discovered on a friend's page.
"It is also important that parents assess the privacy risks of their children in light of this new study," Ross said. "Children need to know that, just as in the physical world, the actions of their virtual friends affect them."