On the heels of the US State of Montana becoming the first state to ban the popular social media app TikTok,1 many parents are evaluating the risk associated with their children’s online presence. Recent initiatives in Europe and the United States have aimed to curb some of these harms, but it has come at the expense of privacy. Though there are dangers associated with children being online, it is imperative to not sacrifice privacy in an effort to protect minors.
The Dangers of Social Media
Social media can allow people to find community, make new friends, express themselves and stay in touch with long-distance friends and family. But there are also numerous dangers that can come from minors being online. Of note, much of the research on social media’s impacts focuses on minors, but it is also worth considering how these harms affect adults.
One such danger is privacy-related risk. Many social media applications (apps) collect excessive amounts of personal information. This personal information may then be shared with or sold to third parties. Figure 1 shows the information the Instagram app may collect. Collecting this much information is extreme, as many of these categories of data, especially health information, search history, browsing data and location, can contain sensitive information and are not needed for the app’s basic functioning.
Source: Apple App Store
In addition, photos of minors and photos posted by minors may be used to train facial recognition databases,2 and many people who post pictures online are unaware of their photos being used in this way. Some data brokers obtain and sell information that is posted on social media sites, often without data subject consent.3 This information, when combined with data from other sources, can be used for fraud or to violate minors’ privacy.
Social media may also allow minors to overshare information. There are privacy ramifications associated with oversharing. For example, a minor may have a public Instagram account with photos of friends wearing school t-shirts. This information makes it easy to determine where that minor goes to school and their location during school hours.
Social media can also be addictive. Notifications and the novelty associated with new posts and information can cause the brain to release dopamine, which feels enjoyable.4 Individuals from Generation Z, those between the ages of 18-26, spend a great deal of time online—approximately 16% spend more than 5 hours on social media and almost 31% spend 3-5 hours on social media.5 But there are serious concerns associated with spending so much time online. A study found university students who spent more than 3 hours on social media daily had higher rates of depression, substance abuse, stress and suicide.6 And the amount of time spent online correlates with cyberbullying behaviors.7
One of the most serious concerns associated with social media use is the effect it can have on users’ self-esteem and mental health. The US Surgeon General Vivek Murthy, MD, declared social media to be a hazard to teens’ health.8 A study found that teens who reduced their time on social media by 50% experienced an improvement in how they felt about their appearance and weight compared to those who did not reduce their time on social media.9
One of the most serious concerns associated with social media use is the effect it can have on users’ self-esteem and mental health.
Given the plethora of risk associated with social media use, it is understandable to be concerned about minors’ use of social media. But some recent legislative-related initiatives aimed at protecting children and teenagers online have, perhaps inadvertently, harmed privacy for minors and adults.
Utah’s Social Media Regulation Act
The US State of Utah recently passed the Social Media Regulation Act (the Act), which is comprised of two bills.10 It requires minors to have parental consent before signing up for a social media site and gives parents access to these accounts. It also prevents minors from using social media between 10:30 pm and 6:30 am and prohibits data collection on and ads targeted to minors.11 One of the bills requires social media enterprises to ensure that they are not building addicting platforms, and it allows social media enterprises to be sued if it is believed minors are addicted to or harmed by their social media sites.12
At first glance, the Social Media Regulation Act may seem like a good idea: parental consent and monitoring of minors on social media could counteract some of the related risk. But after further examination, there are concerns about privacy and the Act’s efficacy.
Given that social media sites are, for the most part, free to use, it is highly unlikely they will be designed and built in a way that is not addictive.13 Social media feeds are infinite and allow for unending scrolling. Cues such as reaching the bottom of the screen or building in natural places to take a break are not conducive to social media sites’ goal of keeping users engaged.14 So would social media enterprises need to design special interfaces for minors in Utah?
The specifics of how this Act would look in practice have not yet been established. But age verification other than simple self-identification, which is how social media sites are currently configured, comes with numerous privacy concerns. It is reasonable to assume that social media users of all ages would need to provide some proof of age. Chances are that some kind of official documentation (e.g., driver’s license) would be necessary to verify ages. But that kind of documentation also contains other sensitive information, including home address, height, weight and organ donor status. It is unclear if or how long that information would need to be stored by social media providers, and adult users would understandably be concerned with providing it to social media enterprises.
In the process of seeking to improve privacy for minors, this Act has diminished the privacy minors would have from their parents. Providing teens with privacy for their online accounts can help teach them accountability and the consequences of their online presence.15 It is also important to consider that not all parents provide their children with a safe environment. For example, a minor talking to friends about abusive parents could be in serious danger if those abusive parents can access private messages.
In addition to the privacy consequences of the Act, it is also unlikely that it will be effective in limiting some of the harm caused by social media. The Act assumes that minors are completely honest and forthright with their parents. A 2012 survey found that 70% of teens hide their online behavior from parents.16 (More recent data are not available.) Minors may also have multiple social media profiles and only allow family to know about one profile, keeping a separate, private profile for friends. One study found that nearly two-thirds of 8–11-year-olds have multiple social media accounts or profiles, with the most common reason being to have a separate profile just for family.17 And unless social media sites change their age verification and interface globally, it would not be difficult for minors in Utah to override the controls social media sites put in place. There are numerous free and easy-to-use virtual private network (VPN) services that minors can use to make it appear that they are not accessing social media in Utah.
Undermining Encryption
Social media is just one threat to children, and it is not the first frontier in which legislators have jeopardized privacy in the name of protecting minors.
Child sexual abuse material (CSAM) is a serious problem. In 2020, 65 million images and videos of child sexual abuse were discovered on the Internet.18 Knowing this material exists can revictimize those whose abuse is shared online.
In an effort to stop the spread of CSAM, some have advocated for limiting encryption. Legislation proposed in the European Union could require messaging services to scan the contents of messages for CSAM.19 Leaked documents reveal that some Spanish leaders support complete bans on end-to-end encryption by EU-based service providers.20
This is a security and privacy concern as many messaging applications, such as WhatsApp and Signal, use end-to-end encryption because it prohibits providers from being able to review message content. People want and need to be able to communicate privately and securely, and end-to-end encryption allows that to happen. The distribution of CSAM must be stopped, but the solution is not undermining encryption because the privacy implications for adults and minors would be severe. It is important to remember that something that could potentially filter CSAM would also have access to other information, such as private conversations and photos not containing CSAM. It is not possible to selectively limit end-to-end encryption only for CSAM.
Takeaways for Privacy Practitioners
Privacy professionals who work at enterprises that process minors’ data must act to ensure that minors are protected. At a minimum, this means complying with any age-related regulatory requirements around collecting and processing the data of minors. In the United States, the Children’s Online Privacy Protection Rule (COPPA) has requirements around processing children’s data, and many laws and regulations such as the EU General Data Protection Regulation (GDPR) and the People's Republic of China Personal Information Protection Law (PIPL) have specific requirements about processing and collecting minors’ data.
Enterprises whose data subjects include minors, especially social media sites, should ensure that there are processes in place to encourage all users to review their privacy settings. Default settings should be privacy preserving (e.g., social media posts should not be set to be public by default) for all users, not just minors. If proof of age is required to access a service (e.g., a copy of a birth certificate), it is essential to protect this information. Privacy professionals should explore how their enterprise business models relate to privacy (e.g., if the enterprise relies on selling data to third parties) and ensure that privacy objectives are not at odds with other enterprise objectives.
Privacy professionals must act as ambassadors. This means explaining the privacy impacts of an enterprise’s initiatives aimed at protecting children. Something that limits the privacy of adults will likely also limit the privacy of minors. Those working in privacy for government organizations should provide their input on laws, regulations and initiatives that may impact privacy. Legislators often do not have technical privacy knowledge—it is quite possible that those in Europe who have proposed scanning private messages do not understand why this is problematic and what its privacy and security implications would be.
Children’s online privacy is not just compromised by what they post; it is also from what their families post online about them.
Privacy professionals also should evangelize privacy outside of work; explain to friends and family the dangers of posting pictures of children online and oversharing. Children’s online privacy is not just compromised by what they post; it is also from what their families post online about them. Privacy professionals should encourage people to review their privacy settings and not post photos to public audiences.
The addictive nature of social media and the mental health implications of its use may be beyond the scope of privacy experts’ work. That said, informing executives of these impacts can be a good first step to explore ways in which design can be less addictive and detrimental to mental health.
Conclusion
Minors are online more now than ever before, and organizations are taking steps to protect them, but they should not sacrifice privacy in the process of protecting children. Privacy professionals who can be advocates for privacy and encourage people to think more critically about what is posted online can help create an online experience that protects children and preserves privacy.
Endnotes
1 Archie, A.; “Montana Becomes the First State to Ban TikTok,” National Public Radio, 18 May 2023
2 Clearview AI, “Clearview AI Principles”
3 Ikeda, S.; “Major Data Broker Exposes 235 Million Social Media Profiles in Data Leak,” CPO Magazine, 28 August 2020
4 Gripenstraw, K.; “Our Social Media Addiction,” Harvard Business Review, November-December 2022
5 Lebow, S.; “How Gen Z Consumes Media in 5 Charts,” Insider Intelligence, 21 December 2022
6 Op cit Gripenstraw
7 Kao, K.; “Social Media Addiction Linked to Cyberbullying,” UGA Today, 30 March 2021
8 Porter, J.; “US Surgeon General Says Social Media May Be Hazardous to Teen Health,” The Verge, 23 May 2023
9 Newton, D.; “Teens Who Cut Down on Social Media Have Higher Self-Esteem,” Psychology Today, 13 March 2023
10 Morrison, S.; “Utah’s Social Media for Kids Law Could Be Coming to a State Near You,” Vox, 25 March 2023
11 Miller, S.; “Utah Passes an Age-Verification Law for Anyone Using Social Media,” National Public Radio, 24 March 2023
12 Op cit Morrison
13 60 Minutes, “Facebook Whistleblower Frances Haugen: The 60 Minutes Interview,” 3 October 2021
14 Price, C.; “Trapped—The Secret Ways Social Media Is Built to Be Addictive (and What You Can Do to Fight Back),” Science Focus, 29 October 2018
15 Drexler, P.; “Why Teens Need Privacy Online,” Psychology Today, 6 December 2013
16 Sutter, J.; “Survey: 70% of Teens Hide Online Behavior From Parents,” CNN, 2 June 2012
17 UK Office of Communications (OfCom), Children and Parents: Media Use and Attitudes Report 2022, United Kingdom, 30 March 2022
18 European Commission, “Fighting Child Sexual Abuse: Commission Proposes New Rules to Protect Children,” 11 May 2022
19 Statewatch, “European Commission: ‘The Content Is the Crime,’ So Let's Break Encryption,” 24 May 2023
20 Newman, L. H.; M. Meaker; M. Burgess; “Leaked Government Document Shows Spain Wants to Ban End-to-End Encryption,” Wired, 22 May 2023
Safia Kazi, CIPT
Is a privacy professional practices principal at ISACA®. In this role, Kazi focuses on the development of ISACA’s privacy-related resources, including books, white papers and review manuals. She has worked at ISACA for 9 years, previously working on the ISACA® Journal and developing the award-winning ISACA Podcast. In 2021, she was a recipient of the AM&P Network’s Emerging Leader award, which recognizes innovative association publishing professionals under the age of 35.