Think of the children

Last week, the Times ran an article about a new website promising to be “Facebook for Kids”: School Together Now. According to the article, an ordinary mother of 3 got the idea for the site to allow parents to be more involved with their kids, and to give children aged 7-12 the benefits of social networking (Facebook, for example, limits membership to those older than 13). School Together Now is set to officially launch on the first of the year, but is already open for public registration and has been written up several times by the press.

We’ll leave the question of whether young children need a social network for sociologists and psychologists; there are difficult enough questions on how to design security for this vulnerable age group. Jonathan Anderson and I reviewed School Together Now and were disturbed by its lack of answers. The first thing we noticed was that logging in without entering any username or password provided full access via the account of the user “Amber Munt” (this works from the log-in box displayed after clicking “Children->Register/Login”). The next thing we noticed was the site’s About Us page, which states the goal of allowing advertisers to “Get themselves in front of their favourite customers (i.e. parents with deep pockets!)” Further investigation revealed a pattern of poor security choices driven by the desire for rapid commercialisation, which is inexcusable for a site specifically marketed at young children.

Linking online users to real-world people is a difficult problem, but it is particularly important in a social network for children. School Together Now, however, makes no attempt to ensure that users are who they claim to be. Creating an account requires just an email address and a name. Neither of these values is checked, so a user could be anybody: a child, an adult, a child predator, a web spider, or a spambot (we have already observed a profile consisting solely of information about an online Viagra distributor). Furthermore, no attempt is made to verify a user’s age. While this is difficult for a website to do reliably, it is good practice to at least require users to declare their age. Lying about one’s age provides evidence of malevolence which can be used during prosecution, and is a crime by itself in some countries. Currently, one can create an account giving unlimited access to the site without providing any false information or even agreeing to terms of service! The site similarly makes no effort to verify claimed affiliation with a school or a parent account. We were able to link our test account to any primary school we wished. Facebook, by comparison, requires a valid email address in a school’s domain to join academic sub-networks. Child accounts can also accept a parent link request with a single click. This is asking for trouble, as children might feel obliged to accept a request from generic names like “Mom” or “Dad”.

School Together Now’s information sharing model is also fundamentally broken. The default settings share all entered information, which could include email addresses and phone numbers, with all users on the site, who could be anybody. Although the website classifies users into groups like children and parents (and also “advertisers”), there are no restrictions on communication between them. Furthermore, all users can post information to forums, which are viewable to the global internet, even search engine caches! Information posted by users may be reviewed by moderators and deleted, but we were able to locate clearly sensitive information such as age, personal habits, school membership, and location, which had been left in forums for weeks. There is also a “private messaging” function which allows users to communicate directly with each other outside of the moderation system.

With these design choices, School Together Now has chosen to ignore industry best practices and official recommendations of the European Network & Information Security Agency (ENISA) and the Home Office. Registration at sites like Facebook and MySpace requires at least a valid email address, verified by a registration message (a valid school email to join a specific school network), and agreement to terms of use which include a declaration of age. More restrictive sites, such as the travel site Couchsurfing, require physical verification of an address using the post. Online social environments aimed specifically at kids typically provide even more security. Disney’s Toontown Online game, for example, allows free-form chat only between friends who have been verified out-of-band. This is appropriate for a children’s site, where the goal is to communicate with existing friends, not to find new ones. Finally, it is necessary to provide a clear mechanism to report abusive behaviour on each page of a site aimed at children. The current website implements two (incompatible) means of private messaging, but no clear system for reporting abuse! School Together Now has further ignored several ENISA recommendations such as having privacy settings default to the highest level.
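The registration checks and defaults listed above, sketched as an added example (this is not code from School Together Now or from any site named in the post). The HMAC confirmation token, the `SCHOOL_DOMAINS` table and all function and field names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional

SECRET = secrets.token_bytes(32)  # per-deployment key for confirmation tokens (assumed scheme)

# Constructed sample data: school name -> e-mail domain it controls.
SCHOOL_DOMAINS = {"Example Primary": "example-primary.sch.example"}


def email_token(email: str) -> str:
    """Token carried in the registration message; proves control of the address."""
    return hmac.new(SECRET, email.lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class Account:
    email: str
    declared_age: int
    school: Optional[str] = None
    # Privacy starts at the most restrictive level; the user may relax it later.
    profile_visibility: str = "verified_friends_only"
    verified_friends: set = field(default_factory=set)


def register(email, token, declared_age, accepted_terms, school=None):
    """Create an account only once every check has passed; empty input never succeeds."""
    if not email or "@" not in email:
        raise ValueError("e-mail address required")
    if not hmac.compare_digest(token or "", email_token(email)):
        raise ValueError("e-mail address not confirmed")
    if declared_age is None or not accepted_terms:
        raise ValueError("age declaration and terms acceptance required")
    if school is not None:
        domain = SCHOOL_DOMAINS.get(school)
        if domain is None or email.lower().rsplit("@", 1)[1] != domain:
            raise ValueError("school link needs an address in the school's domain")
    return Account(email.lower(), declared_age, school)


def may_chat_freely(sender: Account, recipient: Account) -> bool:
    """Free-form chat only when both sides list each other as out-of-band verified friends."""
    return (recipient.email in sender.verified_friends
            and sender.email in recipient.verified_friends)
```
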

As a result, information shared with School Together Now is as visible as that on a public internet forum. From a security perspective, though, School Together Now is far worse because it claims to provide a “safe and secure environment for children” (conceivably a violation of truth in advertisement guidelines). The perceived security encourages disclosure of private information by children; the site then functions as a convenient aggregation point for predators to trawl.

Why would a website, ostensibly started by a concerned mother, launch with such lax security? Why would the site have fewer safety measures than Facebook, which specifically excludes children for security reasons? Numerous coding flaws in the site indicate both rushed engineering and a preoccupation with advertising revenue: “Advertisers” are a user class, links to “Classified Ads” and “Job Postings” are prominently displayed throughout the site, and even children are encouraged to “Become an Affiliate” and “Start Earning Today!”

There are interesting questions about the nature of children’s internet experience in the future. Currently, popular children’s sites such as Toontown Online, Club Penguin, and Webkinz are primarily intended for playing games and have only very weak social networking features. If there is real demand for social networking for children, it’s not being met by the major players like Facebook and MySpace, although both are fighting aggressively to grow their user base. Major sites may be scared away from registering children for fear of bad publicity or legal liability, leaving the door open for smaller companies like School Together Now to target this demographic despite completely inadequate security. Fools rush in where angels fear to tread.