"Facebook has evolved from a simple dorm-room project," CEO Mark Zuckerberg wrote, after a firestorm erupted last year over the social network's data-sharing policies. Yet, one year later, Facebook still seems to be run like a dorm-room project, particularly if you consider how ineffectively it discharges its responsibilities towards children.
To parents and observers, it has been obvious for some time that many pre-teens use Facebook in direct violation of the service's rules. You don't need a Harvard education to understand why that's so: those kids lied about their age and Facebook took them at their word.
Just how big a problem Facebook's laxity has spawned is detailed in a just-released report published by Consumer Reports. Here are some of its findings:
Underage use is indeed widespread. Of the 20 million minors who actively used Facebook in the past year, 7.5 million -- or more than one-third -- were younger than 13, according to projections from Consumer Reports's national 2011 State of the Net survey of U.S. online households. Yet Facebook says that you must be 13 to join.
Many users are very young. More than five million Facebook users were 10 and under, and their accounts were largely unsupervised by their parents.
Children are at risk. One million children were harassed, threatened, or subjected to other forms of bullying on the site in the past year.
Facebook has mechanisms to try to detect underage users, but hasn't gotten its story straight about how effective they are. In March, a member of Facebook's Advisory Board, Mozelle W. Thompson, told a cyber-safety committee of Australia's Parliament that Facebook removes 20,000 underage users per day. But a Facebook spokesperson told us that such a figure wasn't accurate, though she wouldn't provide a more accurate one.
Judging by the number of pre-teens that use Facebook according to Consumer Reports, either the company's detection measures aren't very effective at identifying underage users, or those measures have been overwhelmed by the sheer number of children who can easily open an account by lying about their age.
To its credit, Facebook recently introduced a new Family Safety Center, where parents and children can learn about safe practices and access safety tools, including a "social reporting" system through which victims of bullying or harassment can report such incidents to someone they trust. But such tools don't address the problem of underage users; they're for the teens who are legitimate Facebook users.
Where's the government? So far, laws and regulations, such as the Federal Children's Online Privacy Protection Act (COPPA), haven't helped get Facebook to be more responsible about this problem. So long as Facebook didn't actually know the age of underage users at the time it let them sign up, the company could plausibly claim that it obeyed the letter (if not the spirit) of the law.
This plausible deniability may soon become a lot less effective. Jon Leibowitz, chair of the Federal Trade Commission (FTC), which enforces COPPA, recently told Consumer Reports that the FTC may soon act to tighten age verification by online services.
It's time to move forward. There is no generally accepted method for verifying the age of online users. But here's how two commercial web sites have successfully fought online fraud:
Ticket exchange service StubHub requires sellers to use a credit card number as security and, if they renege on an offer, StubHub can charge their card to buy the required tickets for the purchaser. eBay lets buyers rate sellers, which creates a public reputation for each seller that reflects how well they have served their customers.
Facebook could adapt either of these approaches to its own needs: it could discourage age fraud by requiring new account holders to submit a credit card as security and impose a stiff termination fee should it find that account in use by a pre-teen. Or it could allow adult members whose age it has verified to vouch for other members' honesty about their ages, with appropriate sanctions for violators. Neither approach is perfect. And Facebook may well devise a better solution itself, but doing virtually nothing to prevent millions of underage children from using Facebook is not an acceptable course.
The technology whizzes who operate Facebook are ingenious enough to put a huge dent in this problem. But that would require them to be proactive about it. And so far it appears that they haven't learned enough from their experience last year, when they were slow to change their practices and only did so when sufficient public pressure had arisen.
It would be a disservice to the public Facebook's executives claim to serve if they continue operating the network like a dorm-room project until they are shamed into acting responsibly, or legally compelled to do so.
To voice your opinion on this issue and discuss it with me and other Consumer Reports editors, visit our Facebook page.
Al Franken: Facebook's Proposed Privacy Plan Puts Users at Great Risk
Anonymity is not a desirable feature of open networks, which are necessarily based on a certain level of trust which cannot be established without authentication. Some noncommercial services such as file sharing may choose to accept self-signed (pseudo-anonymous) certificates as authentication, but it is ultimately in the best interest of these services to authenticate connections, even without real-world identities, in order to protect against man-in-the-middle attacks.
Authentication and encryption of all traffic is the only way forward for the Internet against the relentless onslaught of identity theft, censorship, spying, and abuse. We need to know that our data is being exchanged only with authorized parties which are positively identified. Otherwise we can only use the Internet under the assumption that we are broadcasting to the world.
I will never offer a credit card number as a crude means of authentication. This is a shockingly (and obviously) terrible idea. Think Playstation Network. We should never be required, in the name of authentication, to share an identifier which we would not be willing to share with any criminal. We must assume that such shared identifiers will eventually find their way into the wrong hands.
This is the reason for public key certificates. The only identifier we need to submit is a completely public identifier which we may freely share with anybody. The public key is a claim of digital identity (that may be bound to a real-world identity by a regulated authority) which is backed up by a cryptographically-paired private key that is never exchanged with anyone over any medium.
We need an objective basis for trust on the Internet. Otherwise freedom and privacy are both paradoxical for anyone exchanging sensitive data over the network.
Problem solved.
It is a parental responsibility to monitor their children's online habits. Parents need to be aware if their child is bullying another as much as if their child were being bullied. What is wrong with expecting parents to hold their kids accountable for inappropriate behavior?