Call for smart home devices to bake in privacy safeguards for kids

A new research report has raised concerns about how in-home smart devices such as AI virtual voice assistants, smart appliances, and security and monitoring technologies could be gathering and sharing children’s data.

It calls for new privacy measures to safeguard kids and make sure age appropriate design code is included with home automation technologies.

The report, entitled Home Life Data and Children’s Privacy, is the work of Dr Veronica Barassi of Goldsmiths, University of London, who leads a research project at the university investigating the impact of big data and AI on family life.

Barassi wants the UK’s data protection agency to launch a review of what she terms “home life data” — meaning the information harvested by smart in-home devices that can end up messily mixing adult data with kids’ information — to consider its impact on children’s privacy, and “put this concept at the heart of future debates about children’s data protection”.

“Debates about the privacy implications of AI home assistants and Internet of Things focus a lot on the the collection and use of personal data. Yet these debates lack a nuanced understanding of the different data flows that emerge from everyday digital practices and interactions in the home and that include the data of children,” she writes in the report.

“When we think about home automation therefore, we need to recognise that much of the data that is being collected by home automation technologies is not only personal (individual) data but home life data… and we need to critically consider the multiple ways in which children’s data traces become intertwined with adult profiles.”

The report gives examples of multi-user functions and aggregated profiles (such as Amazon’s Household Profiles feature) as constituting a potential privacy risk for children’s privacy.

Another example cited is biometric data — a type of information frequently gathered by in-home ‘smart’ technologies (such as via voice or facial recognition tech) yet the report asserts that generic privacy policies often do not differentiate between adults’ and children’s biometric data. So that’s another grey area being critically flagged by Barassi.

She’s submitted the report to the ICO in response to its call for evidence and views on an Age Appropriate Design Code it will be drafting. This code is a component of the UK’s new data protection legislation intended to support and supplement rules on the handling of children’s data contained within pan-EU privacy regulation — by providing additional guidance on design standards for online information services that process personal data and are “likely to be accessed by children”.

And it’s very clear that devices like smart speakers intended to be installed in homes where families live are very likely to be accessed by children.

The report concludes:

There is no acknowledgement so far of the complexity of home life data, and much of the privacy debates seem to be evolving around personal (individual) data. It seems that companies are not recognizing the privacy implications involved in children’s daily interactions with home automation technologies that are not designed for or targeted at them. Yet they make sure to include children in the advertising of their home technologies. Much of the responsibility of protecting children is in the hands of parents, who struggle to navigate Terms and Conditions even after changes such as GDPR [the European Union’s new privacy framework]. It is for this reason that we need to find new measures and solutions to safeguard children and to make sure that age appropriate design code is included within home automation technologies.

“We’ve seen privacy concerns raised about smart toys and AI virtual assistants aimed at children, but so far there has been very little debate about home hubs and smart technologies aimed at adults that children encounter and that collect their personal data,” adds Barassi commenting in a statement.

“The very newness of the home automation environment means we do not know what algorithms are doing with this ‘messy’ data that includes children’s data. Firms currently fail to recognise the privacy implications of children’s daily interactions with home automation technologies that are not designed or targeted at them.

“Despite GDPR, it’s left up to parents to protect their children’s privacy and navigate a confusing array of terms and conditions.”

The report also includes a critical case study of Amazon’s Household Profiles — a feature that allows Amazon services to be shared by members of a family — with Barassi saying she was unable to locate any information on Amazon’s US or UK privacy policies on how the company uses children’s “home life data” (e.g. information that might have been passively recorded about kids via products such as Amazon’s Alexa AI virtual assistant).

“It is clear that the company recognizes that children interact with the virtual assistants or can create their own profiles connected to the adults. Yet I can’t find an exhaustive description or explanation of the ways in which their data is used,” she writes in the report. “I can’t tell at all how this company archives and sells my home life data, and the data of my children.”

Amazon does make this disclosure on children’s privacy — though it does not specifically state what it does in instances where children’s data might have been passively recorded (i.e. as a result of one of its smart devices operating inside a family home.)

Barassi also points out there’s no link to its children’s data privacy policy on the ‘Create your Amazon Household Profile’ page — where the company informs users they can add up to four children to a profile, noting there is only a tiny generic link to its privacy policy at the very bottom of the page.

We asked Amazon to clarify its handling of children’s data but at the time of writing the company had not responded to multiple requests for comment.

The EU’s new GDPR framework does require data processors to take special care in handling children’s data.

In its guidance on this aspect of the regulation the ICO writes: “You should write clear privacy notices for children so that they are able to understand what will happen to their personal data, and what rights they have.”

The ICO also warns: “The GDPR also states explicitly that specific protection is required where children’s personal data is used for marketing purposes or creating personality or user profiles. So you need to take particular care in these circumstances.”

The Punkt MP02 inches closer to what a minimalist phone ought to be

There’s an empty space in my heart for a minimalist phone with only the most basic functions. Bad for my heart, but good for a handful of companies putting out devices aiming to fill it. Punkt’s latest, the MP02, goes a little ways to making the device I desire, but it isn’t quite there yet.

Punkt’s first device included just texting and calling, which would likely have worked as intended if not for the inconvenient choice to have it connect only to 2G networks. These networks are being shut down and replaced all over the world, so you would have ended up with a phone that was even more limited than you expected.

The MP02 is the sequel, and it adds a couple useful features. It runs on 4G LTE networks, which should keep it connected for years to come, and it has gained both threaded texting (rather than a single inbox and outbox — remember those?) and Blackberry encryption for those sensitive communications.

It has nice physical buttons you can press multiple times to select a letter in ye olde T9 fashion, and also lets you take notes, consult a calendar, and calculate things. The battery has 12 days of standby, and with its tiny monochrome display and limited data options, it’ll probably stay alive for nearly that even with regular use.

Its most immediate competition is probably the Light Phone, which also has a second iteration underway that, if I’m honest, looks considerably more practical.

Now, I like the MP02. I like its chunky design (though it is perhaps a mite too thick), I like its round buttons and layout, I like its deliberate limitations. But it and other would-be minimal phones, in my opinion, are too slavish in their imitations of devices from years past. What we want is minimalism, not (just) nostalgia. We want the most basic useful features of a phone without all the junk that comes with them.

The Light Phone 2 and its nice e-ink screen.

For me, that means including a couple things that these devices tend to eschew.

One is modern messaging. SMS is bad for a lot of reasons. Why not include a thin client to pass text to a messaging service like WhatsApp or Messenger? Of course iMessage is off limits — thanks, Apple — but we could at least get a couple of the cross-platform apps on board. It doesn’t hurt the minimalist nature of the phone, in my opinion, if it connects to a modern messaging infrastructure. No need for images or gifs or anything — just text is fine.

Two is maps. We sure as hell didn’t have maps on our featurephones back in the day, but you better believe we wanted them. Basic mapping is one of the things we rely on our phones for every day. Whatever’s on this minimal phone doesn’t have to be a full-stack affair with recommendations, live traffic, and so on — just location and streets, and maybe an address or lat/long lookup, like you’d see on an old monochrome GPS unit. I don’t need my phone to tell me where to eat — just keep me from getting lost.

Three, and this is just me, I’d like some kind of synchronizing note app or the ability to put articles from Pocket or whatever on there. The e-ink screen on the Light Phone is a great opportunity for this very specific type of consumption. Neither of the companies here seems likely to add this feature, but that doesn’t change the fact that it’s one of the few things I regularly use my phone for.

Light Phone 2 is possibly getting music, weather, and voice commands, none of which really screams “minimal” to me, nor do they seem trivial to add. Ride-share stuff is a maybe, but it’d probably be a pain.

I have no problem with my phone doing just what a pocketable device needs to do and leaving the more sophisticated stuff to another device. But that pocketable device can’t be that dumb. Fortunately I do believe we’re moving closer to days when there will be meaningfully different choices available to weird people like myself. We’re not there yet, but I can wait.