Safeguarding podcast – Hackable Humans with Stephen Balkam CEO FOSI
By Neil Fairbrother
In this safeguarding podcast we discuss with CEO Stephen Balkam some of the work of the American Family Online Safety Institute (FOSI). We also discuss a number of potential and actual US laws that will have an impact on online child safety not just in the US but also around the world: the refresh of Child Online Privacy and Protection Act aka COPPA2, the Children and Media Research Advancement or the CAMERA Act, the Kid’s Internet Design and Safety act or the KIDS Act, and the California Consumer Privacy Act, the CCPA.
http://traffic.libsyn.com/safetonetfoundation/SafeToNet_Foundation_podcast_-_Hackable_Humans_with_Stephen_Balkam_CEO_FOSI.mp3
There’s a lightly edited for legibility transcript of the podcast below for those that can’t use podcasts, or for those that simply prefer to read.
Neil Fairbrother
Welcome to another edition of the SafeToNet Foundation’s safeguarding podcast where we talk about all things to do with safeguarding children in the online digital context. The online digital context comprises three areas, technology, law and ethics and culture with child safeguarding right in the centre of this Venn diagram, and it encompasses all stakeholders between the child using a smart phone and the content or person online that they are interacting with.
Families are an important part of keeping children safe online. While children are social media savvy, but naive in life, parents are life savvy and generally naive about social media, and one organization that is set up to close this gap is the Family Online Safety Institute or FOSI. And joining me from Washington in the US is the founder and CEO Stephen Balkam. Welcome to the podcast, Stephen.
Stephen Balkam, CEO FOSI
Thanks so much for having me, Neil.
Neil Fairbrother
Stephen, could you give us a brief resumé of yourself so we have an understanding of your background and where you’re coming from and what FOSI is all about?
Stephen Balkam, CEO FOSI
So obviously I’m born and raised here in the US, came over to the UK when I was a teenager. Went through your wonderful educational system, landed at Cardiff university, got a degree in psychology, moved to London, lived there for many years, mostly working in the non-profit sector, firstly in Kentish town, then Islington. I even ran the National Step-Family Association in 1990 out of Cambridge.
Moved back to the States and have been involved in internet related non-profits ever since. I was the first executive director of the Recreational Software Advisory Council in 1994. We launched a web labelling system in 1996 that Microsoft and others incorporated. In 1999 we created the Internet Content Writing Association, the more globalized system. Came back to the UK, we received EU funding from the Safer Internet Program to translate the system into various European languages.
And then around 2005 when this thing called Web 2.0 started to happen social media sites, first MySpace, then Facebook and Twitter and YouTube and all the rest, we realized that the self-labelling of websites, was not going to scale, particularly since kids were starting to create the content we used to try and keep them away from.
So we returned to the US and within two years, decided to rename the organization and set up FOSI, the Family Online Safety Institute, in 2007 as a forum, as a place to bring government, industry, non-profit sectors, the researchers, the educators and others to collaborate and to innovate in the space of online safety. And we have an annual conference every year in November. We just had our 13th here in DC. We have regular Hill events up on Capitol Hill. We also have European events. We’re planning an event right now in London for probably May and we’re very active in the Asia-Pacific region as well. I was in China a couple of months ago. I’m due to fly out again, although with the virus issue going on, I may not be. But we also get involved in things like Safer Internet Day and, and a range of not just our events, but other people’s.
Neil Fairbrother
Okay. And I watched some of the videos from your conference at the back end of last year and they’re well worth watching if people have time. They’re all on your website. I believe
Stephen Balkam, CEO FOSI
They’re both on our website, www.fosi.org, and we also have a YouTube channel. And yeah, there’s some very entertaining talks. We brought the Project Rocket Sisters over from Australia. We’ve been featuring authors with their new books, some pretty lively debates about artificial intelligence and stuff like that.
Neil Fairbrother
Okay. Now a key part of keeping children safe online and keeping their families safe therefore is legislation, and most social media companies used in the Western world are based in the US and most of those are based in California. So legislation and laws that are passed in the US at both a Federal and a State level, have an international, if not a global reach. And I’d like to explore some upcoming US legislations and the impact that they may have on children’s online safety. And the first of those is the revised version of COPPA, the Child Online Privacy and Protection Act, and I think this is known as COPPA2. What changes are being made there, Stephen?
Stephen Balkam, CEO FOSI
Well, before I respond to that, let me just say something. The way you typified that, I would have totally agreed with say a couple of years ago. I do believe that COPPA, the Child Online Privacy Protection Act, which is now what, 21 years old, has been pretty much the ruling piece of legislation that has been exported around the world. And very typically it means that you have to be 13 to get onto social media. Prior to 13 social media sites and others have to ask permission from parents to collect personal information about their children.
Where I would slightly now differ is that the passing of the GDPR [the General Data Protection Regulation] in Europe has changed the landscape dramatically, and is actually for the first time as it were, a European regulation is now having a big impact over here in the States. I would also add, by the way that the ICO, I don’t know if your listeners would know, it’s the information, what does ICO stand for?
Neil Fairbrother
It’s the Information Commissioner’s Office
Stephen Balkam, CEO FOSI
Right. Their recent announcement is having a profound ripple effect over here. So we’re actually seeing the regulatory landscape shifting from across the Atlantic for the first time in pretty dramatic ways.
Neil Fairbrother
Yeah, it is a very interesting moment as you say. The ICO’s proposals are all to do with privacy, privacy by design which is exactly what COPPA is all about as well. So there seems to be this convergence happening which is probably a good thing.
Stephen Balkam, CEO FOSI
Well, it’s certainly a thing. And I would throw into the mix by the way, the eSafety Commission in Australia, Julian Inman-Grant the eSafety Commissioner and they have some rather interesting powers that we don’t see in other countries. And for that matter, New Zealand has NetSafe, which also has powers given to it through its parliament. So we’re seeing a variety of models and as I mentioned earlier, I was in China just a month ago and of course they have their own much different model to say the least.
So but anyway, back to COPPA. It’s very hard to tell at this point what actual changes will be made. There is a consultation period now that has ended and we are awaiting certainly in the next few weeks to months a response to that consultation by the Federal Trade Commission. In the meantime, we heard yesterday that there will be new draft legislation being proposed from Congress well at least from two congressional offices on a COPPA 2.0 and we have not yet seen the details of that, that will literally come out tomorrow. But let’s just say that COPPA, which by the way is not about online safety, it’s really about online privacy for children.
Neil Fairbrother
Yes, perhaps you could just clarify the difference there for us, Stephen?
Stephen Balkam, CEO FOSI
Well that’s not to say that privacy or privacy is not part of safety, but it is in its original design. was geared to ensure that children were not marketed to by commercial companies online. And by the way, the age of 13 was rather arbitrarily chosen. I don’t think there was a great deal of scientific research as to say whether it should have been 12 or 16 or anything else.
13 was selected, and because of that selection, you would see the emergence of policies and practices by the new social media companies of saying it’s going to be way too hard and onerous and costly for us to go after parental permission of minors. So therefore we will just simply say, as Facebook has done, as Twitter has done, as YouTube has done, you have to be 13 to be on this platform. And that has in the minds of ordinary parents has come to be seen almost like a movie rating.
I know you guys have the BBFC, we have the MPA over here and the movie rating system, you know, rates by age, the appropriate, you know, age in which a child should see a movie. Now in this country at least those are seen as advisories, those are seen as guidance and not seen as the law. But if parents even know about COPPA or even know about the age restrictions, they think of it more in terms of the movie rating system and we see parents who actively encourage their 12 or 11 or 10 year olds to get onto Facebook, possibly because they want to communicate, make sure that they can send photos and videos to grandma or because they have a private chat room for the whole family or they want to share you know, their victories in their local soccer game, whatever.
There’s a phenomenon of parents actively encouraging their children to lie about their age, to get them on to sites like Facebook. It’s almost exactly the opposite of what we would want parents to do in terms of encouraging good digital behaviour, digital citizenship online. And that their very first introduction to social media is a falsehood. It is not a great place to start.
Neil Fairbrother
Well, indeed. And regarding 13 in the same way as you regard a movie rating, the content [on social media] though is often not like a 13 rated movie. It is often [like] X or triple X rated…
Stephen Balkam, CEO FOSI
Well and here again the movie rating and the comparison between social media or the internet and movies really breaks down. I mean if you go and see a movie, you are consuming a narrative that lasts an hour and a half to two hours and has passed some human review. Whether you agree with the rating or not, it is the one way consumption of content.
You know, we talk about the three Cs. The first C is Content, but it’s also not just consuming content, but it’s the creation of content that we need kids to be wise about. It’s also about Contact and who you allow to contact you. And finally the third C is Conduct, how you conduct yourself online, which speaks to things like cyberbullying and sexting. So there’s three Cs. Each C has two elements to it. And only one of those has some kind of equivalency to watching a movie or a television show.
Neil Fairbrother
Okay. So would it help then if there was not just an age gate, which are pretty useless, pretty feeble really. Would it help if there was an age verification system? Would that not make compliance with COPPA a lot easier?
Stephen Balkam, CEO FOSI
Well, okay, so I’ve been involved in a couple of congressional commissions looking exactly at that issue. And admittedly this was several years ago, but at the time at least there technologically there wasn’t a clear and obvious solution that didn’t also create new problems. I mean, here’s the real vexed issue. You have to somehow determine the difference between a 12 and a half year old and a 13 and a half year old and to do that, you have to depend upon things that 12 and a half and 13 and a half year olds typically don’t have, certainly not in this country. So you really can’t get a driver’s license until you’re 16 or 17 here, you typically can’t get a credit card until you’re 18. You know, on and on and on. The identifiable and easily usable ideas online typically are not around for 10, 11, 12, 13, 14 year olds.
So then you have to go to other means, and that often requires collecting even more information from kids than you would otherwise want to have or should have. And then once you have that information, those databases themselves are potentially liable to be hacked, or used in inadvertent ways that the creator’s never thought of in the first. So it’s a vexed problem.
Now if you’re China you have a personal ID number and you have facial recognition, but so far most of the countries in the West have declined to go that route.
Neil Fairbrother
Yeah, indeed. And in fact, some of our soon to be ex-EU colleagues have National ID cards, which famously in the UK, we don’t know. I appreciate that we don’t know the exact detail of COPPA2 at the moment, but I think there’s a fairly broad consensus of some of the things that it might contain. Extending the protections for privacy to 13, 14, and 15 year olds, for example, changing what’s called the “knowledge standard” from actual to constructive. Do you see those as being part of the new version of COPPA?
Stephen Balkam, CEO FOSI
I would not be surprised that, certainly in the proposed legislation tomorrow, which is different I have to stress from the COPPA review that’s currently going on with the Federal Trade Commission. I would not be surprised at all to see if both of those elements would be in the legislation and typically in this country anyway, draft legislation is floated out there to see if there’s any kind of pickup and then if it does start to move and compromises typically take place.
What’s different about the FTC review is they have the powers to, having gone through the consultation or having responded to the various different elements, they could simply change the regulation and then everyone has to fall in line. So I just want to make that clarification. I think it’s highly likely that the draft legislation we’ll see tomorrow we’ll see an increase to 16. And my guess is that it will also say that a constructive knowledge would be the, you know, the basis upon which all of this is built.
Neil Fairbrother
Okay, good. Could you just clarify what actual and constructive knowledge is? What is the difference? What does that mean?
Stephen Balkam, CEO FOSI
Well, yeah, first of all, I read psychology at Cardiff. I did not read the law, so I’m not a lawyer. I’m just trying to make that a statement first. My understanding is that actual knowledge is a child or a minor simply declaring their age and you know, either with proof or not proof and basically saying this is who I am and this how old I am. Constructed knowledge is one, and this is typically we use the ESPN, which is the sports network which is as an online site, constructive knowledge could be that, well, it’s obvious that your kids are on this site because kids love sports. So there’s a kind of a general you know, a notion, a common sense notion if you will, that of course kids are on this because kids love basketball and football and soccer and so on and so forth. So it’s rather vague. But I think that’s what they’re, they’re the in a sense they then want to put the onus back on the provider to do that.
Neil Fairbrother
So it’s kind of an inferred knowledge as opposed to specifically defined?
Stephen Balkam, CEO FOSI
Right now. First of all, I want to say right up front that I can totally sympathize with what both potential legislators are trying to do here and various advocacy groups are calling for. There are however unintended consequences with this. One of the big pushes, back in the 2,000s when we received our funding from the EU, one of the things that the Safer Internet Program was established to create, and one of the pillars, was more content for kids. And there was an awful lot of euros and pounds and dollars spent on trying to encourage content creators to create good content for kids. Now one of the problems is that COPPA and then for instance, a newer iteration of COPPA does, is it puts a barrier to that innovation, that it puts a far more legal obstacles in the way, particularly of small start-ups and other smaller companies who can’t afford the lawyers and the regulatory people to be on staff.
And then on top of that, the fear of being fined, which of course has happened increasingly here, if the FTC fines companies that have fallen foul of COPPA, whether knowingly or not, that that’s one issue. Another issue is, and I know in Europe there was quite a movement prior to the passing of GDPR, I’m talking about the rights of teens to access content.
Certainly for a 14 or 15 year old, who by the way may well have been online already for a number of years, I’m suddenly having to be asking their parents’ permission to access sites that prior to that they were perfectly free to access, including access to sites that parents might object to. Particularly if it’s a sexual identity site or some such thing. So these solutions which seem and appear on the surface to be common-sensical and, and obvious unfortunately come with their own unintended consequences.
Neil Fairbrother
Yes. One of the other features of the proposed COPPA2 legislation would appear to be an “eraser button” for children in particular to delete content that they’ve posted in a way that doesn’t violate the First Amendment. Often in America these kind of issues butt up against the written constitution and is regarded as a speech issue. But nonetheless, this is equivalent I think to the European “Right to be Forgotten”, where we treat this as a data issue. Now superficially at least we’ve got the age in COPPA to going up to 16, and we’ve got the equivalent of a Right to be Forgotten. So is this what you mean by GDPR from Europe influencing what’s going on in the US?
Stephen Balkam, CEO FOSI
For sure. I mean, Senator Markey, who is a Senator from Massachusetts, is a huge fan of GDPR. I mean, every time he speaks on the topic and he has his own proposed legislation he raises that as the gold standard and this is what we need over here. Now he is in a minority of legislators in this and you know, and there are 99 other senators who were rather busy at the moment for other reasons. And, and that’s also why I remain a little sceptical about how fast legislation could actually pass in this Congress at least. Who knows where we will be by the end of the year? There will be obviously a new House of Representatives, a third of the Senate will have changed and we may or may not have a new President. So on the broader scale, I think that there is an appetite for a Federal privacy law, which may or may not then incorporate some of the changes to COPPA. On the other hand, there has just been such dysfunction on this side of the Atlantic on getting anything done, I wouldn’t put money on it.
Neil Fairbrother
Okay. Now, the second piece of legislation that has been talked about to a greater or lesser degree in the States is called the Children and Media Research Advancement or the CAMERA Act. What is the CAMERA Act?
Stephen Balkam, CEO FOSI
Well, it’s a pretty straight forward plea for government funding of research into the impact of social media, of AI, of the devices and so on, on our kids. And back to Senator Markey, it was his proposal and we are all in favour of that.
You know, I should have mentioned right at the beginning that FOSI’s work covers three areas, public policy, industry best practices and something we call good digital parenting. Well, in the public policy side, we’re strong believers in evidence based approach to legislation, not “Daily Mail headlines”, which then get into draconian laws by the end of the week. But we need the evidence. I mean, we do a bit of research. Pew does a bit of research. I mean there’s some scattershot work being done, and I shouldn’t say it in a derogatory way, but we don’t have the kind of funds that the federal government has. And Camera I believe incorporates a total budget of $95 million over five years and we’d give it to the National Institute of Health, which is the premier body for this kind of research. So could not agree more all about it. We’ve signed on to it. We’d like to see other governments in other parts of the world do similar work.
Neil Fairbrother
Okay. Now Senator Markey as you rightly say, is extremely busy in this area because he’s also associated with yet another proposed legislation called the Kid’s Internet Design and Safety act or the KIDS Act as it’s called. And that sets out six areas for new regulation and now this is looking at things like the design or implementation of features within apps or on websites such as auto play video, endless scrolling and so on. This sounds very similar to Safety by Design from Julie Inman-Grant who we mentioned earlier.
Stephen Balkam, CEO FOSI
Senator Markey is also a big fan of the Australian model, which would not surprise you. So yeah, I mean the staffers on these in these bodies are very active and lively in terms of finding models from other parts of the world. Now that’s not true of all of the Senate offices. I mean, in fact, we’re rather parochial. We barely think about Canada, never mind the rest of the world. But in Markey’s case, he’s a Europhile and he also admires the Australia model.
Neil Fairbrother
Okay. So whereabouts in the American system is the KIDS Act?
Stephen Balkam, CEO FOSI
Oh, it is in that category of well, let me be charitable here. Senator Markey is one of the most active Senators up on the Hill, and he produces a lot of draft legislation, a great deal. And he, by the way, spearheaded COPPA all those years ago, back in 1999.
There has not been a great deal of other legislation that has actually not just seeing the light of day, but has got bipartisan support, seen its way through both Houses and been signed by a President. So it is often, I have to say rather aspirational, and a declaration of, you know, your local Senator is hard at work, you know, to protect your kids, kind of thing. And I’m trying to be charitable. That’s not to say that this won’t happen, and I will put a big caveat.
If a Federal Privacy bill does start to move and there was all kinds of signs last year that 2019 was going to be the year of the Privacy bill. It didn’t happen, and you know, I just came from a conference called “The State of the Net” yesterday where everyone is now saying 2020 is the year of the bill. If it does start to move, I would definitely put money on Markey and others attaching their various Bills from the CAMERA Act to the KIDS Act etc onto this “Omnibus bill”. Whether those additions see its way through both Houses and the President signs it is another matter. But that would be one way in which something like the KIDS Act might see the light of day.
Neil Fairbrother
Okay. One privacy Act that has recently come into effect in the US is at a state level with the California Consumer Privacy Act, the CCPA. What is that all about? What are the intentions of that Act?
Stephen Balkam, CEO FOSI
Well, again, you know, my view of that is very much a state level, well, let me put it this way. There’s been a lot of frustration in different state capitals, and this of course is where our model differs dramatically from, say, the British model, considerable frustration that the Feds or the, you know, the US government has not moved on this.
So States are allowed to go ahead and pass their own Bills which apply to their State. Now when your State is California and most of the top tech companies reside there, and never mind that most of the rest of the 49 States want to do business in that State, then when California passes a Bill or an Act like this one everyone pays attention and everyone has to pretty much adhere to it.
Now we do have something called “pre-emption” in this country and it could be that a Federal Privacy Bill, even though it’s passed after a Bill like this one, and it was passed in June of 2018, a Federal Bill could pre-empt this act. So just wanted to frame it in that way.
You know, it has a lot of similarities with GDPR and although at the same time it’s also getting folks a lot longer too, you know, to adhere to it. I think the only effect we’ve seen is a lot more notifications that cookies are on this site and it’s almost as if we now have sort of warning fatigue in this country at least going to websites that we’ve gone to for quite a long time and are now having to click approve or not approve.
Neil Fairbrother
Yes and regardless, you always click “yes” to the cookie anyway. Now we are amazingly almost running out of time, but I would like to focus a little bit on the reasons why privacy is so important, and it may sound an obvious question to ask. There was some research that came out I think yesterday from a cybersecurity company called Terbium and that showed that information and data about children had been stolen and I think the example they gave was from a hospital and this information ended up being sold on the dark web for £10 pounds per child. It’s basically identity theft. So what are the consequences for child safety there, because here we’re talking about privacy, but there are real child safety implications for this. So what do you see as the consequences of that kind of breach of privacy?
Stephen Balkam, CEO FOSI
Well, this is what I was conveying earlier about the issue of age verification for younger kids and the collection of data about them over and above what would normally be the case if they were 18 and above. Because then you create these databases of personal identifiable information, which inevitably because it’s data has the potential of being hacked. Nothing is 100% secure.
So that’s just a sort of reiteration of the unintended consequences of going after age verification and younger kids. You know, we talk about safety, security and privacy as the basis upon which you build the pyramid, which we call Digital Citizenship. Next layer up is Digital and Media Literacy, and then the final layer is Rights and Responsibilities. But without feeling secure and safe and private, you know, it’s very hard to build the skills that you need both as a child, and as an adult, of being a fully-fledged good digital citizen.
You know, as we keep finding out it is extremely hard unless we are vigilant and unless we continue to keep our browsers and our operating systems up to date and use antivirus software and so on and so forth. You know, it’s very hard to not be prone to these sorts of hacks and viruses spread. And you know, if you get that alluring looking email that invites you to click on that attachment from someone you don’t really recognize or even if it is someone you recognize, but it still seems odd or strange, it’s best to respond and say, did you really send this to me, It feels a little suspicious? We have come a long way and considering how naive we were say back in the 90s and early 2000s, but I’m afraid we are still prone as humans to being easily hackable.
Neil Fairbrother
Yes. Do you think that a 100% child safety online, is even achievable or will there always have to be some compromise where we will just have to accept that there will always be some victims of the worst kind of atrocities that we’ve read about and heard about.
Stephen Balkam, CEO FOSI
Well, no, there’s no such thing as 100% safe. We talk about making the online world safer for kids and their families because there is no guarantee that everyone will always be safe if we do the following things. One thing we do talk about is something we call the Culture of Responsibility, which talks about government’s role, industry’s role, law enforcement, parents, teachers, but also the kids themselves.
And here I think is a really important point. We talked about resiliency and how to both build and encourage kids to be resilient because they will encounter horrible content. They will encounter bullying of some sort. They will encounter hoaxes and scams and so on and breaches of their privacy for that matter. So how do we help our young people to quickly recover from these sorts of online challenges? And by the way, how do we give them the agency?
That’s a very sort of trendy word at the moment, but how can we teach them how to report bad stuff that they’re witnessing? How do they report it online? How, for instance, do they report it to the police if it needs to be escalated? How do we talk to our kids in such a way that they can easily talk to us even if it’s some very disturbing porn they might’ve seen?
If we don’t keep open lines of communication with our kids and if we shame them or blame them for stuff that they see or hear, they’re not going to tell us and it’s unlikely they’re going to report it either. So it’s kind of down to us to be good digital role models ourselves. And of course us not to pile on if there’s some kind of bullying going on online and to be respectful in the way in which we post comments on social media. It’s really down to us parents to also show our kids how to deal with this stuff.
Neil Fairbrother
Stephen, I think on that note where we were going to have to end it. Thank you so much for your time. It’s fascinating. I look forward to seeing what happens with these legislations as they unfold in in the US and very best of luck with your next conference over here in London.
Stephen Balkam, CEO FOSI
Well, thank you and hope you guys can make it. We’ll let you know.