Data security & COPPA: RockYou like a hurricane
Are there hotter topics these days than data security and kids’ privacy? An FTC law enforcement settlement with the social networking site RockYou ticks both of those topical boxes and challenges a course of conduct the FTC says made it easier for hackers to access the personal information of 32 million users. The complaint also alleges the company collected info from kids in violation of the Children’s Online Privacy Protection Act.
What was going on at the RockYou site? In addition to playing games and using other features, RockYou allowed Scorcese wannabes to create slideshows of their uploaded photos. To register and save content for later, users had to provide a valid email address and the password for that address — as well as their birth year, gender, country, and zip code.
Once users filled out the registration fields, RockYou sent a welcome email with an activation link. When returning to the site, users were prompted to create another password. But they didn’t have to change it and could just re-enter the password of their email address.
The FTC’s complaint alleged that RockYou’s practices posed a significant risk of harm to consumers. First, the company stored passwords in clear text, allowing unauthorized access to private data stored in RockYou accounts. Second, the FTC alleged that RockYou’s practice of initially collecting email account passwords and storing them in clear text — even temporarily — created the risk of unauthorized access to people's email. How so? It’s not unusual for people to use the same password for different accounts. Thus, the FTC alleged that RockYou’s practice of storing RockYou account passwords in clear text with users’ email addresses increased the likelihood that if intruders gained access to users RockYou passwords, many users’ email accounts also would be exposed to unauthorized access.
What about kids who visited RockYou? For a two-year period, RockYou accepted registrations from children under 13. During that time, it collected email addresses and associated passwords — along with birth year, sex, zip code, and country information — from approximately 179,000 kids 12 and under. As a result, children were able to create personal profiles and upload content, including photos. Once kids were registered, they could post comments about other slide shows and people could comment about their public content, too. The FTC says all this was done without the parental consent required by COPPA.
The FTC charged that RockYou violated COPPA by:
- not spelling out its collection, use and disclosure policy for children’s information;
- not getting verifiable parental consent before collecting kids' personal information; and
- not maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.
The company’s practices rendered those statements false, alleged the FTC. In addition, the FTC charged that the company’s security failures put kids’ personal information at risk.
The proposed settlement bars deceptive claims and requires RockYou to put a data security program in place that includes independent third-party security audits every other year for 20 years. It also requires RockYou to delete information collected from kids under age 13 and mandates future COPPA compliance. RockYou will pay a $250,000 civil penalty for the alleged COPPA violations.