Children face all sorts of dangers while they browse the Internet. Can using parental control tools help protect them? The answer, according to a recent study, is no.
Surfing the Internet has become more of a necessity than ever during the pandemic, for adults and children alike – with all the related risks. While there are many parental control tools designed to help parents monitor and manage their offspring’s online activities, a broad-based study conducted by the Concordia Institute for Information Systems Engineering (CIISE) reveals that these tools may come with their own risks. In fact, instead of keeping children out of harm’s way, most of the tools can leave them even more vulnerable.
Researchers working on the study, Privacy Report Card for Parental Control Solutions, designed an experimental framework, then put various types of tools under the microscope, including network devices, Windows and Android apps, to find potential gaps. “We studied all the popular parental control tools,” says Mohammad Mannan, an associate professor at Concordia University and co-author of the study.
All sorts of problems
The researchers’ task was complicated, as their experimental framework had to be adapted to each type of product tested. The results were straightforward, and can be summarized in just a few words: the vast majority of parental control tools contain major loopholes that jeopardize the confidentiality and security of user data.
Among the gaps: transmission of unencrypted personal information to the parental control server, unsecured back-end databases that are poorly configured or unidentified, deficient authentication procedures, failure to verify parental consent, acceptance of extremely weak passwords (four or fewer characters), failure to advise parents of suspicious activity, the existence of back doors, etc.
Parental control tools collect all sorts of data: what the kids are doing, who they’re talking to, and their Facebook and YouTube history. The security flaws we’ve discovered show how easy it is to gain access [to the data]. Not to mention that with geolocation, you can also find out where the child is, which can eventually place him or her in danger.”
Mohammad Mannan, associate professor at Concordia University and co-author of the study
It’s also worth noting that security flaws can jeopardize parents’ personal information as well, and even compromise their accounts. “Some applications are just as powerful as corporate systems,” Mannan says. ”The administrator has total power. He or she can install or remove an app or block an account. That kind of power can be used to control children’s devices.”
Who’s to blame?
Why are there so many problems? Mannan points to the poor design of parental control tools. “Most of them are designed as if the data they deal with weren’t sensitive, when in fact they are.” What’s even more surprising is that solutions do exist, and they’re easy to apply.
The problems we observe are not new, and they’re not hard to solve. We’ve known how to fix the problems for years now.”
Mohammad Mannan
Why haven’t manufacturers fixed the problems by now? The CIISE study is the most broad-based report ever published on the subject, but it’s not the only one to reveal problems with parental control tools. “I would say there’s been a lot of negligence,” Mannan says. “But well, obviously there could be reasons I don’t know about that would explain why so little has been done.”
The companies in question were notified of problems with their products while the study was being conducted, but only a small proportion of them (three out of 20) took steps to solve the problems. “The others didn’t reply, or didn’t approach us till the findings were released – even though we were offering to help them free of charge,” Mannan recalls.
Is the researcher optimistic about what will happen now? Not really. “If there are going to be changes, we need to adopt strict rules on digital privacy,” he says. “And those rules will also need to be applied.”
Today, manufacturers of parental control tools are making a lot of money selling their products, without assuming any responsibility. From a business standpoint, why would they? They’re never penalized…”
Mohammad Mannan
We should note that a sizeable proportion of the tools that were analyzed contravened the rules of the Children’s Online Privacy Protection Act (COPPA) in the U.S., which imposes some requirements on operators of websites and online services in order to protect children under 13.
Where do we go from here?
So, should consumers avoid buying a parental control tool? “Personally, I no longer recommend this type of product,” says Mannan, who advises consumers to check out tools they may already have without realizing it. “Google, Apple and Windows include their own parental control tools,” he says. “People may not get all the functions they’d like, but they won’t be letting an enemy into their computer.”
The study concludes by making recommendations for businesses, including fixing vulnerabilities, adopting best practices, and limiting the collection, storage and transmission of data, as well as using trackers, setting up secure channels for sending personal data, and making sure users are notified of any suspicious activity. Mannan also suggests that children be made aware of the risks of technology. “Parents need to keep their kids informed promptly, as they do with other dangers. Because this new reality is part of life now.”
The study
Privacy Report Card for Parental Control Solutions (Concordia Institute for Information Systems Engineering, 2020) presents an experimental framework for the systematic evaluation of confidentiality and security problems with the most popular parental control tools available on various platforms, including network devices, Windows and Android apps. The most complete study conducted on the topic to date, it reveals all sorts of vulnerabilities in terms of security and confidentiality and offers recommendations to developers of parental control tools.