Parental Consent Verification Proposal Opposed by Two Groups on Privacy, Other Grounds

The company’s president told us that’s not so, and that neither group tried to verify with AssertID any of what’s in the comment released Saturday before filing it with the agency. The comments weren’t available on the agency’s website, and it might be a few more days before that filing and any others made close to Friday’s deadline are available, said an FTC official. Only two comments were posted in FTC file P135415 at our deadline (http://1.usa.gov/1fcZett).

The parental consent verification method isn’t “reasonably calculated” to ensure that the person who gives consent is the kid’s parent, which “harms the public” because parents must “disclose a substantial amount of information without explanation,” said CDD and EPIC (http://bit.ly/19usy7w). Operators taking part in the AssertID program need “disclose only minimal information regarding information collection practices,” said the groups’ filing (http://bit.ly/18lwBop). “The application contains many ambiguities and omissions.” The application’s public version had some redacted information.

Only when a parent reaches a trust score, such as 7 of 10, can information be seen on the website or mobile app the child wants to use, along with COPPA-complaint disclosures, said CDD and EPIC. “Parents will likely learn about these other services through advertisements on the AssertID Portal, which is one way the company plans to monetize its users. The application does not discuss what happens if the trust score dips below 7 after consents have been granted, other than implying parents lose control of their consent/declines on the portal.” AssertID’s request is the first under what the agency calls a common consent mechanism, said the groups.

The company will use its parental consent website portal to show parents other sites and apps that might interest them, and kids’ information won’t be shared with such services unless permission is given, said AssertID President Keith Dennis in an interview Monday. It’s “absolutely wrong” for CDD and EPIC to say the site won’t provide disclosures until a trust rating has been achieved, he said. “Everything required by COPPA and more is available to the parent” once registered with the company, he said. “We only want the parent to have access” to a child’s information, which is “done to protect the child’s privacy, and the parents,'” Dennis said of registration.

Family and friends of a permission-giving parent must answer a “series of questions” for AssertID to verify the parent’s identity, said the comment filing. “Behind the scenes, AssertID will now have access to the parent’s complete friends list (first and last name, profile picture), as well as any information on the parent that is available under the ‘basic’ authorization settings in Facebook. AssertID uses the parent’s friend list to analyze ‘an individual’s social-graph’ or ‘web of trust’ as a second step to verification in establishing a ’trust score.'” A “core technology” of the company founded in 2008, which began work on the COPPA product three years later, is “to verify an individual is who they claim they are, through the social graph, so we need to access a user’s graph,” said Dennis. “The gorilla out there is Facebook ... so we need to know who their friends are, who their verifiers are."

Website or mobile app operators can choose the verification method they want AssertID to offer, which include allowing it only via social media or also letting it be done with a credit card or government ID, said Dennis. “We divulge that personal information to absolutely no one, except the friends and family that the parent requests for verification.” Website or app operators provide a parent’s email address and kid’s name, and all AssertID tells the site or app is whether the parent has been authenticated, said Dennis. “We provide no information to the website operator about the parent and the child” other than that, he said. “All we provide is whether or not the parent granted consent or declined consent or requested that in the future consent be revoked.” AssertID is funded only by executives and is waiting for FTC approval before starting the service, said Dennis. Potential clients don’t want to sign up until the agency gives its OK, he said. “In general, operators are so afraid of the consequences of being out of compliance with COPPA, that we are not going to move until we have FTC approval. So we are not in sales mode at this point."

The commenters based their concern on what was in AssertID’s application, not in any other statements from the company, and so if it made a new filing, CDD would review the material anew and support it if the concerns were addressed, said CDD Legal Director Hudson Kingston in an interview. “What’s in the application itself is what really matters, so we didn’t put too much stock on information outside of it.” Proposing a form of verified consent “that’s better than anything out there” won’t be opposed by anyone, and the first-of-its-kind application is like a “work in progress,” said Kingston. “If they decide to reapply, then of course we would give them a chance."

What’s in the application doesn’t say parents can opt out or get more privacy information without going through the entire verification process, said Kingston. It’s unclear if all the information AssertID asks about, such as a parent’s photo and full name, needs to be provided to complete the process, he said. “Until you log in, divulge a lot of information about yourself, link that information to your child, have a lot of third parties verify that information,” one can’t necessarily get the COPPA disclosure materials, he said. “It does seem to come at the end of a long process.”