Profiling high-school students with facebook: how online privacy laws can actually increase minors' risk

Abstract

Lawmakers, children's advocacy groups and modern society at large recognize the importance of protecting the Internet privacy of minors (under 18 years of age). Online Social Networks, in particular, take precautions to prevent third parties from using their services to discover and profile minors. These precautions include displaying only minimal information in registered minors' public profiles, not listing minors when searching for users by high school or city, and banning young children from joining altogether. In this paper we show how an attacker can circumvent these precautions. We develop efficient crawling and data mining methodologies to discover and profile most of the high school students in a targeted high school. In particular, using Facebook and for a given target high school, the methodology finds most of the students in the school, and for each discovered student infers a profile that includes significantly more information than is available in a registered minor's public profile. Such profiles can be used for many nefarious purposes, including selling the profiles to data brokers, large-scale automated spear-phishing attacks on minors, as well as physical safety attacks such as stalking, kidnapping and arranging meetings for sexual abuse. Ironically, the Children's Online Privacy Protection Act (COPPA), a law designed to protect the privacy of children, indirectly facilitates the approach. In order to bypass restrictions put in place due to the COPPA law, some children lie about their ages when registering, which not only increases the exposure for themselves but also for their non-lying friends. Our analysis strongly suggests there would be significantly less privacy leakage if Facebook did not have age restrictions.