Data protection among children and young adults

In this article, Dr. Kisfaludi Gábor shares some methods to measure how students aged between 8 and 20 consider, classify and protect their data, what factors affect them and what adults can do to strengthen their awareness.

Date 2016-03-30 Author Hungarian Safer Internet Centre
Being a Certified Information Systems Auditor for 15 years, as well as a father of school children aged between 8 and 17 years, I've been delivering 45-minute interactive lectures for students of similar ages for the last four years. During this time, I've met about 3,000 boys and girls and about 300 parents and teachers in various types of schools, from the summer camp of the elementary school to 19-20-year-old adults just before the maturity exam, in small towns all over the country and in the capital.
 
What data has this segment got which needs protecting?
Obviously, the data they have includes their own personal information, such as data for natural identification, digital identification, health status, accessibility, availability, financial and business information. However, they can also be knowledgeable about personal data belonging to others through sharing.
 
Since I had no opportunity to check their technical abilities (these have been controlled by their teachers in informatics classes in any case), I focused on the well-known PEBCAK. PEBCAK is an acronym standing for Problem Exists Between Chair And Keyboard – it's technical slang, meaning that the root of the problem is human behaviour/negligence/lack of knowledge. As all those in the IT security business know well, this is always the weakest point in the system.
 
Method
In doing such an analysis, I chose a risk-based approach, i.e. what types of information should be protected in this segment, how big could the damage be, what's the probability of the occurrence of such damage and what type of control(s) could be installed to diminish the overall damage.
 
Sampling is a widely-accepted method in audit, so I used experiments to examine the situation.
 
Experiment #1 - Perceived values of different data, privacy vs authority
Setup: I'm lecturing in school, showing power and authority over the students using either my voice or by commanding them.
 
Exercise: I ask the pupils who has an ID card with them now.
I choose one of those who indicate that they have it available to bring it to me, and borrow it for a second or two. There's been no one so far who has simply refused to do so.
 
Then I ask for something like a credit card to see if anyone has one to hand. Sometimes the answer is "Yes". Then I ask whether he or she would be willing to share it with me.
 This time, the student is more suspicious and is not so certain that they should provide it voluntarily. But, sometimes the students do hand it over while asking what I intend to do with the card.
 
Then I ask the student whether they would be willing to share the PIN code with me. At that point, almost all of the students realise that they shouldn't share this with a stranger.
 
Analysis: We have a class discussion once all belongings have been returned to the owners. My question is: why had the students given me ANY of their documents?
 
The answers from the students included:
  • You're a teacher and we ought to provide you with this information.
  • It's not a big deal to show you an ID Card. There's nothing you could do with this!
  • I have no balance on my credit card.
My next question was: did you consider saying no at any time during this process?
 
Point 1: The exercise shows that perceptions of the value of the different data are vastly different. Privacy is much undervalued as compared to any money that is readily available.
 
Point 2: Perceived power learnt during education is imprinted so much that it suppresses the perceived risk.
 
Point 3: (Any)one can be put in situations where his or her perception misleads them. This is pretty obvious for students in a classroom: just because I was standing in front of the class, they perceived me to be a teacher even if no one had ever told them so.
 
Experiment #2: Value of personal information under different circumstances 
Setup: This time I'm the nice guy. I give them paper clippings with a promotional offer from a local newspaper.
 
Exercise: Here is the offer: you get a free scoop of ice cream of your choice by filling out the form voluntarily with a couple of pieces of data ranging from name, age, gender, date of birth, phone number, email address, shoe size, preference of ice cream, perfume brands, etc.
 The form also asks for the permission of data handling and refers to the regulation of privacy and data protection of the ice cream company.
 
One scoop of ice cream costs about 200,- Ft (0,60 EUR) that can be obtained at the local ice cream booth in exchange for this little piece of paper being filled in and signed.
 
My question is this:
  • Would you like a FREE scoop of ice cream?
And later:
  • Was this ice cream really free?
  • Have you given nothing or something?
  • Wasn't it rather a business of exchange?
  • How much does it cost you to provide them with the data?
  • How much does it cost them to get your data?
  • How long does it take you to eat one scoop of ice cream?
  • How long can they use your data for?
  • Have you asked for and read the regulation of privacy and data handling of this company that you just accepted?
  • Can you delete the data? If yes, how?
  • What can you do if your data is shared with a third party?
  • Is it always a bad choice to share personal information with others?
Analysis: This segment is easily bribed with very cheap gifts even if they do have the money for the items they want. When in a purchasing situation, young people tend to focus on having the item as soon as possible, regardless of consequences. When they realise that they actually sold their own data, they either consider it to be a fair price or they start worrying.
 
I then showed them a short video demonstrating that sharing of personal data can cause direct financial damage.
 
In conclusion, when the students realised that they do not know whether they can withdraw their permission (and, if yes, how), and whether it can be shared with a third party, the vast majority declare that it should be forbidden to share any data with anyone.
 
In the session, we agreed that we must always share data with others but there must be procedures that identify who is asking for such information, and for what purpose.
 
Conclusion
In conclusion, I feel that the students I have encountered mostly lack:
  • information;
  • knowledge;
  • real life experience;
  • interest – they do not understand the concept and the importance of data protection, along with the perception of the power of retreat in case things go wrong;
  • power/respect to some adults or to certain situations – this makes them even more vulnerable to social engineering attacks than older people who are generally more suspicious.
The good news is that this generation is keen on and able to share information among themselves, so there's a better chance of them developing good practices.
 
However, as knowledgeable adults and parents, the ultimate responsibility remains with us. That can only be done by knowing what our kids are doing (detective control) and by being able to show them how to take control (teaching by example as a preventive measure) while supporting them in case things go wrong (corrective control).
 
© Dr. Kisfaludi Gábor, 2016
by Gábor Kisfaludi, PhD, MBA. CISA (Folyondár u. 68. Érd, H-2030 dkg11hu@gmail.com, LinkedIn: https://hu.linkedin.com/in/dkg11hu)
 
 