From Protection to Empowerment: Reframing the Conversation on Youth Privacy Education

Matthew Johnson
MediaSmarts

The paper was commissioned by the Office of the Privacy Commissioner of Canada as part of the Insights on Privacy Speaker Series

September 2011

Disclaimer: The opinions expressed in this document are those of the author(s) and do not necessarily reflect those of the Office of the Privacy Commissioner of Canada.

Related video: Insights on Privacy: Matthew Johnson and Kate Raynes-Goldie


It is a mistake to think that young people, and especially teenagers, do not care about privacy; is there anything more quintessentially teenage than a locked diary? It is true, though, that youth think about privacy in different ways than adults do, and it is also true that, much like adults, their sense of the risks to their privacy is often inaccurate. Understanding how they see privacy, and respecting their priorities in terms of managing their privacy, is key to education and public awareness efforts and to reframing the public conversation about youth and privacy.

To begin with, it's useful to distinguish between two privacy concerns, which we might call personal information and personal identity. The first relates to data that identifies us, ranging from basic facts such as our names and contact information to Social Insurance Numbers, credit ratings and the tracked records of what we do online. The second is the representation of who we are online: our social networking profiles; posts, videos, comments attached to our names; what other people have to say about us, and so on. Both are important, and poor choices in handling either can have serious ramifications, but it's safe to say that youth are generally more concerned with personal identity than with personal information. Young people's interest in controlling their identity, however, gives us an opportunity to make them aware of key privacy concerns – and equip them with the skills they need to manage both their identities and their personal information online.

As part of any education effort, youth should be made aware of the three ways in which information about them is communicated: through publishing, collection and retransmission. Publishing is the term used to describe activities such as creating or posting to a social networking profile, uploading a video, image, or other media file to a sharing or streaming site, leaving a post or comment on a discussion board, and so on. Obviously, it takes a conscious decision on someone's part to publish information about themselves – though not always an informed one. That being said, this is the area in which youth are most likely to take steps to manage their privacy: the Pew study Reputation and Social Media (2010) found that young adults were most likely to take steps such as changing privacy settings, de-tagging photos and limiting the information available about them online. While this is primarily a personal identity concern – youth are mostly worried about how their friends will perceive them and the possibility that unintended audiences, such as their parents, will have unwanted access to what they publish – it is one that is relevant to personal information as well. The website PleaseRobMe, for example, shows how using services such as Twitter and FourSquare could compromise your privacy by showing where you are at a particular time (or rather, where you weren't – at home). Similarly, while it's been shown that publishing basic contact information online does not increase the risk of stranger contact or online sexual exploitation, researchers at Carnegie Mellon University have shown that U.S. Social Security numbers can be guessed with tremendous accuracy based only on a person's place and date of birth ("Carnegie Mellon Researchers Find Social Security Numbers Can Be Predicted From Publicly Available Information," July 6, 2009) – information frequently published on social networking sites. While there's no evidence that the same is true for Social Insurance Numbers, this illustrates how publishing personal information that seems inconsequential may have serious repercussions.

Data collection refers to the process by which information about someone is gathered by someone else. This may be done with the conscious knowledge of the subject, for example when youth enter a contest or fill in a survey on popular sites such as Runescape or Neopets; with the subject's consent (informed or not), or when young people choose to use a site that tracks where they go and what they do while there (and, in some cases, even after they leave the site); or without the subject's knowledge or consent, such as "datascraping" programs that harvest publicly available information from social networks or "keylogging" malware that records everything typed on a computer. Concerns here focus mostly on personal information, such as demographic information and consumer preferences (both of which provide an important revenue stream for many websites that cater to children.) At the same time, personal identity can also be compromised through these techniques – as those Missouri Facebook users who found their photos used in ads for a grocery store in the Czech Republic discovered. A final form of collection that should be noted is direct monitoring of what youth do online, whether by employers, schools or parents.

Retransmission refers to what youth choose to do with other people's personal information or identity. Opportunities to transmit others' information are constant, from forwarding photos sent by cellphone and tagging photos with friends' names to invitations to provide friends' e-mail addresses and other personal information in exchange for chances to enter a contest, earn points to access premium website content or other inducements. This demonstrates the fact that privacy management is not simply a matter of making decisions to limit the information available about you, or of projecting a desired online identity: it is also an ethical question. The issue of sexting – sending and receiving nude or provocative photos – illustrates this vividly. Research has shown that many more youth receive sexts than send them (see for example Sexting: A Brief Guide for Educators and Parents, Cyberbullying Research Center, 2010), which suggests that the original recipients (or third parties with access to the photos) are often retransmitting them. While this is clearly a case of youth making unwise choices regarding what they will publish, when cases of sexting become public it is generally because someone else has made a poor choice about what to retransmit.

What does all this mean with regard to privacy education in the K-12 sector, as well as public awareness about youth privacy issues? To begin with, it is clear that privacy education efforts must be cast in terms of privacy and reputation management. Telling youth simply not to publish information about themselves online will be ineffective, in part because it will be ignored but also because publishing is only one part of the problem. Similarly, we know that scare tactics are ineffective in reaching youth. Rather, privacy education needs to make youth feel as though they are more in control of their privacy and their online experiences – while also making them aware of the limits of that control. As well, we need to respect young people's own attitudes and priorities towards privacy.

While most organizations and government bodies concerned with privacy focus on personal information, it is clear that for most youth managing personal identity is a much higher priority. It is, of course, essential that youth learn to manage both, but we may have better success if, in the words of the educational reformer John Dewey, we "start where the learner is" and use their existing interest in managing their online identities to make them aware of the necessity of managing their personal information.

Another takeaway is that privacy education must begin early. Despite age restrictions, preteens and children are participating in social networks – nearly half of children aged 9-12 in the UK are using them, according to a study at the London School of Economics, and there is little reason to believe things are any different in Canada. Data collection, meanwhile, begins as soon as youth go online. For that reason, we need to start teaching privacy management and associated digital literacy "life skills" as early as possible and, ideally, make these educational resources available at the times and places when children begin to go online. Considering the popularity of the iPad among young children, for instance, iPad apps which teach basic privacy management skills in an age-appropriate way could be very effective tools for developing lifelong privacy habits and skills. Similarly, operators of child-oriented websites – particularly those which have a public service orientation, such as the CBC and TVO children's sites, though the participation of commercial sites might be valuable as well – could host or promote such resources. Privacy management – along with other digital literacy skills – should also be incorporated into school curricula at both the elementary and secondary levels, and teachers must be provided with both professional development opportunities and resources for classroom use.

When it comes to public awareness, finally, how we perceive youth privacy has to change. First, it must move from a focus on specific steps and technical skills to an understanding of privacy management as part of a group of interconnected skills and habits, all of which are ultimately derived from critical thinking and ethical decision making. Parents and educators need to become more aware of the intensely commercialized nature of the sites used by youth – especially those popular with young children – and the privacy concerns that result from that. The examples cited in this article show us that youth are not mere victims of privacy invasions but, more often than not, choose willingly to publish their information, allow it to be collected, or retransmit that of others. Though these choices are not always wise ones, or made in full knowledge of the possible costs and consequences, they are not naive: rather, they are typically made in expectation of the rewards – in terms of attention, social capital, or access to online content – that will result. For that reason, our public conversation on privacy must move from an emphasis on youth protection to one on youth empowerment.

Date modified: