Privo: Secure kids’ identities online
20 October, 2015
In the coming weeks we will be running features on past pilots for the National Strategy for Trusted Identities in Cyberspace (NSTIC). Here is one from Privo.
Privacy Vaults Online, Inc. (PRIVO) certifies client compliance with regulations related to children’s privacy. The company delivers services for registration and parental permission management.
PRIVO was awarded $3.2 million in 2013 to pilot tools for keeping families safe online and helping service providers comply with the Children’s Online Privacy Protection Act (COPPA). The end goal is a solution that provides families with COPPA-compliant, secure credentials. PRIVO will be working on deliverables through the end of the year.
“When we deliver this framework, it will address both COPPA for commercial purposes and the Family Educational Rights and Privacy Act (FERPA) for education,” says Denise Tayloe, CEO and co-founder of PRIVO. “It will house a directory of compliant relying parties, identity providers, attribute providers and a new type of provider that our framework addresses, consent management authorities.”
Objectives
- Build the Minors Trust Framework
- Refactor PRIVO’s existing technology and map it to the Minors Trust Framework, enabling the company to deliver parental consent at Internet scale
- Create curriculum explaining consumer data privacy rights and responsibilities surrounding custodial account management, a social responsibility program for employers and a lesson plan to teach kids to create safe passwords
Lessons learned
“You really have to take into consideration impacts on the organizations that are attempting to consume these credentials. It is not easy for relying parties to drop what they’re doing, change a behavior and adopt new privacy preserving capability,” says Tayloe.
“We learned that kids don’t know their parent’s email address,” explains Tayloe. “In the world of COPPA, you’re reliant on a child to initiate the process, and you can only collect an online identifier from a child in order to do that.”
“Anytime you’re dealing with somebody other than the originator of the account – i.e., a parent has to consent for a child for disclosure of their information – you have drop-offs along the way,” Tayloe explains. “So usability is really critical, and I don’t believe that we budgeted enough within our own pilot to handle the actual streamlined nature of what we need to deliver to the marketplace to get widespread adoption. So we’ve been back refactoring the new stuff as we’ve been trying to take it to market.”