1.
Children's fingerprints on the web -
the end of PII Authentication?
Abigail McAlpine

2.
Abigail McAlpine
Cy b er S ec u rity Researc h er ( Ph D)
from the Secure Societies
In stitu te at Th e Un iversity of
Hu d d ersfield

3.
Children's fingerprints on the
web - the end of PII
Authentication?
Abigail McAlpine

4.
AM
Background
• Cyber Security Researcher (PhD) from the Secure Societies Institute at
the University of Huddersfield
• Research on Personally Identifiable Information (PII) of children aged
(11-16) on Social Networking Services (SNS) focussing particularly on
the most commonly used platforms according to Ofcom’s “Children
and parents: media use and attitudes report 2018
• Human-based cyber security research, particularly focusing on the
“what” and “where” of sharing online when it comes to children’s
information
• Research is still in collection, public, parents and children
• My background pre-PhD was in business and marketing as a
marketing manager

5.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/5
Imagine a circle that contains all of human
knowledge:

6.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/6
By the time you finish elementary school, you
know a little:

7.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/7
By the time you finish high school, you know a
bit more:

8.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/8
With a bachelor's degree, you gain a specialty:

9.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/9
A master's degree deepens that specialty:

10.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/10
Reading research papers takes you to the edge
of human knowledge:

11.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/11
Once you're at the boundary, you focus:

12.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/12
You push at the boundary for a
few years:

13.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/13
Until one day, the boundary
gives way:

14.
AM
Brief Illustrated Guide to a PhD
• http://matt.might.net/articles/phd-school-in-pictures/14
And, that dent you've made is
called a Ph.D.:
@mattmight

15.
AM
The Secure Societies Institute (SSI)
• “Research staff and students from across the seven Schools work
collaboratively to address global security challenges as diverse as
terrorism, modern slavery, child sexual abuse and cyber crime.” –
Prof Rachel Armitage
• Nearly 100 staff and post-graduate researchers from The University
of Huddersfield working on a variety of inter-disciplinary research
projects in the hopes of addressing security topics nationally and
internationally.
15https://research.hud.ac.uk/institutes-centres/ssi/welcome/

16.
AM
Contents
• What is PII?
• What PII is collected by SNS?
• Marketing vs Security
• Ofcom report
• Parental awareness
• SNS Timeline
• Features on SNS
• Sharenting
• Fraud
• Why PII is used
• Actions for tech/users 16

17.
AMWhat is Personal Identifiable
Information (PII)?
• Personal data is information that relates to an identified or identifiable
individual.
• What identifies an individual could be as simple as a name or a number or
could include other identifiers such as an IP address or a cookie identifier,
or other factors.
• If it is possible to identify an individual directly from the information you
are processing, then that information may be personal data.
• https://ico.org.uk

18.
AM
What is PII?
• Even if an individual is identified or identifiable, directly or indirectly,
from the data you are processing, it is not personal data unless it ‘relates
to’ the individual.
• When considering whether information ‘relates to’ an individual, you
need to take into account a range of factors, including the content of the
information, the purpose or purposes for which you are processing it and
the likely impact or effect of that processing on the individual.
• It is possible that the same information is personal data for one
controller’s purposes but is not personal data for the purposes of
another controller.
18

19.
AM
What are SNS?
• SNS – Social Networking Services
• These include Facebook, Twitter, Instagram and more
• Discord/Slack other messaging services
Add a footer 19

20.
Children's fingerprints on the
web - the end of PII
Authentication?
Who is the girl on the left?

21.
AM
Marketing potential
• We can guess her age is probably between 11-14 (Wider guess of
10-16)
• We can reasonably articulate an idea of her assigned gender
• We can see her uniform – idea of location, confirmation of age
group
• We can see she has her own phone – she seems very attached

22.
AM
In marketing this would be seen as
rich data – worth investing time
and money into…
• With this information we could curate a customer persona, we could adjust
marketing, we could curate a timeline of potential sales funnels to pitch.
• This information is still very valuable to us
• We don’t need to know her identity
22

23.
AM
In security
• There’s potential to use this information in future fact finding to collate a
bigger picture of her identity
• Basic OSINT (Open-source intelligence) tools can track her and build on
the information provided
• It’s the potential of future information that will cause issues to her
identity
23

24.
AM
Ultimately
• The ability and tools to collate more information about an individual
(regardless of age) exist in both marketing and cyber security
industries
• The skills to take the information we have and turn into viable
information are already in the room, a lot of the tools and methods to
do so are very established, be it in technology or simply observing an
individual
• These cases will always exist, it is justifiable for the existence of data
collection around children online for marketing purposes – whether
directly through children’s use, or through a third party or parent’s
use or purchasing data points.
24

25.
AM
The real issue..
• Some of the largest datasets on children in the world are owned by Social
Networking Services (SNS)
• They have this information, it’s usually attached to an identity.
• Encouragement of PII sharing, location data, connecting with more users, spending
more time on the platforms
25

26.
Looking at the numbers
26

27.
AM
Ofcom Report (12-15)
• 83% of 12-15 year olds have their own smartphone
• 50% of 12-15 year olds have their own tablet
• 99% of 12-15 year olds go online for 20 ½ hours per week
• 69% have a social media profile
27Children and parents: Media use and attitudes report 2018

28.
AM
Ofcom Report (8-11)
• 35% of 8-11 year olds have their own smartphone
• 50% of 8-11 year olds have their own tablet
• 93% of 8-11 year olds go online for 13 ½ hours per week
• 18% of 8-11 year olds have a social media profile
28Children and parents: Media use and attitudes report 2018

29.
What happens when
children’s data is
breached online?

30.
AM
Privacy Pin-Ups
• “We take your privacy and security seriously.”
• “Your privacy matters to us.”
30

31.
AM
Huge changes in Facebook
• Encrypted end-to-end messages through the messenger app
• 18.4 million reports of child sexual abuse worldwide in 2018, a staggering
12 million trace back to Facebook Messenger.
• Reducing Permanence – deleting long term information as standard
(undefined) March 2019
• Right to be forgotten/ The right to erasure – GDPR 2018. Doesn’t limit the
sharing of information primarily
• Suspension of tens of thousands of applications (69,000) in Sept 2019
made by about 400 developments
31

32.
AMParental Awareness of
Minimum Age Requirement
(13)
• Facebook 32%
• Instagram 28%
• Snapchat 15%
32Ofcom Children and parents: Media use and attitudes report 2018

33.
AM
Children lie about their age
• EU Kids Online conducted studies
between 2011 and 2014 in 22
different countries
• 1 in 4 of the 9-to-10-year-olds and 1
in 2 of the 11-to-12-year-olds were
using Facebook already
• 4 in 10 gave a false age.
33

34.
AM
How many children on SNS?
• In 2011 there was an estimated 20 million minors use Facebook,
according to Consumer Reports; 7.5 million of these are under
13.
• These estimates are no longer in date and the possibility of
establishing an accurate number has been significantly
decreased as more children lie to get past age verification
systems
34

35.
AM
If we take everything at face value
Removing potential FUD (Fear, Uncertainty and Doubt) – lets say:
• Social networking services care about your privacy
• Physical information gathering/safety will always be an issue
• We can’t control children lying about their age to interact on social media
35

36.
Building a timeline of
SNS
S oc ial Networkin g S er vic es

37.
AM
Timeline
A timeline of SNS as we know it today;
• 1997: First SNS – “Six Degrees” and AOL Messenger
• 1999: MSN Messenger and Yahoo Messenger Launch
• 2001: Six Degrees Shuts Down
• 2002: Friendster launches
• 2003: LinkedIn and Myspace launch
• 2004: Facebook launches
• 2005: Reddit, Bebo, YouTube launch
• 2006: Twitter Launches, Facebook releases newsfeed feature
37

38.
AM
Timeline
A timeline of SNS as we know it today;
• 2010: Pinterest and Instagram launch
• 2012: Snapchat Launches Facebook acquires Instagram
Facebook releases newsfeed feature (2006)
38

39.
AM
Features of SNS
Some examples of features that have rolled out in the last 20 years or so.
Some in real time/ some pre-emptive.
• Location data
• Event tagging
• Friend tagging
• Facial recognition features (photo tagging)
• Messenger
• Announcements
• Life Events
39

40.
AM
Who knows what this is?
40https://www.telegraph.co.uk/technology/0/snapchat-map-do-use-safe-children/

41.
AM
Snapchat Map
• SnapMap was a feature automatically rolled out in a June 2017
Snapchat update that tagged users location on a map in real time to
all their “friends” on Snapchat
• Snapchat had already established a young user group, there was a
reward system in place for snapchat streaks resulting in points for
users, the more “friends” users made, the more streaks could be
established, the points could be gained
• There were different settings for how users could find each other –
some transparently – public/private profiles. Others, including how
you could find friends such as the apps access to your contacts, have
become better communicated over time.
41

42.
AM
Snapchat Issues
• SnapLion (IOS and Android) a play on (LEO) and “Law Enforcement Officer”
• SnapLion’s purpose is to extract data from user accounts in the aid of legal
processes and investigation
• It’s essentially a backdoor exploit to the application
• Vice (May 2019) had internal emails discussing staff abusing and circulating the
images/account communications
42

43.
AM
TikTok
• Is one of the worlds most downloaded applications, one of the top 10
globally
• TikTok stated users must be over 13 but asked for no proof
• Known previously as Musically, utilised Snapchats successful model
and Vine’s demise to carve a niche for themselves with younger
users.
• Public profiles by default – public comments by default
• If the profile was public the application had an open messaging
feature which resulted in children receiving private messages from
strangers
43

44.
AMSNS are targeting children with
marketing
• We know this because of the tailored products and services they are
marketing towards their users based on data collection and analysis
• They are rolling out features without any care or consideration for
children’s/users safety
44

45.
AM
Childrens Sharing
• Children are sharing more content about themselves than ever before
to bigger audiences
• They are more vulnerable to peer pressure at various ages
• Some of children have more understanding of SNS than their parents or
educators
45

46.
This is just children’s sharing

47.
AM
Parents Sharing
• “Sharenting” – is the term being used for parents who share a lot of
information about their children online
• Some parents have been over-sharers from the beginning with no
prompts
• However, the introduction of Facebook and features such as the
newsfeed, announcements, timeline, memories have prompted users
to share more about their lives and their children
• A lot of the PII information required can be found about users
independently, but control of the sharing about third parties who
haven’t necessarily consented to the sharing of the information still
accumulate
47

48.
AM
Fraud - Trends
• The theft of personal and financial data through social engineering
and data breaches was a major contributor to fraud losses in 2018.
• The stolen data is used to commit fraud both directly and indirectly.
• www.ukfinance.org.uk
• Recession/Economic turmoil
48

49.
AM
Fraud - Trends
• In 2009, it was announced that fraud had increased threefold in the
previous year as a result of the recession
• Cases through British court alone accounted for more than £1.1bn worth
of fraud
• April 2018, a report in America (Javelin Strategy & Research) on child
fraud reported that more than 1 million children were victims of identity
theft or fraud in 2017.
• Two-thirds of those victims were age 7 or younger.
• Six in 10 child victims personally know the perpetrator.
49

50.
AM
Why is PII used?
CIA Triad
• Confidentiality through preventing access
by unauthorized users.
• Integrity from validating that your data is
trustworthy and accurate.
• Availability by ensuring data is available
when needed.
50
www.ibm.com

51.
AM
Why is this used?
• The 3 A’s of cyber security
• Authentication, Authorization, and Accounting (AAA)
Authentication, authorization, and accounting (AAA) is a term for a
framework for intelligently controlling access to computer resources,
enforcing policies, auditing usage, and providing the information necessary
to bill for services.
These combined processes are considered important for effective network
management and security. - searchsecurity.techtarget.com
51

52.
AM
Facebook’s Timeline is 13 years old
• In 3 years time – children who have had every significant moment of
their life shared online – nearly all potential PII authentication answer.
16 years old and old enough for a debit account/card
• In 5 years time - children who have had every significant moment of
their life shared online – nearly all potential PII authentication
answers. 18 years old and old enough for lines of credit, many
products pushed in their direction will be highly likely to be targeted
at low credit
• Most will be venturing into the professional world, with everything
associated with it, including loans, linkedin profiles, historic social
media profiles
52

53.
Potential for the perfect storm

54.
AM
PII used as authentication?
• SMS and/or Email Based 2FA: Whether the site offered a SMS (text
message) or email based 2FA. Sites that offered this method earned 1
point.
• Software Token 2FA: Whether the site allowed you to perform 2FA using
a software authenticator. Popular software authenticators include
Authy, Google Authenticator, or Microsoft Authenticator. Sites that
offered this method earned 1 point.
• Hardware Token 2FA: Whether the site allowed you to use a hardware
token to perform 2FA. Popular hardware tokens include YubiKey and
Google Titan. Sites that used this method earned 3 points.
54

55.
AM
Is 2FA/MFA a fix?
55
Researcher Piotr Duszyński published a tool called
Modlishka (Polish: “Mantis”) capable of automating
the phishing of one-time passcodes (OTPs) sent by
SMS or generated using authentication apps.
Jan 2019

56.
AM
Is Biometric Authentication a fix?
• There have already been a significant number of data breaches
since the mass introduction of biometric authentication
• Biostar 2 lost more than a million files
• OPM lost 20 million
• Facial recognition is more of a gimmick than a security feature,
not enough research completed
56

57.
AM
Fingerprints and Biometrics
• Major breach found in biometrics system used by banks, UK police
and defence firms - Fingerprints, facial recognition data and other
personal information lost in the data breach from Biostar 2
(Owned by Suprema) – August 2019
• Fingerprint data is stored locally in hash on mobile devices for IOS
and most Android in Trusted Execution Environment (TEE).
• Facial recognition is not secure, nor tested enough on BAME users
– it shouldn’t be used as a security feature
57

58.
Considering everything discussed

59.
AM
Right to forget
• Doesn’t mean that other users will forget
• Doesn’t mean that children are protected online
• Doesn’t mean that children’s information is not being shared
• Doesn’t educate users/parents/children about the dangers of oversharing PII online
• Doesn’t fix the problem
59

60.
AM
Potential actions for tech
• Moving away from the PII Authentication Model – especially as a
bypass/back up for password loss
• Tackle education of users around the availability of this information
• Attempt to limit the scope of the issue – through historic deletion on SNS
(this probably won’t happen)
• We change the infrastructure of how we secure accounts – if these
security questions are to remain then there should be additional steps
involved to reset a password or gain access to an account
• We attempt to tackle this in a way that doesn’t cause additional issues –
i.e Netflix asking for photos of passports through email to confirm identity
60

61.
AM
Steps moving forward for users
• Change answers to PII Questions on SNS – use like new passwords,
ideally 3 word combinations with number/symbol contributions
and upper and lower case i.e R3dR1dingH00d!
• Use passwords specific to the SNS service you’re using
• 91% of people know reusing passwords is poor practice,
59% reuse their passwords everywhere – at home and at work –
training is necessary - Change Email password to something unique
• MFA/2FA set up where possible
61

62.
Thank You
Abigail McAlpine
Twitter @abigailmcalpine

63.
Any questions?
Abigail McAlpine
Twitter @abigailmcalpine