If I were to ask you to install an exterior door in your child’s bedroom and told you that this door could not have any locks, alarms, or other security, how would you react? Most people would be uncomfortable with an unlocked door anywhere in their house and especially in their child’s room. How could a parent properly protect their child if strangers on the outside could walk right in? How would parents get alerted if someone had entered the child’s bedroom? This scenario might seem crazy or even rise to the level of negligence. The risks to the child could be anywhere from a simple burglary to physical assault, sexual assault, kidnap, and even murder and could extend beyond the child to any other occupants of the house.
The thought of this is disturbing and it is hard to imagine any parent would be this careless. Unfortunately though, there are homes in nearly every neighborhood in our country with unlocked and unmonitored doors. These doors are not your traditional doors though, these are virtual doors disguised as computers, tablets, smartphones, smart TVs, and a host of other gadgets referred to as the Internet of Things (IoT).
Most parents teach their children common safety messages to keep them safe: look both ways before you cross the street, don’t go anywhere with a stranger, don’t touch the stove because it could be hot, etc. But what do many parents teach their kids about Facebook, Snapchat, Kik, instant messaging, texting, or web surfing? In my experience as a career technologist and former law enforcement investigator of cybercrime, parents rarely have this kind of dialog with their kids. Stranger abductions of children are incredibly rare (less than 1% of all kidnappings), yet parents spend a great deal of time talking about stranger-danger with their kids and completely miss the much bigger and more common risk of online predators.
I cringe when I hear parents ask what kind of smartphone they should buy their tween, or I see kids walking to the local elementary school staring at their smart devices along the way. In a recent study, it was found that 21% of kids in kindergarten to second grade have cell phones! I completely understand the need for parents to contact their children, but does that really need to include a data plan and 12 megapixel camera? Any of these Internet capable devices are a portal to the world and kids who do not yet understand the consequences of their actions can quickly make fatal errors. The social impacts and long-term exposure to this technology aside, kids don’t need $800 smartphones to remain in contact or to use during an emergency. Believe it or not, cell phone providers do still make basic phones especially for kids.
The risks associated with kids and technology are not born from my paranoia or hypothetical scenarios I have dreamt up over the years. During my career I have seen firsthand the devastation brought to children and families from having an unlocked virtual door to a child’s bedroom. In one such case, an adult man lured an autistic 14-year-old girl over the Internet. This man used online gaming as his method of choice. Over the course of a few weeks he established a rapport with her and kept her distracted with the game (World of Warcraft), while he asked seemingly innocuous questions spread over time to not be obvious. Questions like what her parents did for work, what their schedules were, where she lived, and what school she went to were asked of her. The suspect recorded these answers within the dossier he was building on this girl. As the two communicated via voice chat in the game, she thought she had found a great friend. What she did not realize was that this man had no interest in World of Warcraft or being her friend. That realization became apparent the day he showed up at her front door when she was home alone. This man arrived from out of state when he knew her parents would be at work and he kidnapped her.
When the police was notified of her kidnapping they began searching and luckily found the vehicle several hours later in a different state as it was traveling on the freeway. I remember getting a phone call on a weekend about this case and was asked to assist the agency that stopped the suspect’s vehicle. They had taken the male suspect into custody and the girl was safely with child welfare. I conducted a forensic analysis of the suspect’s multiple computers he had in his truck as well as searched the truck itself. In the back of this truck was rope, knives, sex toys, and a mattress. I have always believed that if this man would not have been stopped, that young girl would have been raped, tortured, and killed.
In another case I investigated, an adult man was searching for young boys in chatrooms and other online venues. He knew exactly the type of boys to target and could quickly establish rapports with them. After having sexually explicit chats with these boys, he would ask them to send nude images of themselves to him. If the boys refused, the suspect told them that he was a police officer and had already traced their Internet connection back to their physical address. The suspect told them that if they did not send the pictures, he would show up to their home and tell their parents that they were homosexual. Out of fear of embarrassment, almost every boy was coerced into send the images to this man. In many cases, he continued the blackmail and had young boys travel to his home where he would sexually abuse them. He often would send money to these boys to facilitate getting them to his home.
These two examples drive home my point, but unfortunately I have many more stories; some of which have worse outcomes. On so many occasions parents would tell me they had no idea that their kids were on the Internet, or that they couldn’t keep up with all the technology. I argue that parents have a duty and obligation to protect their children from danger and simply saying they don’t understand technology does not suffice. Parents either need to learn the technology or not allow their children to use it. Before parents allow technology to be introduced to their child or home, they should understand what the device is capable of and how to secure it.
If you are interested in protecting your own family or help someone else with their children, here are some high level suggestions that you can take:
- Limit Access: No computers, laptops, tablets, iPhones, smartphones, Xboxes, or other Internet capable devices are allowed in kids rooms, period.
- Have Oversight: Computers are located in a common area of the home that can easily be seen by adults at a moment’s notice.
- Least Privileged Access: Kids have a separate non-administrative account on computers so they cannot change settings or install software.
- Protect Passwords: Kids do not know parent’s passwords. Change your passwords and PINs occasionally.
- Start the Dialog: Parents need to have real and frank conversations with their kids about Internet safety and what kind of sexual predators exist in the world. Most kids do not tell their parents when something makes them feel uncomfortable online because the kids are embarrassed, don’t want to get in trouble, or don’t think their parents will understand the technical pieces of what happened. Parents must build trust and have these discussions often.
- Know Their “Friends”: If children are allowed on social media, parents should have full access to the profiles and ensure that any “friend” is someone they actually know in real life. A 14-year-old probably doesn’t have 750 real friends. It should not be thought of as a popularity contest.
- No Cameras Allowed: 22% of girls have posted nude images of themselves online or sent them to another person. Having kids and cameras together is an exceptionally bad combination. I have investigated cases of girls as young as 10 taking nude images of themselves and sending them to adult males.
- Use Parental Controls: Both Mac and PCs have excellent parental controls. Lock down what websites kids can go to, what times they are allowed online, and who they can communicate with. Make sure kids can’t sneak devices into their room at night, or go out to the family PC while everyone is asleep.
- Review their Browsing Habits: 90% of children ages 8-16 have viewed online pornography, the largest group of Internet pornography consumers are ages 12-17, and 70% of kids ages 7-18 have accidentally encountered pornography while searching for unrelated material. Know what kids are looking for and looking at. Examine Internet history on browsers to see where kids are going. If Internet history is being deleted, ask why. There are other ways to capture Internet history at the home router level too, which kids would should not have access to or be able to manipulate those logs.
- Use Internet Filtering Solutions: Implement technical controls both on the device (e.g., parental controls) but also on the home Internet connection. OpenDNS is an awesome way to do this, see this blog post for more: http://www.joshmoulin.com/protecting-your-family-against-inappropriate-internet-content/ This can prevent children from accidentally coming across inappropriate content and block intentional access to sites.
- Thing About All Sites: Think YouTube and Flickr are educational and should be OK for your kids to have access to? Think again, these sites are full of nudity, sexual content, violence, and many other categories of inappropriate content. If there are videos that your child needs access to, give them access to just the URL of that video in YouTube and block everything else.
- Internet Rules are for Everywhere: The rules established about appropriate Internet behavior must be for the Internet, not just within a home. Many kids find themselves in trouble while at a friend’s house or somewhere outside of the home. Make sure they understand the family acceptable use policy applies anywhere.
- Parents get Full Access: Frequently review their social media pages, posts, pictures, and sites. Ensure there is nothing that could be considered cyberbullying or that a sexual predator could use to find out where the child goes to school, lives, or works. Limit personal information such as birthdays and phone numbers and check the background of images and videos to make sure there are no hints that could lead a predator to the child. Also consider Exif data in images that may lead someone directly to the front door (for more on this, see this blog post: http://www.joshmoulin.com/how-digital-pictures-and-videos-can-be-a-threat-to-privacy/)
- Understand the Technology: Ignorance is no longer a viable option. There are many resources for parents to learn about technology and how to protect their child, some of which are provided in this post. A simple Google search for protecting kids online would be a great start.
- Consider Internet Monitoring Software: There are software products on the market that are designed to covertly monitor kids’ activity online and provide reports. These programs can be helpful and range from free software to paid commercial products.
- Ensure Profiles are set to Private: Utilize privacy settings on social media and make sure all privacy settings made available are enabled.
While apps and websites may change names, the principles and mitigating controls are the same. If parents teach kids how to use technology responsibly, have frequent communication with their kids, and follow the steps outlined above, the virtual door can be closed. Technology can be amazing and kids must know how to use it properly to be successful as they grow older and prepare for college and their careers. By taking the time to implement what is suggested here and balancing the convenience of technology access with the security controls to make it safe, kids can have a healthy relationship with the Internet and devices.
Josh Moulin is a federal defense contractor and Chief Information Officer (CIO) of an agency with a national security mission, overseeing all classified and unclassified IT and cybersecurity functions for the agency that spans the country. Josh has been recognized nationally and in courtrooms as an expert in the areas of digital forensics, cybercrime, and cybersecurity. He spent 11 years in law enforcement with his last assignment as a police lieutenant and commander of an FBI cybercrimes task force, investigating hundreds of complex high-tech crimes. Josh has a Master’s Degree in Information Security and Assurance and holds multiple certifications in law enforcement, forensics, hacking, and cybersecurity.