
Are there hotter topics these days than data security and kids’ privacy?  An FTC law enforcement settlement with the social networking site RockYou ticks both of those topical boxes and challenges a course of conduct the FTC says made it easier for hackers to access the personal information of 32 million users.  The complaint also alleges the company collected info from kids in violation of the Children’s Online Privacy Protection Act.

What was going on at the RockYou site? In addition to playing games and using other features, RockYou allowed Scorsese wannabes to create slideshows of their uploaded photos.  To register and save content for later, users had to provide a valid email address and the password for that address — as well as their birth year, gender, country, and zip code.

Once users filled out the registration fields, RockYou sent a welcome email with an activation link.  When returning to the site, users were prompted to create another password.  But they didn’t have to change it and could just re-enter the password of their email address.

The FTC’s complaint alleged that RockYou’s practices posed a significant risk of harm to consumers.  First, the company stored passwords in clear text, allowing unauthorized access to private data stored in RockYou accounts.  Second, the FTC alleged that RockYou’s practice of initially collecting email account passwords and storing them in clear text — even temporarily — created the risk of unauthorized access to people’s email.  How so?  It’s not unusual for people to use the same password for different accounts. Thus, the FTC alleged that RockYou’s practice of storing RockYou account passwords in clear text alongside users’ email addresses increased the likelihood that if intruders gained access to users’ RockYou passwords, many users’ email accounts also would be exposed to unauthorized access.
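To make the clear-text point concrete, here is an added example (not code from RockYou or from the FTC) contrasting the practice the complaint describes with the standard alternative: a per-user random salt and a slow key-derivation function, so that a copied credential table does not hand over the passwords themselves. The sample accounts, the `hunter2` password and the `PBKDF2_ITERATIONS` setting are constructed for the demonstration.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256; an assumed value chosen to keep the demo
# quick, production deployments use a higher count or a memory-hard function.
PBKDF2_ITERATIONS = 200_000


def store_cleartext(db, email, password):
    """The practice alleged in the complaint: the password is written as typed."""
    db[email] = {"password": password}


def store_hashed(db, email, password):
    """Hardened form: random per-user salt, slow hash, and no password retained."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[email] = {"salt": salt.hex(), "hash": digest.hex(), "iterations": PBKDF2_ITERATIONS}


def verify_hashed(db, email, password):
    """Re-derive the hash with the stored salt and compare in constant time."""
    rec = db.get(email)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(rec["salt"]), rec["iterations"]
    )
    return hmac.compare_digest(digest.hex(), rec["hash"])


def exposure_on_leak(db):
    """What someone who copies the table learns directly: every literal password in it."""
    return {email: rec["password"] for email, rec in db.items() if "password" in rec}


def demo():
    # Constructed sample registrations; two users who reuse the same password,
    # which is exactly the reuse scenario the complaint is concerned with.
    users = [("alice@example.com", "hunter2"), ("bob@example.com", "hunter2")]
    clear, hashed = {}, {}
    for email, pw in users:
        store_cleartext(clear, email, pw)
        store_hashed(hashed, email, pw)
    return {
        # clear-text table: passwords are readable as stored
        "leaked_cleartext": exposure_on_leak(clear),
        # hashed table: nothing in the record is the password
        "leaked_hashed": exposure_on_leak(hashed),
        # per-user salts mean identical passwords do not produce identical records
        "same_password_same_record": hashed[users[0][0]]["hash"] == hashed[users[1][0]]["hash"],
        "login_ok": verify_hashed(hashed, "alice@example.com", "hunter2"),
        "login_wrong": verify_hashed(hashed, "alice@example.com", "hunter3"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Hashing addresses only the first harm the complaint names, unauthorized access to the RockYou accounts; the second harm, exposure of users’ email accounts, comes from collecting the email password in the first place, and no storage format fixes that. The only mitigation for that risk is not to ask for the email password at all.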

Although the RockYou privacy policy said that the company “cannot . . . ensure or warrant the security of any information you transmit to RockYou! and you do so at your own risk,” it also promised that it “uses commercially reasonable physical, managerial, and technical safeguards to preserve the integrity and security of your personal information.”  The FTC charged that, contrary to this claim, RockYou failed to defend against commonly known forms of hack attacks.  As a result, hackers got hold of the personal information of 32 million RockYou members.  If people used their email passwords as their RockYou passwords, hackers could access other personally identifiable information about them. That practice, said the agency, violated the FTC Act.

What about kids who visited RockYou?  For a two-year period, RockYou accepted registrations from children under 13.  During that time, it collected email addresses and associated passwords — along with birth year, sex, zip code, and country information — from approximately 179,000 kids 12 and under.  As a result, children were able to create personal profiles and upload content, including photos.  Once kids were registered, they could post comments about other slide shows and people could comment about their public content, too.  The FTC says all this was done without the parental consent required by COPPA.

The FTC charged that RockYou violated COPPA by:

  • not spelling out its collection, use and disclosure policy for children’s information;
  • not getting verifiable parental consent before collecting kids' personal information; and
  • not maintaining reasonable procedures to protect the confidentiality, security, and integrity of personal information collected from children.

What about the statements in its privacy policy describing the company’s commitment to children’s privacy:  "Protecting the privacy of young children is especially important. For that reason, RockYou! does not knowingly collect or maintain personally identifiable information or non-personally-identifiable information on the RockYou! sites from persons under 13 years of age, and no part of our website is directed to persons under 13. If you are under 13 years of age then please do not use or access the RockYou! sites at any time or in any manner. . .  ."

The company’s practices rendered those statements false, alleged the FTC.  In addition, the FTC charged that the company’s security failures put kids’ personal information at risk.

The proposed settlement bars deceptive claims and requires RockYou to put a data security program in place that includes independent third-party security audits every other year for 20 years.  It also requires RockYou to delete information collected from kids under age 13 and mandates future COPPA compliance.  RockYou will pay a $250,000 civil penalty for the alleged COPPA violations.

Looking for resources to share with family and friends about helping kids stay safer when using technology?  Visit onguardonline.gov or the FTC's Living Life Online site for tweens and teens.
