20
partial understanding of the nature and operation of
the internet and its uses of personal data.
The older children become, the more actively they
use the internet, and the more technical skills they
acquire (Madden et al., 2013). For example, 46% of
UK children aged 12-15 know how to delete the
history records of the websites they have visited
(27% have done it), 36% know how to use a browser
in incognito mode (20% have used it), 18% know
how to unset filters preventing them from visiting
websites (and 6% have done it), and 7% know how
to use a proxy server (3% have used one) (Ofcom,
2017b). These technical skills, however, are not
necessarily paired with good knowledge of privacy
risks or with effective privacy protection strategies.
With greater internet use comes higher exposure to
online risks, including those related to privacy –
older teens share more personal information, to
more people, and across a larger number of
platforms (Madden et al., 2013; Xie and Kang, 2015).
Children of this age (12-17) have a good
understanding of online restrictions and monitoring
by the school (Cortesi et al., 2014; Acker and Bowler,
2018) – for example, they know their online
activities are monitored when using a school
computer and the content they can access is
restricted. Children also demonstrate some
awareness of the ‘data traces’ they leave online
(e.g., in relation to seeing advertisements following
their earlier searches) (Zarouali et al., 2017) and of
device tracking (e.g., that some apps use their geo-
location) (Redden and Way, 2017), but find it hard to
make a personal connection – how their data is
being collected and to what effect (Emanuel and
Fraser, 2014; Acker and Bowler, 2018). Yet even at
this age, children have little knowledge of data flows
and infrastructure – they mostly see data as static
and fractured (e.g., located on different platforms)
(Bowler et al., 2017), which can create a false sense
of security. They have little awareness of future
implications of data traces, particularly related to
distant future, which is hard to predict or conceive
(Murumaa-Mengel, 2015; Bowler et al., 2017;
Pangrazio and Selwyn, 2018).
The online environment at this stage is seen as a
‘personal space’ for self-expression and socialising,
and children are often concerned about parental
intrusion of their privacy (boyd and Marwick, 2011;
Redden and Way, 2017; Martin et al., 2018). The
sense of control over one’s personal information,
which such online identity management provides,
can actually increase the extent of children’s self-
disclosure (Peter and Valkenburg, 2011), making
children more likely to share personal information
(Emanuel and Fraser, 2014). At this age, privacy risk
functions mostly as a ‘learning process’ – children
are mostly engaged in retrospective behaviour,
trying to rectify the past, and hold expectations that
they are able to retract their online activities
(Wisniewski et al., 2015; Wisniewski, 2018).
A major gap in children’s understanding of privacy is
that they associate it mainly with interpersonal
sharing of data and rarely consider the commercial
or institutional use of their data (Davis and James,
2013; Steijn and Vedder, 2015; Livingstone et al.,
2018b). Hence, their privacy strategies are mainly
limited to management of their online identity – for
example, withholding or providing fake information,
or creating multiple identities, removing content,
tags or withdrawing from the internet, managing
privacy settings or friendship circles (Livingstone,
2008; Almansa et al., 2013; Emanuel and Fraser,
2014; Weinstein, 2014; Mullen and Hamilton, 2016).
At the same time, children can be quite trusting of
online platforms, choosing to accept the default
privacy settings based on the belief that the site
designers and developers have already considered
privacy issues, and built adequate privacy
protections into the site’s architecture (Davis and
James, 2013) – thus undermining their own initiative
in relation to privacy.
Children struggle with some aspects of privacy –
while they know rather well what type of personal
information they have disclosed online, they are less
certain who has access to this information, and
often struggle to name the privacy setting of their
disclosed contents (Moll et al., 2014). Children are
both overestimating and underestimating how
private their profile content is, sugesting an overall
confusion rather than a tedency to underrate the
privacy risks. They tend to overestimate the privacy
of information such as favourite music and their
school, but underestimate the privacy of their email
address or birthday (Moll et al., 2014). While this
evidence is insufficient to answer all the questions
about child development, it undoubtedly points to
the need for a tailored approach that acknowledges
developments and individual differences amongst
children. It also demonstrates that data and
evidence pertaining to design standards and
regulatory frameworks based on disaggregated age
groups are low and merit further investigation.