textwithsanta
Tech

Texting Santa is so 2016—as are privacy risks

With the launch of a new texting app, there are more ways than ever to digitally reach Santa Claus. But a recent hack of children's data from 55 Father Frost websites in Russia raises questions around privacy.
December 9, 2016

When it comes to sitting down and writing a letter to Santa, Krissa Watry, co-founder and CEO of the new IO Kids app that lets kids text Kris Kringle, puts it best:

“That’s so 1990. Not even, maybe the 1970s,” says Watry. “Today, kids text everyone. So it seemed only logical to text Santa, too.”

This Christmas season, there are plenty of alternatives to putting pen to paper. There are hundreds of global sites that let kids email Santa in various languages, such as Elf on the Shelf, Elf HQ, Letters to Santa and Claus.com, to name a few. But while the messages themselves are innocent, there are potential sinister threats involved when it comes to data security.

“I think the idea of giving kids a digital playground where they can write to Santa is a great idea. But I think it needs to be done with experienced operators who understand the norms and requirements around building a site for kids,” says Linnette Attai, compliance consultant and president of Playwell, LLC.

Case in point: Last month, Russia’s telecom watchdog, Roskomnadzor, discovered that 55 websites allowing children to write Father Frost (the Russian Santa) had been sabotaged. The information from those websites, including children’s first and last names, ages, home addresses and telephone numbers, were disclosed.

“The operator shouldn’t be asking for anything more than what they really need in order to deliver. And you’d be surprised by how little information you can collect in order to deliver really robust functionality,” says Attai. “From the Russian incident we can learn that this kind of service is really easy to get wrong and really appealing to hackers. The more information you collect, the higher your risk.”

Attai points out that in order to run a contact Santa site of any form, often simply a first name will do.

IO Kids, for example, only requires a first name and a parent’s email address.

“I used to work on ultra-secure satellite communications for the US Air Force, so I know you always have to take a defensive posture,” says Watry. “Safety is paramount to us at IO Kids, that’s why we have the parents verify that they are an adult for COPPA purposes, and from there parents are able to approve friend connections.”

The app allows kids to message with their friends and parents, along with Santa, who isn’t really a stranger after all.

“Kids can text Santa and, unbeknownst to them, their parents are actually on the other side of the chat,” says Watry. “It’s not a chat bot and the parents will have prompts through the app that say ‘Santa is busy and needs your help to respond back to the child.’”

Dynepic, the company behind IO Kids, is launching the app later this week in the Apple Store. It’s free to download but costs US$1.99 for parents to verify their own identities. It is COPPA-compliant and functions as a messaging app, but eventually will function as an identity verification tool and game network for kids. It will act much the same way that Facebook or Google+ do for adults, in that kids will be able to attach their IO Kids friends and app to games and toys for identity verification.

In Canada, the Email Santa site was launched for Alan Kerr’s nephew, then four years old, who wanted to send his letter through Canada Post but due to a 1997 strike could not. The URL was spread around and he ended up responding to more than a thousand letters that year.

“Now I just get a few more letters than Canada Post. It fluctuates each year, but this year I’m expecting 1.2 million,” says Kerr. “The site is getting translated into more and more languages, but I get about 10 a second at its peak. Canada Post is at 1.1 million.”

The emails come from every country in the world, with 40% of the traffic from the US, 30% from the UK, 20% shared between Canada, Australia, New Zealand and 10% for the rest of the world.

Digital advancements aside, most countries still offer a place to send a physical letter to (and maybe hear back from) Santa. In the US, kids address it to Santa at the North Pole, in Canada they’re asked to include the postal code H0H 0H0, in Sao Paulo, Brazil they even deliver gifts to kids in need. However, these letters do require even more personal information than an electronic one should.

“The traditional written letter would be sent in the mail and it might have the return address. But if it’s being sent online we know as adults it’s not actually going anywhere,” says Attai. “We know there’s no Santa, so we know that there’s no child name or address needed. There’s nothing wrong with setting up a website where kids send a letter to Santa, but you have to know under the privacy regulations that that letter has got to be fairly canned.”

Kerr has gained more staff over the years, which he pays for through the use of ads on the site (he doesn’t make any money himself; he calls it an expensive hobby). The staff has enabled him to be able to answer letters fairly quickly and make each one slightly different. When children go to the site, they fill out options from a drop-down menu with free spaces for what they want for Christmas and extra comments. The response is mostly automated, but it is monitored in case children have severe issues they’re bringing to Santa.

“There are instances of children in dire circumstances–the dark side of Santa–kids tell things that they don’t tell anybody else,” says Kerr.

To deal with this problem, he added an email field that offers a longer response back. But he says he is still wary of kids giving him too much personal information.

“I think we need to understand how critically important it is to build in privacy and safety protections as fundamental to any website for kids, and to really use caution before going into the space,” says Attai. “Before building a site or a service or an app for children, understand what the regulations are, understand what the industry self-regulation is before launching. It’s a very appealing market, but it comes with very specific requirements and sensitivities around how we need to protect the user base.”

About The Author
Alexandra Whyte is Kidscreen's Online Writer. Contact her at awhyte@brunico.com

Menu

Brand Menu