Social
Networking Site
Divulges Child's
Personal Data
by David Lazarus
Jane Yang, a 30-year-old
marketing coordinator, was
curious the other day to see
what would turn up if she
searched for herself on Reunion.
com, a Los Angelesbased
social networking
site.
Sure enough, there was her
name, which didn't bother
the Oregon resident all that
much. Nor was she particularly
troubled that her husband's
name was included
under her "Friends & Family."
What did startle Yang was
seeing the name of her 4-
year-old son.
"That made me really,
really angry and really worried,"
Yang told me. "I'm
scared about predators out
there."
The incident serves as a
cautionary tale for anyone
who thinks kids' personal
information is excluded
from the data smorgasbord
that is the Internet. As
Yang discovered, there's no
telling what can turn up as
vast databases of sensitive
information are bought and
sold by private companies.
Reunion.com's privacy
policy says the site
"prohibits registration by
and will not knowingly collect
personally identifiable
information from anyone
under 13." But that doesn't
address the site's own datagathering.
Jeff Tinsley, Reunion.
com's chief executive,
said the company recently
purchased records on millions
of people from a data
broker. But he said the broker,
which he declined to
identify, was instructed not
to include anyone under 18.
"We have no idea how this
happened," Tinsley said.
After seeing her son's
name online, Yang, who
wasn't a Reunion.com
member, called the company
to find out what was
going on. She was especially
distressed that the
listing for her husband's
name included the family's
town, Beaverton – not the
sort of information she
wanted anywhere near her
son's identity.
Yang said a service rep
told her that the site receives
its information from
public databases.
What databases? Yang said
the rep couldn't answer
that.
A supervisor came on the
line. Yang said she was told
that her son's name probably
came from state vaccination
records or from the
Centers for Disease Control
and Prevention. This is
common, Yang said the
supervisor told her.
Actually, no.
"This is absolutely not the
case," said Lorraine Duncan,
who heads the Oregon
Public Health Division's
immunization program.
"We have an administrative
rule that says only authorized
users, such as doctors,
can access these records."
California has a similar
policy.
Duncan also said federal
officials at the CDC have
no records of individual
kids being immunized at
the state level.
Reunion.com is no
stranger to privacy issues.
In April I wrote about how
the company accesses the
online address books of
people who register at the
site and sends e-mails to all
their contacts saying that
so-and-so was searching for
them, even when no such
search was performed.
The practice helps privately
held Reunion.com
register 1.3 million newmembers each month -- an
important statistic to advertisers
and affiliates. The
site now boasts about 40
million registered members.
The Better Business Bureau
gives Reunion.com its
lowest grade of "F," mostly
due to its e-mailing of people
in members' address
books.
Tinsley said Reunion.com
previously linked to other
data providers when users
searched its site for names.
Last month, the site decided
to build its own database
by acquiring files on
as many as 260 million
people from a private data
broker.
Such brokers comb public
records including voterregistration
files and land
deeds to amass huge databases
that include information
on virtually every
American. They sell their
files to business clients and
government agencies.
In Yang's case, a profile
for her was automatically
created on Reunion.com's
website after the company
purchased the files from the
data broker. I found that a
profile had been created for
me as well, even though
I'm not a member.
Tinsley said he'd been assured
by Reunion.com's
data provider that the company
would be able to prevent
information about anyone
under 18 from appearing
on the site.
He said he can't explain
how the name of Yang's 4-
year-old son made it online,
or where it came from in
the first place. In fact,
Tinsley said he doesn't
know where much of the
data on his site originated.
"I don't know the sources,"
he said. "All I know is that
it's public records."
Tinsley declined to speculate
on whether the names
of other minors might now
be in Reunion.com's database.
"All we absolutely know is
that this was the one minor
on the site," he said.
Tinsley said the name of
Yang's son was removed
from the system within 24
hours of my contacting the
company to inquire about
the situation. He said measures
have been put in place
to make it easier for people
to have information deleted
from the site.
Ray Everett-Church, a Silicon
Valley privacy consultant,
said it's hard to imagine
Yang's son was the only
minor included in Reunion.
com's recent data purchase.
"The most reasonable assumption
is that if one minor
slipped through, then
others might also have gotten
in," he said.
Everett-Church said it's up
to parents to monitor online
directories such as Reunion.
com and make sure
their kids' names aren't present.
Parents also may want to
think twice about using
their kids' names for children's
magazine subscriptions
– as I've done, I'm
sorry to say – or online gift
registries. Once a name is
in a corporate database, it
can be bought and sold.
Reunion.com's Tinsley is
the father of a 3-year-old
girl and an 18-month-old
boy. I asked how he'd feel
if their names turned up on
his site.
"I'd feel very upset,"
Tinsley replied.
That's a start.
