Social site divulges child's personal data

By DAVID LAZARUS

July 2, 2008 12 AM PT

Jane Yang, a 30-year-old marketing coordinator, was curious the other day to see what would turn up if she searched for herself on Reunion.com, a Los Angeles-based social networking site.

Sure enough, there was her name, which didn’t bother the Oregon resident all that much. Nor was she particularly troubled that her husband’s name was included under her “Friends & Family.”

What did startle Yang was seeing the name of her 4-year-old son.

“That made me really, really angry and really worried,” Yang told me. “I’m scared about predators out there.”

The incident serves as a cautionary tale for anyone who thinks kids’ personal information is excluded from the data smorgasbord that is the Internet. As Yang discovered, there’s no telling what can turn up as vast databases of sensitive information are bought and sold by private companies.

Reunion.com’s privacy policy says the site “prohibits registration by and will not knowingly collect personally identifiable information from anyone under 13.” But that doesn’t address the site’s own data-gathering.

Jeff Tinsley, Reunion.com’s chief executive, said the company recently purchased records on millions of people from a data broker. But he said the broker, which he declined to identify, was instructed not to include anyone under 18.

“We have no idea how this happened,” Tinsley said.

After seeing her son’s name online, Yang, who wasn’t a Reunion.com member, called the company to find out what was going on. She was especially distressed that the listing for her husband’s name included the family’s town, Beaverton -- not the sort of information she wanted anywhere near her son’s identity.

Yang said a service rep told her that the site receives its information from public databases.

What databases? Yang said the rep couldn’t answer that.

A supervisor came on the line. Yang said she was told that her son’s name probably came from state vaccination records or from the Centers for Disease Control and Prevention. This is common, Yang said the supervisor told her.

Actually, no.

“This is absolutely not the case,” said Lorraine Duncan, who heads the Oregon Public Health Division’s immunization program. “We have an administrative rule that says only authorized users, such as doctors, can access these records.”

California has a similar policy.

Duncan also said federal officials at the CDC have no records of individual kids being immunized at the state level.

Reunion.com is no stranger to privacy issues. In April I wrote about how the company accesses the online address books of people who register at the site and sends e-mails to all their contacts saying that so-and-so was searching for them, even when no such search was performed.

The practice helps privately held Reunion.com register 1.3 million new members each month -- an important statistic to advertisers and affiliates. The site now boasts about 40 million registered members.

The Better Business Bureau gives Reunion.com its lowest grade of “F,” mostly due to its e-mailing of people in members’ address books.

Tinsley said Reunion.com previously linked to other data providers when users searched its site for names. Last month, the site decided to build its own database by acquiring files on as many as 260 million people from a private data broker.

Such brokers comb public records including voter-registration files and land deeds to amass huge databases that include information on virtually every American. They sell their files to business clients and government agencies.

In Yang’s case, a profile for her was automatically created on Reunion.com’s website after the company purchased the files from the data broker. I found that a profile had been created for me as well, even though I’m not a member.

Tinsley said he’d been assured by Reunion.com’s data provider that the company would be able to prevent information about anyone under 18 from appearing on the site.

He said he can’t explain how the name of Yang’s 4-year-old son made it online, or where it came from in the first place. In fact, Tinsley said he doesn’t know where much of the data on his site originated.

“I don’t know the sources,” he said. “All I know is that it’s public records.”

Tinsley declined to speculate on whether the names of other minors might now be in Reunion.com’s database.

“All we absolutely know is that this was the one minor on the site,” he said.

Tinsley said the name of Yang’s son was removed from the system within 24 hours of my contacting the company to inquire about the situation. He said measures have been put in place to make it easier for people to have information deleted from the site.

Ray Everett-Church, a Silicon Valley privacy consultant, said it’s hard to imagine Yang’s son was the only minor included in Reunion.com’s recent data purchase.

“The most reasonable assumption is that if one minor slipped through, then others might also have gotten in,” he said.

Everett-Church said it’s up to parents to monitor online directories such as Reunion.com and make sure their kids’ names aren’t present.

Parents also may want to think twice about using their kids’ names for children’s magazine subscriptions -- as I’ve done, I’m sorry to say -- or online gift registries. Once a name is in a corporate database, it can be bought and sold.

Reunion.com’s Tinsley is the father of a 3-year-old girl and an 18-month-old boy. I asked how he’d feel if their names turned up on his site.

“I’d feel very upset,” Tinsley replied.

That’s a start.

Consumer Confidential runs Wednesdays and Sundays.

Send your tips or feedback to david.lazarus@latimes.com.

On latimes.com

Discussion

Can kids’ privacy be protected in the digital age? latimes.com/lazarus/kids