Minors Trust Framework Goal
The goal of the Minors Trust Framework (MTF, Framework) is to create a growing federation of participating organizations and consumers working together to assure greater Child safety, parental empowerment, regulatory compliance, and consumer access and privacy. The MTF embodies the operating rules for the Minors Trust Federation (Federation). Participation in the Federation allows service providers to build a deeper level of trust with Parents, create higher brand recognition, and richer engagement with its audience.
Privacy Vaults Online Inc., d/b/a PRIVO, is author of the Minors Trust Framework in collaboration with NIST and the founding member of the Generational Trust Alliance (GTA). NIST is the federal technology agency that works with industry to develop and apply technology, measurements, and standards. PRIVO complies with the MTF and is an assessor for the MTF. PRIVO is the first and leading global industry expert in children’s online privacy and delegated consent management. Being in the trenches as an FTC approved COPPA safe harbor and authoring a digital trust framework, PRIVO has been helping brands not only comply with federal and international regulations but realize new avenues for increased traffic and sales. PRIVO iD is the new single sign-on market leading resource for large scale enterprise adoption, enabling companies with one or multiple sites and apps to engage and transact with younger consumers. The overall proposition offered by PRIVO’s iD is a fusion of risk reduction, easier access and parental convenience, thus enabling improved online engagement between brands and minors, providing protection and freedom for all constituents.
MTF General Description
The MTF is an online identity trust model, developed in conjunction with the National Strategy for Trusted Identities in Cyberspace (NSTIC), a White House initiative aimed at helping individuals and organizations utilize secure, efficient, easy-to-use and interoperable identity credentials to access online services in a manner that promotes confidence, privacy, choice and innovation. The Federation’s unique role is in helping organizations adhere to the unique requirements around minor’s access and interaction with online information; as well as enable more efficient and privacy enhancing means to conduct transactions with families. It does this by having a complete set of technical, operational, and legal policies that all Federation members adhere to in order to protect minors and their parents’ identities and personal information in a secure, privacy enhancing manner.
Today under COPPA, parents have to separately answer each consent request they get from every online service their kids want interactive access to, which can be a burden for both the parent and the online service provider. Because of this, fewer than 1-in-10 consent requests are acted upon, which frustrates online service providers. The real problem arises, however, when children subvert the process by lying about their age in order to access services. This reinforces the harmful notion that lying is an acceptable practice, as well as putting children at risk of privacy harms and Relying Parties at risk of running afoul of COPPA.
The MTF seeks to remedy this problem. Operating under the rules set by the MTF and promulgated by the Foundation, credential service providers (CSPs) can create an online credential for parents and children that can be used by other online service providers – known as Relying Parties (RPs) – who agree to the high standards of privacy and security under the Federation. The process is both free and simple to use: parents will have their identity verified once by an Identity Provider (IdP), and then be able to pre-consent their kids’ access to Federation-approved online services.
The greatest beneficiary of the MTF will be kids. Today they’re not just being forced to lie about their ages, they’re being excluded from, and marginalized in, online activities of all sorts. Without access to a secure credential that allows them to do the things in which they are permitted, kids are unnecessarily and unjustifiably excluded from experiencing much of the World Wide Web. Online services signing on to the Federation will enable participating children to be full Internet citizens in good standing, work within the law, and enjoy what benefits the Web has to offer them – in a safe and privacy-preserving manner.
MTF Technical Description
The MTF is the collection of legal, technical, and operational policies that underpin trust across service providers and consumers that conduct transactions online. Federation Participants issue federated credentials to Adults and Children so that the Adult may grant verifiable parental consent to Federation and COPPA certified online services. The MTF enables Credential Service Providers that issue a Child-unique pseudonymous identifier to interoperate and interact with RPs and other Members.
In a federation scenario, when someone attempts to access a protected Service Provider site an Identity Provider is asked to provide information called “identity attributes” to the Service Provider. Attributes might include a unique identifier (traditionally a “user ID”) or other information such as organizational affiliation, status, email address, etc. In many scenarios, identity attributes are very useful to Service Providers for access control, personalization, and other purposes. The Federation encourages the support of identity attributes by its participants to improve the COPPA consent process and to help protect personal privacy. The Federation allows the verification of a Parent’s attributes, including their self-asserted association to the Child, and provides the Parent with a unique identifier/relationship link and tools to manage multiple consents, notifications, and associations.
The MTF enables Parents to view their Child’s data and permissions across multiple venues, but prohibits Federation Members from assisting each other in tracking either Children or Parents by both MTF policy and technical enforcement due to the use of unique GUIDs. Credential holders are encouraged to have unique display names available at the online service level. CSPs and CMAs are permitted to maintain information about a User on multiple venues in order to support the use of federated credentials and consent.
The MTF empowers Parents to determine when they transfer control of the Parent-authorized credential to a Minor once they age out of COPPA protections. Minor’s rights to control their credential will be determined by relevant law and the issuing CSP/RP Terms of Service or EULA, and may be viewable from the CMA’s parent portal.
MTF Certification Requirements: All Participants
The certification processes are maintained by the Foundation as part of its governance and operating structure. These criteria set the requirements for MTF participants. These criteria focus on business and technical conformity of MTF participants to the MTF requirements as a means to establish trust throughout the MTF. The assessment criteria focus on three main areas: organizational, business and technical requirements as described in this section.
Compatibility with Other Digital Trust Networks
The MTF is intended to provide a set of principles and rules for the protection of identity and personal data on a digital trust network, as well as provide a mechanism for additional protection of Children afforded under COPPA, for students under FERPA, as well as other legal regimes. The MTF is also intended to maintain compatibility with other digital trust networks whose principles and rules are not in conflict with the MTF. Trust networks wishing to maintain compatibility with the MTF must meet the following rules:
- It must provide an explicit reference to the current version of the MTF; and
- It must not define principles or rules that are in conflict with, or requiring an alternate interpretation of, the principles or rules defined in the MTF.
The MTF consists of the following documents: