Help craft internal and user-facing policies that keep users from sharing sensitive information
Preventing users from sharing account information is a security concern as well as a way to keep paid accounts from being shared. When hosting a virtual environment in the United States that is directed to children under 13, or a general-audience environment where you have actual knowledge that users are under 13, you are also required under COPPA (the Children’s Online Privacy Protection Act) to take reasonable measures to keep users from making their PII (Personally Identifiable Information) public. The types of personal information include, but are not limited to, phone numbers, email addresses, and home addresses, none of which may be shared in chat rooms, forum posts, and the like. Implementing all of the following prevention techniques will dramatically reduce the risk of users sharing account credentials and PII.
Will your users read your terms of service and privacy policy from start to finish? What if they are children? Probably not. Periodically remind users of the importance of keeping private information private. First, display a notification each time users log in reminding them never to share their name, address, etc. Also, create quick and fun activities that teach users what not to share, in the form of videos, short games, or other activities.
Passwords typically cannot be filtered, since each user’s password is stored in your system as a salted one-way hash (at least it should be!), so the plaintext is never available to compare against. However, you can prevent users from sharing their login names by rejecting any message that contains the login name of the user who sent it. Without the login name, a leaked password is of little use on its own. Note that a user’s login name must not be the same as their public display name for this technique to work, otherwise the filter would block users whenever they mention themselves. Any personally identifiable information you store about a user (name, email, address, etc.) can also be filtered on a user-by-user basis using the same technique.
To identify and eliminate a majority of chat messages or forum posts that contain PII or account information, add commonly used phrases to your blacklist such as:
There are a number of variations of each phrase to consider as well, such as the pound sign (#) in place of the word “number”. Keep the phrases as short as possible, but not so vague that they generate false positives. For example, blocking the word “number” on its own will generate too many false positives. Instead, add “my phone number” to your filter blacklist.
Two of the most commonly shared pieces of personally identifiable information are email addresses and phone numbers. Simply preventing “.com”, the “@” sign, and digits from being typed is a good start. Better yet, use a filtering solution that detects clever attempts to get around the filter, such as spelling out the digits of a phone number or typing “at” and “dot” in place of the “@” sign and the period (among other techniques).
Restricted chat is also referred to as whitelist filtering. Users are only allowed to type words and phrases that are on a pre-approved list. Kids have been known to circumvent whitelist filters to share information such as their phone number (for example, by spelling the digits out with allowed words), so moderation efforts still need to be in place.
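The following Python filter is an added example, not code from the original article or from any particular product. It pulls together the techniques described above: the per-user check that rejects a message containing the sender’s own login name or stored PII, the short-phrase blacklist with the “#” variant, normalization of spelled-out digits and “at”/“dot” tricks before matching email and phone patterns, and a whitelist check that lets through a spelled-out phone number the other checks then catch. The user record, the blacklist phrases, the whitelist vocabulary and the sample messages are all constructed for this example.

```python
import re

# Constructed sample user record (values made up for this example).
USER = {
    "login": "sk8rkid_2011",      # private half of the credential; must differ from display_name
    "display_name": "SkaterKid",  # public name; mentioning it in chat is fine
    "email": "jamie.lee@example.com",
    "phone": "555-014-2233",
}

# Spelled-out digits that users type to slip a phone number past a digit filter.
WORD_DIGITS = {"zero": "0", "oh": "0", "one": "1", "two": "2", "three": "3",
               "four": "4", "five": "5", "six": "6", "seven": "7", "eight": "8", "nine": "9"}

# Short, specific phrases (assumed for this example) rather than single words like "number".
PHRASE_BLACKLIST = ("my phone number", "my phone #", "my email is", "my address is", "my password is")

# Constructed whitelist vocabulary for the restricted-chat demo.
WHITELIST = {"hi", "hello", "lol", "cool", "wanna", "want", "to", "play", "later", "my", "is",
             "the", "i", "you", "yes", "no", "number", *WORD_DIGITS}

_DIGIT_WORDS = re.compile(r"\b(" + "|".join(WORD_DIGITS) + r")\b")
# " dot " or "(dot)" / "[dot]" standing in for a period.
_DOT = re.compile(r"\s*[\[(]\s*dot\s*[\])]\s*|\s+dot\s+")
# "(at)" anywhere, or " at " only when the next token looks like a domain label followed by a dot,
# so "I'm at school" is left alone.
_AT = re.compile(r"\s*[\[(]\s*at\s*[\])]\s*|\s+at\s+(?=[a-z0-9-]+\.)")
_EMAIL = re.compile(r"[a-z0-9._%+-]+@[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")
# Seven or more digits separated by nothing, spaces, dots, dashes or parentheses.
# The threshold is a tunable; a message like "1000000 coins" will also trip it.
_PHONE = re.compile(r"(?:\d[\s.()-]*){7,}")


def normalize(text: str) -> str:
    """Lowercase and undo the common evasions before any pattern matching."""
    t = text.lower()
    t = _DIGIT_WORDS.sub(lambda m: WORD_DIGITS[m.group(1)], t)  # "five five" -> "5 5"
    t = _DOT.sub(".", t)                                         # "example dot com" -> "example.com"
    t = _AT.sub("@", t)                                          # "jamie at example.com" -> "jamie@example.com"
    return t


def _alnum(s: str) -> str:
    """Keep only letters and digits so 'sk8rkid 2011' matches login 'sk8rkid_2011'."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def check_message(text: str, user: dict) -> list[str]:
    """Return the reasons a message should be rejected; an empty list means it may be posted."""
    norm = normalize(text)
    reasons = []
    for phrase in PHRASE_BLACKLIST:
        if phrase in norm:
            reasons.append(f"blacklisted phrase: {phrase!r}")
    if _EMAIL.search(norm):
        reasons.append("email address pattern")
    if _PHONE.search(norm):
        reasons.append("phone number pattern")
    # Per-user check: the sender's own login name and stored PII. The display name is
    # deliberately not checked, which is why login and display name must differ.
    squashed = _alnum(norm)
    if _alnum(user["login"]) in squashed:
        reasons.append("sender's own login name")
    if _alnum(user["email"]) in squashed:
        reasons.append("sender's own email")
    if re.sub(r"\D", "", user["phone"]) in re.sub(r"\D", "", norm):
        reasons.append("sender's own phone")
    return reasons


def whitelist_allows(text: str) -> bool:
    """Restricted chat: every token must be on the pre-approved list."""
    tokens = re.findall(r"[a-z0-9']+", text.lower())
    return bool(tokens) and all(tok in WHITELIST for tok in tokens)


if __name__ == "__main__":
    samples = [
        "hey wanna play later",
        "hi SkaterKid",
        "add me, im sk8rkid 2011",
        "my phone # is 555 014 2233",
        "you can reach me on jamie dot lee at example dot com",
        "my number is five five five oh one four two two three three",
    ]
    for msg in samples:
        print(f"{msg!r}: whitelist={whitelist_allows(msg)} reasons={check_message(msg, USER)}")
```

The last sample message is the whitelist caveat in code: every word in it is on the approved list, so restricted chat alone would post it, yet after normalization it is both a ten-digit phone pattern and the sender’s own stored phone number. Run the per-user and pattern checks on every message regardless of which chat mode the user is in, and treat the seven-digit threshold and the phrase list as settings to tune against your own false-positive rate.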
Watching repeat offenders is a common moderation practice for preventing all kinds of inappropriate behavior and is worth mentioning here. If a user tries to share their personal information once, keep an eye on their subsequent content to be sure they do not try again.
Will these techniques be 100% effective at preventing users from sharing account credentials and personal information, even when used together? Most likely not, but making the effort will drastically reduce your risk and give users a level of comfort and security while participating in your online environment.