Researchers
find that a great portion of popular children’s apps may run afoul of US
privacy legislation by improperly collecting data – albeit often probably
unintentionally. A response from Google to the unflattering findings wasn’t
long in coming.
More than 3,300 children-oriented Android
apps on Google Play are possibly gathering kids’ data in an improper manner,
which could put the apps in violation of US child privacy legislation, a recent
paper has found.
The study, called “Won’t Somebody Think of
the Children?” Examining COPPA Compliance at Scale, examined 5,855 of the
most popular children-focused Android apps. It found that “roughly 57%” of the
apps – which makes out to 3,337 in number – are potentially violating the US’
Children’s Online Privacy Protection Act (COPPA).
COPPA protects children under 13 from invasive collection of personally identifiable information
(PII). The law regulates how apps, games or websites are allowed to gather and
process sensitive data from children. In so doing, it prohibits some data
collection practices outright while requiring a parent’s consent for others.
The 5,855 apps tested were made by 1,889
developers and have racked up 4.5 billion installs between them. They are
listed in 63 different Google Play categories, obviously most of them in
various ‘games’ categories.
So what exactly are the apps up to?
The team of seven researchers hailing mainly
from US and Canadian universities used an automatic testing process to detect
how the apps handled data.
They found that the potential violations came
in several forms. For example, 28% of the apps accessed sensitive data
protected by Android permissions. Perhaps most worryingly, nearly 5% of all
apps collected children’s geolocation or contact information, notably the
device owner’s email address or phone number, without the permission of a parent.
Nearly three-fourths (73%) transmitted
sensitive data over the internet, but 40% of them didn’t apply reasonable
security measures by failing to use Transport
Layer Security (TLS), the standard for securing data in transit.
The study also identified potential
non-compliance in almost 19% of the apps that collected so-called persistent
identifiers (such as the device’s unique IMEI number or WiFi MAC address) with
third parties for prohibited purposes, notably user profiling and ad targeting.
According to COPPA, these identifiers are considered personal information if
they can be used to recognize a user over time and across different websites or
online services.
In addition, 39% of the apps transmitted
Google’s advertising identifier known as AAID together with another (and
immutable) identifier to the same destination, thus apparently acting in breach
of the terms of service of the Google Play’s Designed for Families (DFF)
program.
Personally identifiable information (PII)
collected by many of the tested apps
(credit: Won’t Somebody Think of the Children?” Examining COPPA Compliance at
Scale)
The researchers pinned the bulk of the blame
for the data slurping on the apps’ inclusion and use of third-party software
development kits (SDKs). “While many of these SDKs offer configuration options
to respect COPPA by disabling tracking and behavioral advertising, our data
suggest that a majority of apps either do not make use of these options or
incorrectly propagate them across mediation SDKs,” reads the paper.
Bearing this in mind, the researchers surmise
that “many privacy violations are unintentional and caused by misunderstandings
of third-party SDKs.”
Over to Google
The researchers acknowledged Google’s steps
to ensure compliance with COPPA, but added that “there appears to not be any
(or only limited) enforcement”. As a result, they urged the company to be more
active in its vetting process.
Meanwhile, Tom’s Guide quoted a Google spokesperson as saying in
response to the findings:
“We’re taking the researchers’ report very
seriously and looking into their findings. Protecting kids and families is a
top priority, and our Designed for Families program requires developers to
abide by specific requirements above and beyond our standard Google Play
policies. If we determine that an app violates our policies, we will take
action. We always appreciate the research community’s work to help make the
Android ecosystem safer.”
The researchers’ made their findings for each
tested app available at a dedicated website: https://www.appcensus.mobi/.